Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
CISA Warns of Exploited SimpleHelp Authentication Bypass Vulnerability
July 2, 2026
India Halts WhatsApp Usernames Rollout Due to Fraud Concerns
July 1, 2026
Critical Cursor IDE RCE Vulnerabilities Allow Zero-Click Prompt Injection
July 1, 2026
Home/CyberSecurity News/GitLab Patches Critical Vulnerabilities Enabling DoS and Code Injection
CyberSecurity News

GitLab Patches Critical Vulnerabilities Enabling DoS and Code Injection

Key Takeaways GitLab has released critical security updates for its Community Edition (CE) and Enterprise Edition (EE) to address multiple high-severity vulnerabilities. The patches resolve flaws...

Emy Elsamnoudy
Emy Elsamnoudy
April 9, 2026 3 Min Read
27 0

Key Takeaways

  • GitLab has released critical security updates for its Community Edition (CE) and Enterprise Edition (EE) to address multiple high-severity vulnerabilities.
  • The patches resolve flaws that could lead to Denial-of-Service (DoS) attacks, arbitrary code injection, and information disclosure.
  • Affected versions include 18.10.x, 18.9.x, and 18.8.x, with immediate upgrades to 18.10.3, 18.9.5, or 18.8.9 strongly recommended for self-managed instances.
  • Users of GitLab.com and GitLab Dedicated are automatically protected as patches have been applied to cloud environments.

GitLab has issued an urgent security advisory, releasing crucial updates for its self-managed Community Edition (CE) and Enterprise Edition (EE) platforms. These patches are designed to mitigate several high-severity vulnerabilities that could enable Denial-of-Service (DoS) attacks and remote code injection.

Table Of Content

  • Key Takeaways
  • High-Impact Vulnerabilities Addressed
  • Medium-Severity Flaws Patched
  • Additional Security Enhancements
  • What You Should Do

System administrators overseeing self-managed GitLab installations are strongly urged to apply the updates without delay to safeguard their systems from potential exploits. The patched versions, specifically 18.10.3, 18.9.5, and 18.8.9, are now available.

High-Impact Vulnerabilities Addressed

The latest security release targets three significant vulnerabilities categorized as high-severity, each posing distinct threats to the integrity and availability of GitLab environments.

  • CVE-2026-5173 (CVSS 8.5): This critical flaw allows an authenticated attacker to execute arbitrary server-side commands. The vulnerability stems from inadequate access controls within WebSocket connections, enabling unauthorized command execution.
  • CVE-2026-1092 (CVSS 7.5): An unauthenticated attacker could trigger a Denial-of-Service condition. This is possible by submitting malformed JSON data to the Terraform state lock API, leading to system instability or unavailability.
  • CVE-2025-12664 (CVSS 7.5): Even without authentication, an attacker can initiate a DoS attack. This vulnerability permits overwhelming the server through repeated and excessive GraphQL queries, disrupting normal operations.

Medium-Severity Flaws Patched

In addition to the high-severity issues, GitLab has also addressed several medium-level vulnerabilities that could compromise user privacy and system stability. These include:

  • CVE-2026-1516 (CVSS 5.7): An authenticated user could inject malicious code into Code Quality reports. This could secretly leak the IP addresses of other users who view the compromised report.
  • CVE-2026-1403 (CVSS 6.5): Weak validation of CSV files during import operations could allow authenticated users to crash background Sidekiq workers, affecting system performance and reliability.
  • CVE-2026-4332 (CVSS 5.4): Insufficient input filtering in analytics dashboards could enable attackers to execute harmful JavaScript code within the browsers of other users, leading to cross-site scripting (XSS) attacks.
  • CVE-2026-1101 (CVSS 6.5): Poor input validation in GraphQL queries could permit an authenticated user to cause a Denial-of-Service condition for the entire GitLab instance.

Additional Security Enhancements

The comprehensive update package also incorporates several lower-severity patches, resolving issues related to data leaks and broken access controls within the platform.

  • CVE-2026-2619 (CVSS 4.3): Incorrect authorization mechanisms allowed authenticated users with auditor privileges to modify vulnerability flag data within private projects, potentially altering security posture records.
  • CVE-2025-9484 (CVSS 4.3): An information disclosure vulnerability enabled authenticated users to view other users’ email addresses by exploiting specific GraphQL queries.
  • CVE-2026-1752 (CVSS 4.3): Improper access controls allowed developers to modify protected environment settings, potentially circumventing intended security policies.
  • CVE-2026-2104 (CVSS 4.3): Insufficient authorization checks in CSV exports allowed users to access confidential issues assigned to others, leading to unauthorized data exposure.
  • CVE-2026-4916 (CVSS 2.7): A missing authorization check allowed users with custom roles to demote or remove higher-privileged group members, disrupting organizational hierarchies and access controls.

GitLab explicitly underscores the critical need for all self-managed installations to be upgraded to versions 18.10.3, 18.9.5, or 18.8.9 as quickly as possible. These updates are designed to be minimally disruptive, with multi-node deployments capable of being upgraded without any system downtime, as they do not necessitate complex database changes.

Users operating on GitLab.com or utilizing GitLab Dedicated services are already safeguarded, as the company has proactively deployed these patches across its cloud infrastructure.

What You Should Do

  • Upgrade Immediately: If you manage a self-hosted GitLab CE or EE instance, update to versions 18.10.3, 18.9.5, or 18.8.9 without delay.
  • Review Release Notes: Consult the official GitLab release notes for detailed information on the patches and any specific considerations for your environment.
  • Verify Patch Application: After upgrading, confirm that the patches have been successfully applied and your GitLab instance is running the secure versions.
  • Monitor Systems: Continue to monitor your GitLab instances for any unusual activity or indicators of compromise.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEPatchSecurityVulnerability

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

CISA Warns of Critical Ivanti EPMM CVE-2023-35082 Exploited in Attacks

Next Post

Hackers Impersonate Linux Foundation Leader on Slack to Target Open Source Developers

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Apple Hide My Email Flaw Exposed Real User Email Addresses
July 1, 2026
Critical Fluentd Vulnerabilities Allow Remote Code Execution
July 1, 2026
Weaponized Google Ads Install Malicious Claude Code to Hijack macOS
July 1, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us