GitLab Patches Critical DoS & Code Injection Multiple Vulnerabilities
GitLab has released urgent security updates for its Community Edition (CE) and Enterprise Edition (EE), patching several high-severity vulnerabilities. Specifically, versions 18.10.3, 18.9.5, and 18.8.9 are now available to address flaws that could enable Denial-of-Service (DoS) and code-injection attacks.
GitLab strongly advises all administrators of self-managed systems to upgrade immediately to protect their instances.
High-Severity Vulnerabilities
The latest security release resolves three high-severity bugs that pose significant risks to GitLab environments:
- CVE-2026-5173 (CVSS 8.5): An authenticated attacker could execute unintended server-side commands through WebSocket connections due to improper access controls.
- CVE-2026-1092 (CVSS 7.5): An unauthenticated user could trigger a Denial of Service attack by submitting improperly validated JSON data to the Terraform state lock API.
- CVE-2025-12664 (CVSS 7.5): Attackers without an account could cause a DoS condition by overwhelming the server with repeated GraphQL queries.
Alongside the severe issues, GitLab addressed several medium-level vulnerabilities that could compromise user safety and system stability:
- CVE-2026-1516 (CVSS 5.7): An authenticated user could inject malicious code into Code Quality reports, secretly leaking the IP addresses of other users who view the report.
- CVE-2026-1403 (CVSS 6.5): Weak validation of CSV files could allow authenticated users to crash background Sidekiq workers during file import.
- CVE-2026-4332 (CVSS 5.4): Poor input filtering in analytics dashboards could allow attackers to execute harmful JavaScript code in the browsers of other users.
- CVE-2026-1101 (CVSS 6.5): Bad input validation in GraphQL queries could allow an authenticated user to cause a DoS of the entire GitLab instance.
Additional Security Patches
The update also includes several lower-severity patches that resolve data leaks and broken access controls:
- CVE-2026-2619 (CVSS 4.3): Incorrect authorization allowed authenticated users with auditor privileges to modify vulnerability flag data in private projects.
- CVE-2025-9484 (CVSS 4.3): An information disclosure bug allowed authenticated users to view other users’ email addresses through specific GraphQL queries.
- CVE-2026-1752 (CVSS 4.3): Improper access controls allowed developers to modify protected environment settings.
- CVE-2026-2104 (CVSS 4.3): Insufficient authorization checks in CSV exports allowed users to access confidential issues assigned to others.
- CVE-2026-4916 (CVSS 2.7): A missing authorization check allowed users with custom roles to demote or remove higher-privileged group members.
GitLab emphasizes that all self-managed installations must be upgraded to versions 18.10.3, 18.9.5, or 18.8.9 as soon as possible.
Because these updates do not require complex database changes, multi-node deployments can be upgraded without any system downtime.
Users hosted on GitLab.com or using GitLab Dedicated are already safe, as the company has applied the patches to its cloud servers.
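Administrators of self-managed instances can confirm whether a running version already carries this release's fixes. The script below is an added example, not GitLab's own tooling: it assumes the installed version string has been read from the instance (for example via GitLab's GET /api/v4/version endpoint) and compares it offline against the fixed versions named in this advisory.

```python
"""Check a self-managed GitLab version against the fixed releases 18.10.3, 18.9.5 and 18.8.9.

Added example, not GitLab's own code. The fixed versions come from the advisory
above; the version string is assumed to be fetched separately (e.g. from
/api/v4/version), so this module runs offline on the string alone.
"""
from __future__ import annotations

from typing import NamedTuple

# Fixed releases named in the advisory, keyed by their (major, minor) branch.
FIXED_VERSIONS: dict[tuple[int, int], tuple[int, int, int]] = {
    (18, 10): (18, 10, 3),
    (18, 9): (18, 9, 5),
    (18, 8): (18, 8, 9),
}


class Verdict(NamedTuple):
    status: str       # "patched", "vulnerable" or "not_covered"
    recommended: str  # version the administrator should be running


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch', tolerating an edition suffix such as '-ee'."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(installed: str) -> Verdict:
    """Compare the installed version with the fixed release on its own branch."""
    major, minor, patch = parse_version(installed)
    branch = (major, minor)
    newest_fixed = ".".join(map(str, max(FIXED_VERSIONS.values())))
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        if branch < min(FIXED_VERSIONS):
            # Branch predates 18.8: no backport is listed, so move to the newest fixed release.
            return Verdict("vulnerable", newest_fixed)
        # Branch newer than 18.10: this advisory does not cover it either way.
        return Verdict("not_covered", installed)
    if (major, minor, patch) >= fixed:
        return Verdict("patched", installed)
    return Verdict("vulnerable", ".".join(map(str, fixed)))
```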