GitLab Urges Immediate Update for 11 Security Flaws
GitLab issued urgent security patches for its Community Edition (CE) and Enterprise Edition (EE) to address 11 distinct vulnerabilities.
Among these are three high-severity flaws that pose significant risks, potentially allowing malicious actors to execute unauthorized code, forge requests, and compromise user session tokens.
While GitLab.com and GitLab Dedicated environments have already received automatic updates, administrators of self-managed installations are strongly urged to apply the patches immediately. The security updates are available in versions 18.11.1, 18.10.4, and 18.9.6.
The Three High-Severity Vulnerabilities
The emergency release prioritizes three high-severity vulnerabilities that require immediate attention from security teams. These flaws could be leveraged to hijack authenticated sessions or expose sensitive authentication tokens:
- CVE-2026-4922 (CVSS 8.1): A Cross-Site Request Forgery (CSRF) vulnerability in the GraphQL API lets an attacker without an account execute GraphQL mutations on behalf of an authenticated user, in effect hijacking that user's session for those actions. As with any CSRF flaw, the attacker still needs the victim to load attacker-controlled content while logged in to GitLab. Reported as affecting GitLab versions from 17.0 before 18.9.6.
- CVE-2026-5816 (CVSS 8.0): A path equivalence (improper path validation) flaw in Web IDE asset handling allows unauthenticated users to run arbitrary JavaScript inside a victim's browser session, giving complete session hijacking. Affects versions from 18.10 before 18.10.4.
- CVE-2026-5262 (CVSS 8.0): A Cross-Site Scripting (XSS) vulnerability in the Storybook development environment, caused by improper input validation, could leak authentication tokens to unauthenticated users. Affects versions from 16.1 onward.
Summary of Patched Vulnerabilities
| CVE ID | Vulnerability Type | Severity | CVSS Score |
|---|---|---|---|
| CVE-2026-4922 | CSRF – GraphQL API | High | 8.1 |
| CVE-2026-5816 | Path Equivalence – Web IDE | High | 8.0 |
| CVE-2026-5262 | XSS – Storybook | High | 8.0 |
| CVE-2025-0186 | DoS – Discussions Endpoint | Medium | 6.5 |
| CVE-2026-1660 | DoS – Jira Import | Medium | 6.5 |
| CVE-2025-6016 | DoS – Notes Endpoint | Medium | 6.5 |
| CVE-2025-3922 | DoS – GraphQL API | Medium | 6.5 |
| CVE-2026-6515 | Session Expiration – Virtual Registry | Medium | 5.4 |
| CVE-2026-5377 | Access Control – Issue Renderer | Medium | 4.3 |
| CVE-2026-3254 | UI Restriction – Mermaid Sandbox | Low | 3.5 |
| CVE-2025-9957 | Access Control – Fork API | Low | 2.7 |
Denial-of-Service and Medium Risks
In addition to the high-severity threats, GitLab patched four medium-severity Denial-of-Service (DoS) vulnerabilities.
If exploited, these flaws allow an authenticated user to exhaust server resources, disrupting development workflows and any CI/CD pipelines that depend on the instance.
CVE-2025-0186, CVE-2025-6016, and CVE-2025-3922 can be triggered by crafted requests to the discussions endpoint, the notes endpoint, and the GraphQL API, respectively. Similarly, CVE-2026-1660 allows authenticated users to initiate a DoS condition during Jira issue imports due to improper input validation.
Beyond the DoS risks, the update resolves an Insufficient Session Expiration bug (CVE-2026-6515, CVSS 5.4). Discovered internally by GitLab team member David Fernandez, this flaw allowed invalidated or improperly scoped credentials to retain access to Virtual Registries.
Furthermore, two access control vulnerabilities were mitigated: CVE-2026-5377, which allowed authenticated users to view confidential issue titles through the issue renderer, and CVE-2025-9957, which allowed authenticated users to bypass group fork-prevention policies through the fork API.
Remediation and Responsible Disclosure
GitLab's advisory strongly recommends that all self-managed instance administrators immediately upgrade their deployments to version 18.11.1, 18.10.4, or 18.9.6, depending on the release line they run. Delaying these patches leaves the instance exposed to session hijacking and resource-exhaustion attacks.
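As an added example, not GitLab's own tooling, the script below classifies a self-managed instance's reported version against the three fixed releases named above. The fixed versions are taken from the advisory; the use of the authenticated `GET /api/v4/version` endpoint with a personal access token is an assumption about the reader's setup, and the sample JSON responses are constructed for the example.

```python
"""Check a GitLab instance version against the advisory's fixed releases."""
import json
import re
import urllib.request
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Patched releases named in the advisory, keyed by (major, minor) release line.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (18, 11): (18, 11, 1),
    (18, 10): (18, 10, 4),
    (18, 9): (18, 9, 6),
}

# MAJOR.MINOR.PATCH with an optional suffix such as "-ee", "-ce" or "-pre".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.]+)?$")


def fmt(v: Version) -> str:
    return ".".join(str(part) for part in v)


def parse_version(text: str) -> Version:
    """Parse a GitLab version string; the edition suffix is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version_text: str) -> Tuple[str, str]:
    """Classify an instance version against the advisory's fixed releases.

    Returns (status, reason) with status one of:
      'patched'     - at or above the fixed release for its line, or newer
                      than every release in the advisory
      'unpatched'   - on a line that received a fix but below it
      'unsupported' - on an older line with no fixed release in this advisory
    """
    v = parse_version(version_text)
    line = v[:2]
    if line in FIXED_VERSIONS:
        fixed = FIXED_VERSIONS[line]
        if v >= fixed:
            return "patched", f"{fmt(v)} is at or above {fmt(fixed)}"
        return "unpatched", f"upgrade to {fmt(fixed)} on the {line[0]}.{line[1]} line"
    if v > max(FIXED_VERSIONS.values()):
        return "patched", f"{fmt(v)} is newer than every release in this advisory"
    oldest_fixed = min(FIXED_VERSIONS.values())
    return "unsupported", (
        f"no fixed release on the {line[0]}.{line[1]} line; "
        f"upgrade to {fmt(oldest_fixed)} or later"
    )


def version_from_api_body(body: str) -> str:
    """Extract the version from a GET /api/v4/version JSON response."""
    return json.loads(body)["version"]


def fetch_version(base_url: str, private_token: str, timeout: float = 10) -> str:
    """Query the instance's version endpoint with a personal access token.

    Assumption: GET /api/v4/version answers for an authenticated user; the
    host and token are the reader's own. Not exercised offline.
    """
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": private_token},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return version_from_api_body(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample responses standing in for real instances.
    samples = [
        '{"version": "18.10.3-ee", "revision": "0000000"}',
        '{"version": "18.11.1-ee", "revision": "0000000"}',
        '{"version": "18.8.2-ce", "revision": "0000000"}',
    ]
    for body in samples:
        reported = version_from_api_body(body)
        status, reason = assess(reported)
        print(f"{reported:>12}: {status:<11} {reason}")
```

A version newer than every release in the advisory is treated as patched because later releases carry the fix forward; a version on a line older than 18.9 has no fixed release in this advisory and needs a move to a supported line rather than a patch-level bump.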
The majority of these vulnerabilities were responsibly reported through GitLab’s HackerOne bug bounty program by security researchers, including ahacker1, joaxcar, and pwnie.
Detailed security advisories for each flaw are scheduled to be published on GitLab’s public issue tracker 30 days following this patch release, giving administrators a reasonable window to secure their environments.