GitLab has recently issued critical security updates for its Community Edition (CE) and Enterprise Edition (EE), addressing several high-severity vulnerabilities that could lead to Denial-of-Service (DoS) and code injection attacks. Administrators of self-managed GitLab instances are strongly urged to upgrade to versions 18.10.3, 18.9.5, or 18.8.9 without delay to safeguard their systems.
## Overview of High-Severity Vulnerabilities
The latest security release rectifies three significant vulnerabilities that pose substantial risks to GitLab environments:
- CVE-2026-5173 (CVSS 8.5): This flaw allows an authenticated attacker to execute unintended server-side commands via WebSocket connections due to inadequate access controls.
- CVE-2026-1092 (CVSS 7.5): An unauthenticated user can initiate a DoS attack by submitting improperly validated JSON data to the Terraform state lock API.
- CVE-2025-12664 (CVSS 7.5): Attackers without an account can cause a DoS condition by overwhelming the server with repeated GraphQL queries.
## Medium-Severity Vulnerabilities Addressed
In addition to the high-severity issues, GitLab has addressed several medium-level vulnerabilities that could compromise user safety and system stability:
- CVE-2026-1516 (CVSS 5.7): An authenticated user could inject malicious code into Code Quality reports, potentially leaking the IP addresses of other users who view the report.
- CVE-2026-1403 (CVSS 6.5): Weak validation of CSV files could allow authenticated users to crash background Sidekiq workers during file import.
- CVE-2026-4332 (CVSS 5.4): Poor input filtering in analytics dashboards could allow attackers to execute harmful JavaScript code in the browsers of other users.
- CVE-2026-1101 (CVSS 6.5): Inadequate input validation in GraphQL queries could allow an authenticated user to cause a DoS of the entire GitLab instance.
## Additional Security Patches
The update also includes several lower-severity patches that resolve data leaks and broken access controls:
- CVE-2026-2619 (CVSS 4.3): Incorrect authorization allowed authenticated users with auditor privileges to modify vulnerability flag data in private projects.
- CVE-2025-9484 (CVSS 4.3): An information disclosure bug allowed authenticated users to view other users' email addresses through specific GraphQL queries.
- CVE-2026-1752 (CVSS 4.3): Improper access controls allowed developers to modify protected environment settings.
- CVE-2026-2104 (CVSS 4.3): Insufficient authorization checks in CSV exports allowed users to access confidential issues assigned to others.
- CVE-2026-4916 (CVSS 2.7): A missing authorization check allowed users with custom roles to demote or remove higher-privileged group members.
## Recommendations for Administrators
GitLab emphasizes the importance of upgrading all self-managed installations to versions 18.10.3, 18.9.5, or 18.8.9 as soon as possible. These updates do not require complex database changes, allowing multi-node deployments to be upgraded without system downtime. Users hosted on GitLab.com or using GitLab Dedicated are already protected, as the company has applied the patches to its cloud servers.
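For administrators who manage several instances, a quick way to act on this guidance is to compare each instance's reported version against the three fixed versions named above. The script below is an added example, not GitLab's own tooling; the fixed versions come from this advisory, while the function names, the handling of release lines older than 18.8 and the sample version strings are assumptions of the example. It expects the version as printed by `sudo gitlab-rake gitlab:env:info` (for example `18.10.2-ee`) and reports whether the instance is already patched, which version it should move to, or that the advisory does not cover its release line.

```python
"""Check whether a self-managed GitLab version already carries the fixes
shipped in GitLab 18.10.3 / 18.9.5 / 18.8.9.

Added example, not GitLab's own code. The fixed versions are taken from the
advisory; everything else (helper names, treatment of release lines the
advisory does not mention, sample inputs) is an assumption of this example.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed versions named in the advisory, keyed by release line (major, minor).
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (18, 10): (18, 10, 3),
    (18, 9): (18, 9, 5),
    (18, 8): (18, 8, 9),
}

# Accepts "18.9.5", "v18.9.5" and edition-suffixed forms such as "18.9.5-ee".
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:-[\w.]+)?\s*$")


def parse_version(text: str) -> Version:
    """Parse a GitLab version string into a (major, minor, patch) tuple.

    Edition suffixes like "-ee" are ignored, so "18.9.5-ee" equals "18.9.5".
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"not a GitLab version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def assess(version_text: str) -> Tuple[str, Optional[Version]]:
    """Return (status, recommended_version) for one instance.

    status is one of:
      "patched"     - already at or above the fixed version for its release line
      "upgrade"     - same release line but older patch level; move to recommended_version
      "unsupported" - release line older than 18.8; the advisory names no fix for it,
                      so (assumption) move to the oldest fixed line, 18.8.9, or newer
      "newer"       - release line newer than 18.10; assumed to post-date this fix
    """
    version = parse_version(version_text)
    line = (version[0], version[1])
    if line in FIXED_VERSIONS:
        fixed = FIXED_VERSIONS[line]
        return ("patched", None) if version >= fixed else ("upgrade", fixed)
    oldest_line = min(FIXED_VERSIONS)
    if line < oldest_line:
        return ("unsupported", FIXED_VERSIONS[oldest_line])
    return ("newer", None)


def format_version(version: Version) -> str:
    return ".".join(str(part) for part in version)


if __name__ == "__main__":
    # Constructed sample inputs: the "Version" line of gitlab:env:info as it
    # might be collected from a few hypothetical hosts.
    samples = ["18.10.2-ee", "18.9.5", "v18.8.7", "18.7.1", "18.11.0"]
    for sample in samples:
        status, target = assess(sample)
        advice = f" -> upgrade to {format_version(target)}" if target else ""
        print(f"{sample:>12}: {status}{advice}")
```

Because the advisory states that the patches involve no complex database changes, an instance reported as `upgrade` can be moved to the recommended version in the same release line without planning downtime for multi-node deployments.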
## Conclusion
The prompt application of these security patches is crucial to protect GitLab instances from potential exploitation. Administrators should prioritize these updates to maintain the integrity and security of their systems.