GitLab Releases Critical Security Updates to Address XSS and DoS Vulnerabilities
GitLab has recently issued critical security updates for its Community Edition (CE) and Enterprise Edition (EE) to address multiple vulnerabilities, including severe Cross-Site Scripting (XSS) and Denial-of-Service (DoS) flaws. The newly released versions—18.9.2, 18.8.6, and 18.7.6—rectify a total of 15 security issues, underscoring the importance for administrators of self-managed instances to apply these patches promptly to safeguard their environments.
Key Vulnerabilities Addressed:
1. CVE-2026-1090: High-Severity XSS Vulnerability
– Description: This vulnerability resides in GitLab’s Markdown placeholder processing when the Markdown placeholders feature flag is enabled. An authenticated attacker can exploit this flaw to inject malicious JavaScript into a victim’s browser, potentially leading to unauthorized actions or session hijacking.
– CVSS Score: 8.7 (High)
2. CVE-2026-1069: DoS Vulnerability in GraphQL API
– Description: A flaw in the GraphQL API allows specially crafted requests to cause uncontrolled recursion and resource exhaustion, leading to a denial-of-service condition.
– CVSS Score: 7.5 (High)
3. CVE-2025-13929: DoS Vulnerability in Repository Archive Endpoint
– Description: Malicious requests sent to the repository archive endpoints can trigger a denial-of-service attack under specific conditions.
– CVSS Score: 7.5 (High)
4. CVE-2025-14513: DoS Vulnerability in Protected Branches API
– Description: Improper validation of JSON payloads in the protected branches API can be exploited to crash the service.
– CVSS Score: 7.5 (High)
5. CVE-2025-13690: DoS Risk in Webhook Custom Headers
– Description: A medium-severity issue where improper handling of webhook custom headers could lead to a denial-of-service condition.
– CVSS Score: 6.5 (Medium)
6. CVE-2025-12576: DoS Risk in Webhook Endpoint
– Description: Another medium-severity vulnerability involving the webhook endpoint that could be exploited to cause service disruption.
– CVSS Score: 6.5 (Medium)
Additional Fixes:
Beyond the high and medium-severity issues, this update resolves several low-severity bugs, including:
– CVE-2026-3848: Improper CRLF Sequences
– Description: Addresses improper handling of CRLF sequences that could be exploited in certain contexts.
– CVSS Score: 5.3 (Low)
– CVE-2025-12555: Access Control Issues in Runners API
– Description: Fixes access control issues in the runners API, which could have allowed unauthorized access to previous pipeline job information.
– CVSS Score: 5.3 (Low)
– Information Disclosure Bugs Affecting Confidential Issues
– Description: Remediates information disclosure bugs that could have exposed details of confidential issues.
– CVSS Score: 5.3 (Low)
Recommendations for Administrators:
To ensure continuous service and data protection, organizations must take immediate action:
– Update GitLab Installations: Upgrade all self-managed GitLab CE and EE installations to versions 18.9.2, 18.8.6, or 18.7.6.
– Downtime Considerations: Single-node instances will experience brief downtime during the upgrade as database migrations complete. Multi-node setups can utilize zero-downtime upgrade procedures.
– GitLab.com and GitLab Dedicated Users: Users on GitLab.com and GitLab Dedicated are already running the patched versions and require no administrative action.
Future Disclosures:
Detailed vulnerability reports will be made public on GitLab’s issue tracker 30 days after this patch release, providing transparency and further insights into the addressed issues.
Conclusion:
The prompt application of these security updates is crucial to protect GitLab environments from potential exploits. Administrators are urged to prioritize these updates to maintain the integrity and security of their systems.
