GitLab has rolled out a major security update to address a series of vulnerabilities impacting both its Community Edition (CE) and Enterprise Edition (EE) platforms. The GitLab security update resolves multiple flaws, including high-severity issues that could be exploited to disrupt services or gain unintended access to system functionality.
This update is particularly critical for organizations operating in self-managed GitLab environments, where administrators are responsible for applying patches and maintaining system security.
Delaying the deployment of this GitLab security update could leave systems exposed to known threats, including the actively addressed CVE-2026-5173 vulnerability. The patch release not only strengthens access controls but also mitigates risks tied to denial-of-service attacks, data exposure, and improper authorization checks.
As a result, GitLab is strongly urging all affected users to upgrade to the latest versions immediately to ensure their environments remain protected against potential exploitation.
Critical GitLab Security Update Targets High-Severity Flaws
GitLab security update covers a high-severity vulnerability tracked as CVE-2026-5173, which impacts websocket connections. This flaw could allow an authenticated attacker to bypass access controls and invoke unintended server-side methods. With a CVSS score of 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N), the issue represents a serious risk to affected environments.
The vulnerability was discovered internally by GitLab team member Simon Tomlinson. It affects GitLab CE/EE versions from 16.9.6 prior to 18.8.9, version 18.9 before 18.9.5, and version 18.10 before 18.10.3. The latest security patch resolves this issue along with several others.
Patch Releases and Affected Versions
The GitLab security update includes patched versions 18.10.3, 18.9.5, and 18.8.9. According to the official release statement:
“Today, we are releasing versions 18.10.3, 18.9.5, 18.8.9 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately.”
GitLab confirmed that users of GitLab.com and GitLab Dedicated services are already protected and do not need to take action.
Twelve Vulnerabilities Addressed
This GitLab security update resolves a total of twelve vulnerabilities, ranging from high to low severity. Alongside CVE-2026-5173, several denial-of-service (DoS) vulnerabilities were identified:
- CVE-2026-1092: A DoS issue in the Terraform state lock API caused by improper JSON validation (CVSS 7.5).
- CVE-2025-12664: A DoS vulnerability in the GraphQL API that could be triggered through repeated queries (CVSS 7.5).
- CVE-2026-1403: A CSV import flaw allowing authenticated users to disrupt Sidekiq workers (CVSS 6.5).
- CVE-2026-1101: A GraphQL SBOM API issue affecting GitLab EE, also enabling DoS attacks (CVSS 6.5).
In addition to these, multiple medium-severity flaws were patched:
- CVE-2026-1516: A code injection issue in Code Quality reports that could expose user IP addresses (CVSS 5.7).
- CVE-2026-4332: A cross-site scripting vulnerability in analytics dashboards (CVSS 5.4).
- CVE-2026-2619: Incorrect authorization in the vulnerability flags AI detection API (CVSS 4.3).
- CVE-2025-9484: Information disclosure via GraphQL queries (CVSS 4.3).
- CVE-2026-1752: Improper access control in the Environments API (CVSS 4.3).
- CVE-2026-2104: Information disclosure through CSV export (CVSS 4.3).
A low-severity issue, CVE-2026-4916, was also addressed, involving missing authorization checks in custom role permissions (CVSS 2.7).
Many of these vulnerabilities were reported through GitLab’s HackerOne bug bounty program, highlighting contributions from researchers such as a92847865, foxribeye, sim4n6, maksyche, go7f0, and others.
Bug Fixes and Stability Improvements
Beyond security fixes, the update also includes a wide range of bug fixes across all three versions. These improvements address issues such as failed Git operations for deploy keys on Geo sites, performance optimizations in migration helpers, and compatibility fixes for Amazon Linux 2023.
Other fixes include resolving flaky test cases, improving dependency proxy access, and addressing regressions in project archiving and deletion workflows. These updates aim to enhance overall platform stability alongside the security patch.
Upgrade Guidance and Deployment Notes
GitLab emphasized that no new migrations are included in these releases, meaning multi-node deployments should not require downtime. However, by default, Omnibus packages will stop services, run migrations, and restart during upgrades unless configured otherwise via the /etc/gitlab/skip-auto-reconfigure file.
The company also noted that certain package builds, such as SLES 12.5 for versions 18.10.3 and 18.9.5, are not included in this release. Additionally, GitLab confirmed that version numbers 18.10.2, 18.9.4, and 18.8.8 were skipped, with no patches issued under those versions.
