GitLab has rolled out critical security updates to address multiple high-severity vulnerabilities affecting both Community Edition (CE) and Enterprise Edition (EE). The company has released patched versions 18.10.3, 18.9.5, and 18.8.9, and is strongly urging administrators of self-managed installations to upgrade immediately.
The latest update fixes three major vulnerabilities that could seriously impact GitLab servers if left unpatched.
One of the most critical issues, tracked as CVE-2026-5173 with a CVSS score of 8.5, could allow an authenticated attacker to execute unintended server-side commands. This flaw is linked to improper access control in WebSocket connections, which are commonly used for real-time features.
Another vulnerability, CVE-2026-1092 (CVSS 7.5), allows unauthenticated attackers to trigger a Denial-of-Service attack. This can be done by sending malformed JSON data to the Terraform state lock API.
A third issue, CVE-2025-12664 (CVSS 7.5), can also result in a DoS attack. In this case, attackers can overwhelm the server by repeatedly sending GraphQL queries, eventually
GitLab has also patched a number of medium-severity vulnerabilities that could impact both security and stability.
One notable issue could allow attackers to inject malicious code into Code Quality reports. This could potentially expose the IP addresses of users viewing those reports. Another flaw involves weak CSV validation, which could crash background workers during file imports. There are also issues related to improper input filtering in analytics dashboards, which could lead to the execution of harmful JavaScript in user browsers.
Additionally, a GraphQL-related vulnerability could allow authenticated users to trigger a DoS condition across the entire instance.
Along with major fixes, the update also addresses several lower-severity vulnerabilities. These include issues where users could access email addresses of other users, modify protected environment settings, or view confidential project data due to weak access controls.
While these bugs are less severe individually, they can still pose risks in large deployments or enterprise environments.
GitLab has confirmed that these updates do not require complex database migrations. This means even multi-node deployments can be upgraded without downtime. Users on GitLab’s cloud services, including GitLab.com and GitLab Dedicated, are already protected. The company has applied all necessary fixes on its hosted infrastructure.
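A quick way for an administrator to confirm where a self-managed instance stands is to compare its reported version against the three fixed releases named in the advisory (18.10.3, 18.9.5 and 18.8.9). The script below is an added example, not GitLab's own tooling: it parses a version string of the form returned by the `GET /api/v4/version` endpoint (the sample JSON body is constructed) and reports whether the instance is on or above the fixed version for its release line, and which release to move to if not. The treatment of release lines outside 18.8 to 18.10 (newer lines assumed to carry the fixes, older lines assumed unpatched and pointed at the newest fixed release) is an assumption of the example, not a statement from the advisory.

```python
"""Check a self-managed GitLab version against the fixed releases from the
advisory. Added example; not GitLab's own code."""
import json
from typing import Optional, Tuple

# Fixed versions named in the advisory, keyed by their (major, minor) release line.
PATCHED_RELEASES = {
    (18, 10): (18, 10, 3),
    (18, 9): (18, 9, 5),
    (18, 8): (18, 8, 9),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '18.9.4' or '18.9.4-ee' into (18, 9, 4).

    GitLab appends edition/pre-release suffixes such as '-ee', '-ce' or '-pre';
    they are dropped because only the numeric core matters for the comparison.
    """
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def is_patched(version: str) -> bool:
    """True if `version` is at or above the fixed release for its line."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in PATCHED_RELEASES:
        return (major, minor, patch) >= PATCHED_RELEASES[line]
    # Assumption: lines newer than 18.10 already include the fixes, while lines
    # older than 18.8 received no backport and therefore count as unpatched.
    return line > max(PATCHED_RELEASES)


def recommended_upgrade(version: str) -> Optional[str]:
    """Fixed release to move to, or None when no upgrade is needed."""
    if is_patched(version):
        return None
    line = parse_version(version)[:2]
    # Stay on the same release line where a fixed version exists; otherwise
    # (assumption) point at the newest fixed release.
    target = PATCHED_RELEASES.get(line, PATCHED_RELEASES[max(PATCHED_RELEASES)])
    return ".".join(str(n) for n in target)


def assess_instance(version_json: str) -> dict:
    """Evaluate the JSON body returned by GET /api/v4/version."""
    payload = json.loads(version_json)
    version = payload["version"]
    return {
        "version": version,
        "patched": is_patched(version),
        "upgrade_to": recommended_upgrade(version),
    }


if __name__ == "__main__":
    # Constructed sample response; a real check would fetch
    # https://<your-gitlab>/api/v4/version with an authenticated client.
    sample = '{"version": "18.9.4-ee", "revision": "abc1234"}'
    print(assess_instance(sample))
```

Run it against the real endpoint by substituting the fetched body for `sample`; an instance that reports `"patched": false` should be scheduled for the upgrade the result names, which, as the advisory notes, needs no complex migration.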
GitLab is widely used for source code management, CI/CD pipelines, and DevOps workflows. Any vulnerability in such a platform can have serious consequences, especially for organizations handling sensitive code and infrastructure.
The presence of both authenticated and unauthenticated attack vectors makes this update even more critical.
This is a serious security update, and it should not be ignored. The good news is that GitLab has acted quickly and kept the upgrade process simple. With no downtime required, there is little reason to delay the update.