GitLab Issues Emergency Patches for 11 Vulnerabilities

GitLab has issued an urgent security advisory following the discovery of 11 distinct vulnerabilities affecting both its Community Edition (CE) and Enterprise Edition (EE). The security sweep includes three high-severity flaws that pose a direct threat to system integrity, potentially granting attackers the ability to execute remote code, manipulate user requests, and compromise session tokens.

To mitigate these risks, GitLab released emergency updates on April 22, 2026. Administrators should immediately transition to versions 18.11.1, 18.10.4, or 18.9.6 depending on their current release branch.

Deployment Status: While GitLab.com (SaaS) users have been automatically patched and GitLab Dedicated customers remain unaffected, all self-managed installations are at risk and require immediate manual intervention to secure their environments.

Deep Dive: High-Severity Vulnerabilities

The most pressing concerns involve vulnerabilities that bypass standard authentication or execution boundaries. Our technical breakdown of these critical flaws follows:

  • CVE-2026-4922 (CVSS 8.1) | GraphQL CSRF: A significant Cross-Site Request Forgery (CSRF) flaw was identified within the GraphQL API. This vulnerability allows an unauthenticated attacker to trick an authenticated user into executing unauthorized GraphQL mutations. Essentially, an attacker can hijack a user’s session to perform actions that the user never intended, impacting all versions from 17.0 up to the current patched state.
  • CVE-2026-5816 (CVSS 8.0) | Web IDE Path Validation: This flaw stems from improper path validation within the Web IDE asset. An unauthenticated attacker can exploit this to execute arbitrary JavaScript within the context of a victim’s browser session. This is a textbook case of session hijacking via client-side execution.
  • CVE-2026-5262 (CVSS 8.0) | Storybook XSS: A Cross-Site Scripting (XSS) vulnerability was uncovered in the Storybook development environment. Due to insufficient input validation, unauthenticated users may be able to extract sensitive authentication tokens, leading to full account compromise.
CVE ID Vulnerability Type Severity CVSS Affected Versions
CVE-2026-4922 CSRF (GraphQL API) High 8.1 17.0 → 18.9.5
CVE-2026-5816 Path Equivalence (Web IDE) High 8.0 18.10 → 18.10.3
CVE-2026-5262 XSS (Storybook) High 8.0 16.1 → 18.9.5
CVE-2025-0186 DoS (Discussions) Medium 6.5 10.6 → 18.9.5
CVE-2026-1660 DoS (Jira Import) Medium 6.5 12.3 → 18.9.5
CVE-2025-6016 DoS (Notes Endpoint) Medium 6.5 9.2 → 18.9.5
CVE-2025-3922 DoS (GraphQL API) Medium 6.5 12.4 → 18.9.5
CVE-2026-6515 Session Expiration Medium 5.4 18.2 → 18.9.5
CVE-2026-5377 Access Control Medium 4.3 18.11 → 18.11.0
CVE-2026-3254 UI Restriction Low 3.5 18.11 → 18.11.0
CVE-2025-9957 Access Control Low 2.7 11.2 → 18.9.5

Secondary Vulnerabilities: DoS and Access Control

Beyond the critical exploits, GitLab has addressed several medium and low-severity issues that could impact service availability and data privacy:

Denial-of-Service (DoS) Vectors: A cluster of medium-severity flaws (CVE-2025-0186, CVE-2025-6016, and CVE-2025-3922) allows authenticated users to exhaust server resources by sending specifically crafted requests to the discussions, notes, and GraphQL endpoints. Additionally, CVE-2026-1660 permits authenticated users to trigger a DoS via the Jira issue import process through improper input validation.

Logic and Session Flaws:

  • CVE-2026-6515 (CVSS 5.4): Discovered by GitLab researcher David Fernandez, this “Insufficient Session Expiration” bug allowed invalidated or improperly scoped credentials to maintain access to Virtual Registries.
  • Access Control: CVE-2026-5377 allowed unauthorized viewing of confidential issue titles, while CVE-2025-9957 enabled a bypass of group fork-prevention policies.

Immediate Remediation Steps

If you are managing a self-hosted GitLab instance, do not delay. Your priority should be upgrading to the latest stable patch within your current release train:

  • If on 18.11.x → Upgrade to 18.11.1
  • If on 18.10.x → Upgrade to 18.10.4
  • If on 18.9.x → Upgrade to 18.9.6

Acknowledgement to the security researchers—including ahacker1, joaxcar, and pwnie—who identified these flaws through GitLab’s HackerOne bug bounty program. In accordance with responsible disclosure practices, full security advisories will be released on GitLab’s issue tracker 30 days after this patch release.

Related Articles

Back to top button
tcVfPVpdv