GitLab has released emergency security patches addressing 11 vulnerabilities across its Community Edition (CE) and Enterprise Edition (EE), including three high-severity flaws that could allow attackers to execute malicious code, forge requests, and steal user session tokens.
On April 22, 2026, GitLab released versions 18.11.1, 18.10.4, and 18.9.6 for both CE and EE deployments.
GitLab.com has already been updated automatically, and GitLab Dedicated customers require no action. However, all self-managed GitLab installations are strongly urged to upgrade immediately.
High-Severity Vulnerabilities
Three high-severity flaws demand immediate attention:
- CVE-2026-4922 (CVSS 8.1) – A Cross-Site Request Forgery (CSRF) flaw in the GraphQL API that could allow an unauthenticated attacker to execute GraphQL mutations on behalf of an authenticated user, performing state-changing actions in that user's session. Affects all versions from 17.0 prior to the patched releases (18.9.6, 18.10.4, 18.11.1).
- CVE-2026-5816 (CVSS 8.0) – A path equivalence (improper path validation) flaw in Web IDE asset handling that allows an unauthenticated attacker to execute arbitrary JavaScript inside a victim's browser session, enabling session hijacking. Affects versions from 18.10 before 18.10.4 and 18.11 before 18.11.1.
- CVE-2026-5262 (CVSS 8.0) – A Cross-Site Scripting (XSS) flaw in the Storybook development environment that, through improper input validation, could expose authentication tokens to unauthenticated users. Affects all versions from 16.1 prior to the patched releases.
| CVE ID | Type | Severity | CVSS Score | Affected From → Fixed In |
|---|---|---|---|---|
| CVE-2026-4922 | CSRF – GraphQL API | High | 8.1 | 17.0 → 18.9.6 / 18.10.4 / 18.11.1 |
| CVE-2026-5816 | Path Equivalence – Web IDE | High | 8.0 | 18.10 → 18.10.4 / 18.11.1 |
| CVE-2026-5262 | XSS – Storybook | High | 8.0 | 16.1 → 18.9.6 / 18.10.4 / 18.11.1 |
| CVE-2025-0186 | DoS – Discussions Endpoint | Medium | 6.5 | 10.6 → 18.9.6 / 18.10.4 / 18.11.1 |
| CVE-2026-1660 | DoS – Jira Import | Medium | 6.5 | 12.3 → 18.9.6 / 18.10.4 / 18.11.1 |
| CVE-2025-6016 | DoS – Notes Endpoint | Medium | 6.5 | 9.2 → 18.9.6 / 18.10.4 / 18.11.1 |
| CVE-2025-3922 | DoS – GraphQL API | Medium | 6.5 | 12.4 → 18.9.6 / 18.10.4 / 18.11.1 |
| CVE-2026-6515 | Session Expiration – Virtual Registry | Medium | 5.4 | 18.2 → 18.9.6 / 18.10.4 / 18.11.1 |
| CVE-2026-5377 | Access Control – Issue Renderer | Medium | 4.3 | 18.11 → 18.11.1 |
| CVE-2026-3254 | UI Restriction – Mermaid Sandbox | Low | 3.5 | 18.11 → 18.11.1 |
| CVE-2025-9957 | Access Control – Fork API | Low | 2.7 | 11.2 → 18.9.6 / 18.10.4 / 18.11.1 |
Four medium-severity Denial-of-Service (DoS) flaws were also patched, all with a CVSS score of 6.5. CVE-2025-0186, CVE-2025-6016, and CVE-2025-3922 could be exploited by authenticated users to exhaust server resources through crafted requests to the discussions endpoint, notes endpoint, and GraphQL API respectively.
CVE-2026-1660 similarly allows authenticated users to trigger DoS during Jira issue imports via improper input validation.
Beyond DoS, GitLab patched a medium-severity Insufficient Session Expiration bug (CVE-2026-6515, CVSS 5.4) where invalidated or incorrectly scoped credentials could still be used to access Virtual Registries, discovered internally by GitLab team member David Fernandez.
Two additional access control flaws (CVE-2026-5377 and CVE-2025-9957) allowed authenticated users to view confidential issue titles and bypass group fork-prevention policies respectively.
GitLab strongly recommends that all self-managed administrators upgrade to one of the patched versions, 18.11.1, 18.10.4, or 18.9.6, without delay.
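Working out which of the eleven CVEs apply to a particular self-managed instance, and which of the three patched releases it should move to, is the first thing an administrator needs to do. The script below is an added example, not GitLab's own tooling or anything from the advisory: it transcribes the table above and applies GitLab's branch-wise fix convention (18.9.x is fixed at 18.9.6, 18.10.x at 18.10.4, 18.11.x at 18.11.1, and older branches have no patched release of their own). The version string you feed in is an assumption; read it from your own instance, for example the `version` field of `GET /api/v4/version` with an admin token, or `gitlab-rake gitlab:env:info` on the host.

```python
"""Which of the April 2026 GitLab patch-release CVEs affect a given
self-managed version, and which patched release it should move to.

Added example; not GitLab's own tooling. The CVE data is transcribed from
the advisory table above. The version string passed in is an assumption:
read it from your own instance (the "version" field of GET /api/v4/version
with an admin token, or `gitlab-rake gitlab:env:info` on the host).
"""
from __future__ import annotations

# Patched releases from the advisory, keyed by stable branch (major, minor).
FIXED: dict[tuple[int, int], tuple[int, int, int]] = {
    (18, 11): (18, 11, 1),
    (18, 10): (18, 10, 4),
    (18, 9): (18, 9, 6),
}

# (CVE, summary, first affected version) as listed in the advisory table.
# Each range ends at "before the patched release on that branch", so the
# start version is the only per-CVE datum needed.
CVES: list[tuple[str, str, tuple[int, int]]] = [
    ("CVE-2026-4922", "CSRF - GraphQL API (CVSS 8.1)", (17, 0)),
    ("CVE-2026-5816", "Path equivalence - Web IDE (CVSS 8.0)", (18, 10)),
    ("CVE-2026-5262", "XSS - Storybook (CVSS 8.0)", (16, 1)),
    ("CVE-2025-0186", "DoS - Discussions endpoint (CVSS 6.5)", (10, 6)),
    ("CVE-2026-1660", "DoS - Jira import (CVSS 6.5)", (12, 3)),
    ("CVE-2025-6016", "DoS - Notes endpoint (CVSS 6.5)", (9, 2)),
    ("CVE-2025-3922", "DoS - GraphQL API (CVSS 6.5)", (12, 4)),
    ("CVE-2026-6515", "Session expiration - Virtual Registry (CVSS 5.4)", (18, 2)),
    ("CVE-2026-5377", "Access control - Issue renderer (CVSS 4.3)", (18, 11)),
    ("CVE-2026-3254", "UI restriction - Mermaid sandbox (CVSS 3.5)", (18, 11)),
    ("CVE-2025-9957", "Access control - Fork API (CVSS 2.7)", (11, 2)),
]


def parse_version(text: str) -> tuple[int, int, int]:
    """'18.10.3-ee' -> (18, 10, 3). Tolerates the -ee/-ce suffix GitLab
    reports; rejects anything that is not major.minor.patch."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def upgrade_target(v: tuple[int, int, int]) -> tuple[int, int, int] | None:
    """Patched release an installation at version v should move to, or None
    when v already carries the fix on its branch (or is newer than the advisory)."""
    branch = (v[0], v[1])
    if branch in FIXED:
        return None if v >= FIXED[branch] else FIXED[branch]
    if v > max(FIXED.values()):
        return None  # newer than anything the advisory covers
    # Older branch (18.8, 17.x, ...): no patched release exists there. The
    # lowest patched line is the nearest target; check GitLab's upgrade-path
    # guidance before jumping several minor versions at once.
    return FIXED[(18, 9)]


def affected_cves(v: tuple[int, int, int]) -> list[tuple[str, str]]:
    """CVEs from the advisory that apply to version v."""
    if upgrade_target(v) is None:
        return []
    # Tuple comparison: (18, 10, 3) >= (18, 10) is True, (18, 9, 5) >= (18, 10) is False.
    return [(cve, summary) for cve, summary, first in CVES if v >= first]


def report(version_text: str) -> dict:
    """Human-readable summary for one installed version string."""
    v = parse_version(version_text)
    target = upgrade_target(v)
    return {
        "installed": ".".join(map(str, v)),
        "upgrade_to": None if target is None else ".".join(map(str, target)),
        "cves": affected_cves(v),
    }


if __name__ == "__main__":
    # Constructed sample inputs, not real instance data.
    for sample in ("18.10.3-ee", "18.9.6-ce", "18.8.2-ee"):
        r = report(sample)
        print(f"{r['installed']}: upgrade to {r['upgrade_to'] or 'nothing needed'}, "
              f"{len(r['cves'])} CVE(s)")
        for cve, summary in r["cves"]:
            print(f"  {cve}  {summary}")
```

Run it with your own version string in place of the constructed samples. An instance on 18.10.3 is reported as affected by nine of the eleven CVEs (everything except the two 18.11-only issues) with 18.10.4 as the target, while 18.9.6 or 18.10.4 returns no findings. Because `upgrade_target` falls back to 18.9.6 for any branch older than 18.9, the script flags 18.8 and 17.x installations too; those need to follow GitLab's supported upgrade path rather than jump straight to the patched line.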
Most vulnerabilities were responsibly disclosed via GitLab’s HackerOne bug bounty program by researchers including ahacker1, joaxcar, and pwnie. Security advisories for each flaw will be made public on GitLab’s issue tracker 30 days after the patch release date.