GitLab has released patch versions 19.0.1, 18.11.4, and 18.10.7 to fix seven security issues affecting GitLab CE and EE, including Duo AI workflow runner access control, a Wiki denial-of-service flaw, and several authorization bugs across GraphQL, Duo Workflows, Operations, Pipelines, and authentication endpoints.
GitLab says self-managed installations should upgrade immediately; GitLab.com is already patched, and GitLab Dedicated customers do not need to take any action.
The release is important because the flaws affect both newer and older supported branches, and some issues could expose private project data or allow lower-privileged users to bypass access controls.
GitLab also notes that these patch releases do not include new migrations and should not require downtime for multi-node deployments.
GitLab Patches Multiple Vulnerabilities
The highest-severity issue is CVE-2026-4868, which affects GitLab EE and has a CVSS score of 8.2. It could allow an authenticated user to trigger Duo AI workflows under another user’s identity due to improper user identity resolution.
| CVE | Issue | Impacted products | Affected versions | CVSS |
|---|---|---|---|---|
| CVE-2026-4868 | Improper Access Control in Duo AI workflow runners | GitLab EE | 18.8 before 18.10.7, 18.11 before 18.11.4, 19.0 before 19.0.1 | 8.2 |
| CVE-2026-1402 | Denial of Service in Wiki | GitLab CE/EE | 17.1 before 18.10.7, 18.11 before 18.11.4, 19.0 before 19.0.1 | 6.5 |
| CVE-2026-6713 | Incorrect Authorization in GraphQL WorkItem API | GitLab CE/EE | 18.2 before 18.10.7, 18.11 before 18.11.4, 19.0 before 19.0.1 | 5.3 |
| CVE-2026-5296 | Improper Authorization in Duo Workflows API | GitLab EE | 18.7 before 18.10.7, 18.11 before 18.11.4, 19.0 before 19.0.1 | 4.3 |
| CVE-2026-2601 | Missing Authorization in Operations | GitLab EE | 11.5 before 18.10.7, 18.11 before 18.11.4, 19.0 before 19.0.1 | 4.3 |
| CVE-2026-8716 | Incorrect Name Resolution in Pipelines | GitLab CE/EE | 12.7 before 18.10.7, 18.11 before 18.11.4, 19.0 before 19.0.1 | 4.3 |
| CVE-2026-2710 | Incorrect Authorization in authentication endpoints | GitLab CE/EE | 18.9 before 18.10.7, 18.11 before 18.11.4, 19.0 before 19.0.1 | 4.3 |
The remaining issues are medium severity, but several still matter operationally because they involve unauthorized data exposure, permission bypass, or service disruption.
Security teams should prioritize upgrading any affected self-managed GitLab instance to 19.0.1, 18.11.4, or 18.10.7 as soon as possible. Because the vulnerabilities span identity handling, authorization checks, and service availability, they should also review access logs, privileged workflow use, and any unusual Wiki or CI activity after patching.
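A practical first step is to map each self-managed instance's version onto the affected ranges in the table above. The script below is an added example for this article, not GitLab's own tooling: it encodes the advisory's per-branch fixed releases and first-affected minors, and reports which CVEs apply and which release to move to. It assumes the version string is whatever `GET /api/v4/version` returns for the instance (for example `18.11.3-ee`), that EE builds carry the `-ee` suffix and anything else is CE, and that branches newer than 19.0 lie outside the advisory's ranges and are reported as unaffected.

```python
"""Map a self-managed GitLab version string onto the affected-version ranges
published for the 19.0.1 / 18.11.4 / 18.10.7 patch release.

Added example, not GitLab's own tooling. Assumptions: the version string is
whatever GET /api/v4/version returns (e.g. "18.11.3-ee"), EE builds carry the
"-ee" suffix and anything else is treated as CE, and branches newer than 19.0
are outside the advisory's ranges and therefore reported as unaffected.
"""
import re
from typing import Optional

Version = tuple[int, int, int]

# Fixed versions per branch, from the advisory. Every branch older than 18.11
# is compared against 18.10.7.
FIXED_BY_BRANCH: dict[tuple[int, int], Version] = {
    (18, 11): (18, 11, 4),
    (19, 0): (19, 0, 1),
}
OLDEST_BRANCH_FIX: Version = (18, 10, 7)

# (CVE, first affected minor release, impacted editions) from the advisory table.
ADVISORY = [
    ("CVE-2026-4868", (18, 8), {"ee"}),
    ("CVE-2026-1402", (17, 1), {"ce", "ee"}),
    ("CVE-2026-6713", (18, 2), {"ce", "ee"}),
    ("CVE-2026-5296", (18, 7), {"ee"}),
    ("CVE-2026-2601", (11, 5), {"ee"}),
    ("CVE-2026-8716", (12, 7), {"ce", "ee"}),
    ("CVE-2026-2710", (18, 9), {"ce", "ee"}),
]


def parse_version(raw: str) -> tuple[Version, str]:
    """Return ((major, minor, patch), edition) for strings like '18.11.3-ee'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(ee|ce))?", raw.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {raw!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    edition = m.group(4) or "ce"  # assumption: no suffix means CE
    return version, edition


def fixed_version_for(version: Version) -> Optional[Version]:
    """The patch release that closes the advisory for this version's branch,
    or None when the branch is newer than anything the advisory covers."""
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return FIXED_BY_BRANCH[branch]
    if branch < (18, 11):
        return OLDEST_BRANCH_FIX
    return None


def affected_cves(raw: str) -> list[str]:
    """CVEs from the advisory that apply to the given version and edition."""
    version, edition = parse_version(raw)
    fix = fixed_version_for(version)
    if fix is None or version >= fix:
        return []
    return [
        cve
        for cve, first_affected, editions in ADVISORY
        if edition in editions and first_affected <= version[:2]
    ]


def upgrade_target(raw: str) -> Optional[str]:
    """Advisory fix release for this instance's branch, or None if it is clear.
    A multi-version jump (e.g. from 17.x) still has to follow GitLab's
    documented upgrade path; this only names the release that closes the CVEs."""
    if not affected_cves(raw):
        return None
    fix = fixed_version_for(parse_version(raw)[0])
    return ".".join(str(n) for n in fix)


if __name__ == "__main__":
    # Constructed sample inputs, not real instances.
    for sample in ("19.0.0-ee", "18.9.2", "17.5.0-ee", "19.0.1-ee", "19.1.0-ee"):
        print(sample, affected_cves(sample), upgrade_target(sample))
```

Run it against the output of `GET /api/v4/version` for each instance in the fleet; anything that returns a non-empty CVE list should be scheduled for the named release, and EE instances that come back with CVE-2026-4868 are the ones where the post-patch review of workflow activity matters most.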
For environments that rely on Duo AI or Duo Workflows, the authorization fixes warrant extra attention: CVE-2026-4868 allowed an authenticated user to trigger workflows under another user's identity, so workflow runs attributed to developers or automation service accounts may not have been initiated by them and should be reviewed.
GitLab says these patches were released on May 27, 2026, and users can expect regular patch releases twice a month on the second and fourth Wednesdays.
In practical terms, this release is a reminder that even mature DevOps platforms can accumulate risk across AI features, APIs, CI pipelines, and access-control layers simultaneously.

