GitLab has released emergency security patches for multiple versions of its platform, addressing eight vulnerabilities that could enable arbitrary code execution and unauthorized access in self-managed installations.
The updated versions 18.7.1, 18.6.3, and 18.5.5 were deployed to GitLab.com on January 7, 2026, with self-hosted customers strongly advised to upgrade immediately.
The most severe vulnerability, CVE-2025-9222, affects GitLab Community and Enterprise Editions and has a CVSS score of 8.7.
This stored cross-site scripting (XSS) flaw in GitLab Flavored Markdown placeholders could allow authenticated attackers to execute malicious code within victims’ browsers.
Impacted versions span 18.2.2 through 18.7.0, covering a broad range of deployments.
A second high-severity issue, CVE-2025-13761, affects the Web IDE component and carries a CVSS score of 8.0.
This flaw allows attackers to execute malicious code by luring logged-in users to malicious web pages, which can hijack sessions and lead to unauthorized access to repositories.
Enterprise Edition customers face additional risks from CVE-2025-13772, a missing authorization bug in the Duo Workflows API that allows authenticated users to access AI model settings from unauthorized namespaces.
Discovered internally by GitLab engineer Jessie Young, this flaw carries a CVSS score of 7.1.
Additional Vulnerabilities and Impact
The security update also addresses medium-severity issues, including a denial-of-service vulnerability in the import functionality (CVE-2025-10569) and insufficient access controls in GraphQL mutations that could allow unauthorized modification of runners (CVE-2025-11246).
A low-severity information disclosure bug in Mermaid diagram rendering (CVE-2025-3950) completes the patch set.
GitLab’s security team emphasizes that all deployment types (Omnibus packages, source code installations, and Helm charts) require immediate updating.
Single-node instances will experience downtime during the upgrade because of mandatory database migrations, whereas multi-node deployments can be updated with zero downtime if the documented procedure is followed.
Apart from the internally discovered Duo Workflows bug, the vulnerabilities were reported via GitLab’s HackerOne bug bounty program, with researcher yvvdwf credited with discovering the high-severity XSS flaw.
GitLab maintains a 30-day disclosure policy, under which the detailed issue reports become public on its issue tracker 30 days after the patch release.
Self-managed GitLab administrators should consult the official update documentation and subscribe to GitLab’s security release RSS feed for future patch notifications.
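As an added example (not GitLab's own tooling and not part of the advisory), the following Python snippet compares a self-managed instance's version string against the patched releases named above. The fixed versions (18.7.1, 18.6.3, 18.5.5) and the 18.2.2 through 18.7.0 range for CVE-2025-9222 are taken from this article; the handling of "-ee"/"-ce" suffixes, the recommendation of 18.5.5 for older 18.x lines that have no patched release of their own, and the assumption that releases after 18.7.1 already carry the fixes are illustrative assumptions.

```python
"""Check a self-managed GitLab version against the January 2026 patch releases.

Added example, not GitLab's own tooling. The fixed versions and the affected
range for CVE-2025-9222 come from the advisory text; everything else about how
version strings are handled is an assumption made for illustration.
"""
from __future__ import annotations

from typing import Optional, Tuple

# Patched releases named in the advisory, keyed by major.minor line.
FIXED_VERSIONS = {
    (18, 7): (18, 7, 1),
    (18, 6): (18, 6, 3),
    (18, 5): (18, 5, 5),
}

# Published affected range for the stored XSS in GLFM placeholders (CVE-2025-9222).
XSS_AFFECTED_MIN = (18, 2, 2)
XSS_AFFECTED_MAX = (18, 7, 0)

# Assumption: an 18.x instance older than 18.5 has no fix on its own line,
# so the oldest patched release it can move to is 18.5.5.
OLDEST_FIXED = "18.5.5"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH', optionally followed by a suffix such as
    '-ee' or '-ce' (the form returned by GET /api/v4/version)."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def needs_upgrade(text: str) -> Tuple[bool, Optional[str]]:
    """Return (needs_upgrade, recommended_version) for a version string.

    A version on a patched line (18.5/18.6/18.7) is safe only if it is at or
    above that line's fix. Anything newer than 18.7.1 is assumed to include
    the fixes. Older 18.x lines are told to move to the oldest patched release.
    """
    v = parse_version(text)
    line = (v[0], v[1])
    if line in FIXED_VERSIONS:
        fixed = FIXED_VERSIONS[line]
        if v >= fixed:
            return False, None
        return True, ".".join(map(str, fixed))
    if v > (18, 7, 1):
        return False, None
    return True, OLDEST_FIXED


def xss_affected(text: str) -> bool:
    """True if the version falls inside the published CVE-2025-9222 range."""
    v = parse_version(text)
    return XSS_AFFECTED_MIN <= v <= XSS_AFFECTED_MAX


if __name__ == "__main__":
    # Constructed sample inputs, not real instance data.
    for sample in ("18.7.0-ee", "18.6.3-ee", "18.5.4", "18.4.9", "18.8.0"):
        upgrade, target = needs_upgrade(sample)
        flag = "UPGRADE to " + target if upgrade else "patched"
        print(f"{sample:12} {flag:18} xss_affected={xss_affected(sample)}")
```

In practice the version string would come from the instance's `GET /api/v4/version` endpoint (which returns a JSON object with a `version` field such as `"18.6.2-ee"`); the check above deliberately takes the string as an argument so it runs offline and can be dropped into an inventory script.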
