GitLab has released urgent security updates for its Community Edition (CE) and Enterprise Edition (EE) to address a wide range of vulnerabilities.
The newly released versions 18.9.2, 18.8.6, and 18.7.6 fix a total of 15 security issues, including critical Cross-Site Scripting (XSS) and Denial-of-Service (DoS) flaws.
Administrators of self-managed instances are strongly urged to apply these patches immediately to maintain good security hygiene and protect their environments.
GitLab Vulnerabilities Patched
The most critical issue addressed in this release is CVE-2026-1090, a high-severity XSS vulnerability with a CVSS score of 8.7.
This flaw exists in GitLab’s Markdown placeholder processing when the Markdown placeholders feature flag is enabled.
An authenticated attacker can bypass proper sanitization checks to inject malicious JavaScript into a victim’s browser, potentially leading to unauthorized actions or session hijacking.
Additionally, GitLab patched three high-severity DoS vulnerabilities that could allow unauthenticated attackers to disrupt critical services.
A flaw in the GraphQL API allows specially crafted requests to cause uncontrolled recursion and resource exhaustion. Malicious requests sent to the repository archive endpoints can also trigger a denial-of-service attack under specific conditions.
Furthermore, improper validation of JSON payloads in the protected branches API can be easily exploited to crash the service. Beyond the high-severity issues, this update resolves several medium and low-severity bugs.
Notable fixes include addressing DoS risks in webhook custom headers (CVE-2025-13690) and webhook endpoints (CVE-2025-12576).
The patch also fixes an improper neutralization of CRLF sequences (CVE-2026-3848) and an access control weakness in the runners API (CVE-2025-12555), which could have allowed unauthorized access to previous pipeline job information.
Information disclosure bugs affecting confidential issues were also remediated. The security update addresses several specific CVEs that administrators should track.
CVE-2026-1090 is a high-severity cross-site scripting flaw in Markdown placeholder processing with a CVSS score of 8.7.
There are also three high-severity denial-of-service vulnerabilities, each with a CVSS score of 7.5: CVE-2026-1069 affects the GraphQL API, CVE-2025-13929 impacts the repository archive endpoint, and CVE-2025-14513 targets the protected branches API.
Furthermore, the patch resolves two medium-severity denial-of-service issues, both scoring 6.5 on the CVSS scale, involving webhook custom headers (CVE-2025-13690) and the webhook endpoint (CVE-2025-12576).
To ensure continuous service and data protection, organizations must take immediate action. Update all self-managed GitLab CE and EE installations to versions 18.9.2, 18.8.6, or 18.7.6.
Single-node instances will experience brief downtime during the upgrade as database migrations complete. In contrast, multi-node setups can utilize zero-downtime upgrade procedures.
Users on GitLab.com and GitLab Dedicated are already running the patched versions and require no administrative action. Detailed vulnerability reports will be made public on GitLab’s issue tracker 30 days after this patch release.
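The upgrade guidance above boils down to a per-branch comparison: an instance is covered only if it is on the 18.7, 18.8 or 18.9 line and at or above the fixed release for that line. The following script is an added example (not GitLab's own tooling) that performs that comparison for a fleet of self-managed instances. It assumes you feed it the version string reported by the instance, for example the "GitLab information" block of `gitlab-rake gitlab:env:info`; the sample inventory at the bottom is constructed, and the treatment of branches newer than 18.9 as "assumed fixed, verify" is an assumption rather than something the advisory states.

```python
"""Classify self-managed GitLab versions against the fixed releases named
in the advisory: 18.9.2, 18.8.6 and 18.7.6.  Added example, not GitLab code."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed release per minor branch, taken from the advisory text.
PATCHED: Dict[Tuple[int, int], Version] = {
    (18, 9): (18, 9, 2),
    (18, 8): (18, 8, 6),
    (18, 7): (18, 7, 6),
}

# Accept "X.Y.Z" optionally followed by an edition/package suffix such as "-ee" or "-ce.0".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse a GitLab version string into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def assess(version_text: str) -> Tuple[str, Optional[str]]:
    """Return (status, recommended_upgrade) for one instance.

    status is one of:
      'patched'      - on a covered branch and at or above its fixed release
      'vulnerable'   - below the fixed release on a covered branch, or on an
                       older branch for which the advisory lists no fix
      'newer-branch' - on a branch newer than 18.9; assumed to carry the fix
                       (assumption: confirm against GitLab's release notes)
    recommended_upgrade is the fixed release to move to, or None.
    """
    version = parse_version(version_text)
    branch = version[:2]
    if branch in PATCHED:
        fixed = PATCHED[branch]
        if version >= fixed:
            return "patched", None
        return "vulnerable", ".".join(map(str, fixed))
    if branch > max(PATCHED):
        return "newer-branch", None
    # Older branch: no fixed release is listed, so the nearest target is the
    # lowest patched release in the advisory.
    return "vulnerable", ".".join(map(str, min(PATCHED.values())))


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Assess every host in a {hostname: version_string} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = {
        "gitlab-prod.example.internal": "18.9.1-ee",
        "gitlab-staging.example.internal": "18.8.6-ce.0",
        "gitlab-legacy.example.internal": "18.6.3-ee",
    }
    for host, (status, target) in triage(sample).items():
        action = f"upgrade to {target}" if target else "no action"
        print(f"{host:40} {status:13} {action}")
```

Run it against your own inventory and treat every `vulnerable` row as an upgrade ticket; the `newer-branch` rows are flagged separately because the advisory only names three fixed releases and says nothing about later minor lines.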