GitLab patches multiple vulnerabilities that enable DoS and code injection attacks


GitLab has released security updates for Community Edition and Enterprise Edition to fix multiple vulnerabilities, including bugs that could let attackers trigger denial of service conditions or abuse server-side functionality. The patched versions are 18.10.3, 18.9.5, and 18.8.9, and GitLab says self-managed administrators should upgrade as soon as possible.

The most serious issue in this batch is CVE-2026-5173, a high-severity flaw that could allow an authenticated attacker to invoke unintended server-side methods through WebSocket connections because of improper access control. GitLab assigned it a CVSS score of 8.5.

Two other high-severity bugs also stand out. CVE-2026-1092 could let an unauthenticated user cause a denial of service through improper JSON validation in the Terraform state lock API, while CVE-2025-12664 could let an unauthenticated attacker trigger denial of service with repeated GraphQL queries. GitLab rated both at CVSS 7.5.

What GitLab fixed in this release

Beyond the three high-severity issues, GitLab also fixed several medium-severity flaws that affect both stability and user safety. These include a code injection issue in Code Quality reports tracked as CVE-2026-1516, a CSV import bug that could crash Sidekiq workers tracked as CVE-2026-1403, and a GraphQL SBOM API denial of service issue tracked as CVE-2026-1101.

GitLab also patched CVE-2026-4332, a cross-site scripting bug in customizable analytics dashboards that could allow an authenticated user to execute JavaScript in another user’s browser. On top of that, the company fixed several authorization and information disclosure problems affecting auditors, developers, CSV exports, GraphQL queries, and custom role permissions.

The affected version ranges are broad in some cases. For example, GitLab says CVE-2026-1092 affects CE and EE versions from 12.10 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3, while CVE-2025-12664 affects versions from 13.0 before the fixed releases.

Why admins should treat this as urgent

These bugs matter because several of them do not require a valid account. An unauthenticated denial of service path can disrupt GitLab availability, which can affect code hosting, CI/CD workflows, issue tracking, and developer productivity across an entire organization.

The WebSocket issue raises a different kind of risk. CVE-2026-5173 needs authentication, but it could let an attacker reach unintended server-side methods, which moves the issue beyond a simple crash bug and into a more serious server-side abuse scenario.

GitLab says GitLab.com and GitLab Dedicated are already protected because the company applied the fixes to its hosted services. The urgent action applies mainly to self-managed deployments that still run affected versions.

GitLab vulnerabilities at a glance

CVE              Severity  Main risk                                                     Affected editions
CVE-2026-5173    High      Unintended server-side methods via WebSocket connections      CE/EE
CVE-2026-1092    High      Unauthenticated DoS via Terraform state lock API              CE/EE
CVE-2025-12664   High      Unauthenticated DoS via repeated GraphQL queries              CE/EE
CVE-2026-1516    Medium    Code injection in Code Quality reports with IP leakage risk   EE
CVE-2026-1403    Medium    DoS of Sidekiq workers during CSV import                      CE/EE
CVE-2026-4332    Medium    XSS in analytics dashboards                                   EE
CVE-2026-1101    Medium    DoS in GraphQL SBOM API                                       EE

What self-managed GitLab admins should do now

  • Upgrade to GitLab 18.10.3, 18.9.5, or 18.8.9 immediately.
  • Review exposure of Terraform state lock API, GraphQL endpoints, WebSocket features, CSV import, and analytics dashboards.
  • Prioritize internet-facing instances first, especially those that allow unauthenticated access to affected endpoints.
  • Check internal monitoring for unusual spikes in GraphQL traffic, malformed JSON requests, and suspicious WebSocket activity. This is a practical inference from the affected components GitLab identified.
  • Confirm whether your instance runs CE or EE, since some medium-severity issues affect EE only.
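To make the first and last of these steps repeatable across a fleet, the following script checks a reported GitLab version string against the patched releases and the affected ranges stated above for the two unauthenticated DoS bugs. It is an added example, not GitLab's own tooling; it assumes the version string is taken from the instance (for example the "Version:" line of `gitlab-rake gitlab:env:info`), that an "-ee" suffix marks Enterprise Edition and no suffix marks Community Edition, and it only knows the ranges this article quotes, so it does not classify the medium-severity EE-only issues.

```python
"""Assess a self-managed GitLab version against the patched releases named in the advisory.

Added example; ranges come from the article text. Input versions below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Patched releases named in the advisory (newest first).
FIXED_RELEASES: List[Version] = [(18, 10, 3), (18, 9, 5), (18, 8, 9)]

# Affected ranges as [lower_inclusive, upper_exclusive) pairs, transcribed from the
# version ranges the advisory states for the two unauthenticated DoS bugs.
AFFECTED_RANGES: Dict[str, List[Tuple[Version, Version]]] = {
    "CVE-2026-1092": [((12, 10, 0), (18, 8, 9)), ((18, 9, 0), (18, 9, 5)), ((18, 10, 0), (18, 10, 3))],
    "CVE-2025-12664": [((13, 0, 0), (18, 8, 9)), ((18, 9, 0), (18, 9, 5)), ((18, 10, 0), (18, 10, 3))],
}


def parse_version(text: str) -> Version:
    """Parse '18.10.2' or '18.10.2-ee' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def edition(text: str) -> str:
    """Assumption: GitLab EE reports an '-ee' suffix; anything else is treated as CE."""
    return "EE" if text.strip().endswith("-ee") else "CE"


def affected_cves(version: Version) -> List[str]:
    """Return the CVEs (from the ranges above) whose affected range contains this version."""
    return [cve for cve, ranges in AFFECTED_RANGES.items()
            if any(lo <= version < hi for lo, hi in ranges)]


def recommended_upgrade(version: Version) -> Optional[Version]:
    """Smallest patched release on the same minor branch; older branches jump to the newest
    patched release; versions already at or beyond a patched release get None."""
    for fixed in FIXED_RELEASES:
        if fixed[:2] == version[:2]:
            return fixed if version < fixed else None
    if version < max(FIXED_RELEASES):
        return max(FIXED_RELEASES)
    return None


def assess(version_text: str) -> dict:
    """Combine the checks into one record suitable for a fleet inventory."""
    v = parse_version(version_text)
    return {
        "version": v,
        "edition": edition(version_text),
        "affected_cves": affected_cves(v),
        "upgrade_to": recommended_upgrade(v),
    }


if __name__ == "__main__":
    # Constructed sample inventory: version strings as an instance would report them.
    for reported in ["18.10.2-ee", "18.9.5-ee", "17.11.0", "12.9.3", "18.11.0-ee"]:
        r = assess(reported)
        target = ".".join(map(str, r["upgrade_to"])) if r["upgrade_to"] else "none needed"
        print(f"{reported:<12} {r['edition']}  affected={r['affected_cves'] or '-'}  upgrade_to={target}")
```

The tuple comparison is what keeps the branch logic honest: 18.8.9 sits below 18.9.0, so a hypothetical 18.8.10 is outside every range, while 18.10.2 lands in the 18.10 range and is pointed at 18.10.3 rather than at a different branch. A version older than the first affected release (12.9.x for CVE-2026-1092) reports no listed CVE but is still told to upgrade, since the advisory's fixed releases are the only supported targets.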

FAQ

Which GitLab versions contain the fixes?

GitLab patched the issues in versions 18.10.3, 18.9.5, and 18.8.9 for Community Edition and Enterprise Edition.

Are GitLab.com users affected?

GitLab says customers on GitLab.com and GitLab Dedicated are already protected because the patches have been applied to hosted environments.

What is the most severe bug in this update?

The highest-rated flaw is CVE-2026-5173, which GitLab scored at CVSS 8.5. It could let an authenticated attacker invoke unintended server-side methods through WebSocket connections.

Do any of these bugs work without an account?

Yes. GitLab says CVE-2026-1092 and CVE-2025-12664 can be abused by unauthenticated attackers to trigger denial of service conditions.
