GitLab patches 15 security flaws in new CE and EE update


GitLab has released security updates for Community Edition and Enterprise Edition, fixing 15 vulnerabilities in versions 18.9.2, 18.8.6, and 18.7.6. The company says self-managed administrators should upgrade as soon as possible, while GitLab.com and GitLab Dedicated already run the patched code.

The most severe issue in this release is CVE-2026-1090, a high-severity cross-site scripting flaw with a CVSS score of 8.7. GitLab says the bug affects Markdown placeholder processing when the Markdown placeholders feature flag is enabled, and it could allow an authenticated attacker to inject malicious JavaScript into a victim’s browser.

The update also fixes several denial-of-service bugs, including three high-severity issues with CVSS 7.5 scores. GitLab says one affects the GraphQL API through uncontrolled recursion, another hits repository archive endpoints, and a third impacts the protected branches API through specially crafted JSON payloads.

This makes the March 2026 GitLab release important for both security and uptime. Some of the flaws can let attackers crash exposed services without authentication, while others could enable browser-based attacks or unauthorized data access under specific conditions.

What GitLab fixed

CVE             Severity     Component                     GitLab description
CVE-2026-1090   High 8.7     Markdown placeholders         XSS issue
CVE-2026-1069   High 7.5     GraphQL API                   DoS via uncontrolled recursion
CVE-2025-13929  High 7.5     Repository archive endpoints  DoS via specially crafted requests
CVE-2025-14513  High 7.5     Protected branches API        DoS via specially crafted JSON payloads
CVE-2025-13690  Medium 6.5   Webhook custom headers        DoS
CVE-2025-12576  Medium 6.5   Webhook endpoint              DoS

Source: GitLab patch release advisory.

Key details from the advisory

GitLab says CVE-2026-1090 affects all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2. The company credits the report to a HackerOne researcher and notes that the flaw only applies when the Markdown placeholders feature flag is enabled.

For the API and service availability bugs, GitLab says CVE-2026-1069 can allow an unauthenticated user to trigger denial of service with specially crafted GraphQL requests, CVE-2025-13929 can hit repository archive endpoints, and CVE-2025-14513 affects the protected branches API. All three carry the same 7.5 CVSS rating in GitLab’s bulletin.

The release also fixes several lower-severity issues beyond XSS and DoS. These include a CRLF injection issue in import functionality that could be used to trigger internal requests, improper access control in the runners API, metadata disclosure through snippet rendering, confidential issue title disclosure, and an authorization issue in GitLab EE’s Virtual Registry.

What admins should do now

  • Upgrade self-managed GitLab CE or EE instances to 18.9.2, 18.8.6, or 18.7.6.
  • Expect regular migrations during upgrades to 18.9.2 and 18.8.6.
  • Use GitLab’s zero-downtime upgrade guidance for multi-node deployments.
  • Use standard upgrade guidance for single-node installations, which may see brief downtime.
  • No action is needed for GitLab.com and GitLab Dedicated users because GitLab says those services are already patched.
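A quick way to turn the advisory's fixed-version list into a check against a running instance, as an added example that is not GitLab's own tooling: it takes a version string (from gitlab-rake gitlab:env:info, the first line of /opt/gitlab/version-manifest.txt, or the /api/v4/version endpoint with a personal access token) and reports whether it is at or above 18.9.2, 18.8.6 or 18.7.6 for its release line. Treating 18.10 and later as already containing the fixes, the gitlab.example.com host and the GITLAB_TOKEN variable are assumptions, not statements from the advisory.

```shell
#!/bin/sh
# Added example, not GitLab's tooling: compare a self-managed GitLab version
# against the patched releases named in the advisory (18.9.2, 18.8.6, 18.7.6).

# ver_ge A B: succeed when dotted version A is greater than or equal to B.
# Pure awk so it works without GNU sort -V.
ver_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i in x) ? x[i] + 0 : 0
      yi = (i in y) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# gitlab_patched VERSION: succeed when VERSION carries this release's fixes.
# Lines older than 18.7 have no patched release in this advisory (the XSS flaw
# is listed as affecting 10.6 onward), so they count as exposed. Assumption:
# 18.10 and later minor releases already include the fixes.
gitlab_patched() {
  v=$1
  v=${v%%-*}                       # drop an edition suffix such as "-ee"
  minor=$(printf '%s' "$v" | cut -d. -f1,2)
  case $minor in
    18.9) ver_ge "$v" 18.9.2 ;;
    18.8) ver_ge "$v" 18.8.6 ;;
    18.7) ver_ge "$v" 18.7.6 ;;
    *)    ver_ge "$v" 18.9.2 ;;    # 18.10+ passes, 18.6 and older fails
  esac
}

# check_version VERSION: print a verdict and return gitlab_patched's status.
check_version() {
  if gitlab_patched "$1"; then
    printf '%s: patched\n' "$1"
  else
    printf '%s: NOT patched, upgrade to 18.9.2 / 18.8.6 / 18.7.6\n' "$1"
    return 1
  fi
}

# instance_version URL TOKEN: read the running version over the REST API.
# Requires network access and a personal access token; not called below.
instance_version() {
  curl -sS -H "PRIVATE-TOKEN: $2" "$1/api/v4/version" \
    | sed -n 's/.*"version":"\([^"]*\)".*/\1/p'
}

# Local alternatives on the instance itself (run as root on Omnibus installs):
#   sudo gitlab-rake gitlab:env:info | awk '/^Version:/ {print $2}'
#   head -n 1 /opt/gitlab/version-manifest.txt
# Remote check (assumed host and token variable):
#   check_version "$(instance_version https://gitlab.example.com "$GITLAB_TOKEN")"

if [ $# -gt 0 ]; then
  for ver; do check_version "$ver"; done
fi
```

Run it as `sh check_gitlab.sh 18.9.1 18.8.6` to get one verdict per version; the exit status of check_version is non-zero for an unpatched version, so it can gate an inventory script.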

Why this release stands out

This is not just a minor maintenance update. GitLab bundled a relatively large set of fixes into one patch release, and the mix includes browser-side XSS, unauthenticated service disruption risks, and data exposure issues. For organizations that run self-managed GitLab as a core development platform, delays in patching could affect both security and developer productivity.

The advisory also shows how broad GitLab’s affected version ranges can be. Several flaws reach far back across many release lines, which means older self-managed deployments may remain exposed until admins install one of the patched versions.

FAQ

What versions fix the vulnerabilities?

GitLab says the patched releases are 18.9.2, 18.8.6, and 18.7.6 for both CE and EE.

What is the most serious bug in this update?

GitLab lists CVE-2026-1090 as the highest-severity issue, with a CVSS score of 8.7. It is an XSS flaw in Markdown placeholder processing.

Can unauthenticated attackers exploit any of the DoS bugs?

Partly. GitLab’s advisory explicitly says the GraphQL API flaw (CVE-2026-1069) can be triggered by an unauthenticated user with specially crafted requests. The repository archive and protected branches API flaws carry the same 7.5 CVSS rating in the bulletin, which under CVSS 3.1 corresponds to a network-reachable availability impact that needs no privileges or user interaction.

Do GitLab.com users need to patch anything manually?

No. GitLab says GitLab.com and GitLab Dedicated already run the fixed versions.

Will the upgrade cause downtime?

GitLab says 18.9.2 and 18.8.6 include regular migrations. Multi-node deployments can use zero-downtime procedures, while single-node installs may see brief downtime.
