GitLab Patches Critical Web IDE Token Theft and DoS Vulnerabilities
GitLab released security patches for Community Edition (CE) and Enterprise Edition (EE) on February 10, 2026. Versions 18.8.4, 18.7.4, and 18.6.6 fix four high-severity flaws enabling token theft, server crashes, and XSS attacks. Self-managed instances must upgrade immediately.
CVE-2025-7659 (CVSS 8.0) tops the list. It stems from incomplete validation in the Web IDE. Unauthenticated attackers can steal private repository tokens, which grants access to source code without ever logging in.
Two DoS flaws threaten availability. CVE-2025-8099 (CVSS 7.5) lets complex queries crash the GraphQL endpoint. CVE-2026-0958 (CVSS 7.5) bypasses JSON validation checks to exhaust server resources.
CVE-2025-14560 (CVSS 7.3) enables XSS in Code Flow. Malicious scripts run in victims' browsers, letting attackers hijack sessions or steal data.
GitLab.com has already received the fixes. Self-managed admins should expect brief downtime for database migrations. Medium-severity issues, including an SSRF, were patched as well.
Vulnerability Details Table
| CVE ID | CVSS (severity) | Component | Impact |
|---|---|---|---|
| CVE-2025-7659 | 8.0 High | Web IDE | Token theft, repo access |
| CVE-2025-8099 | 7.5 High | GraphQL | Service crash |
| CVE-2026-0958 | 7.5 High | JSON middleware | Resource exhaustion |
| CVE-2025-14560 | 7.3 High | Code Flow | XSS session hijack |
CVE-2025-7659 requires no account. The GraphQL DoS requires minimal setup. The XSS payload spreads through views shared with other users.
Patch Requirements
- Upgrade to 18.8.4, 18.7.4, or 18.6.6 immediately.
- Test single-node setups for migration downtime.
- Scan logs for exploit attempts post-upgrade.
- Review Web IDE access patterns.
Teams running older versions face the highest risk. GitLab urges swift action before widespread scanning begins.
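The upgrade step above turns into a mechanical check: compare the version a self-managed instance reports against the first fixed release on its branch. The helper below is an added example, not code from GitLab or from this article. It uses only the three fixed versions named above; the JSON sample is constructed but follows the shape GitLab's `GET /api/v4/version` endpoint returns (`version` and `revision` fields, token-authenticated), and the status names are this example's own.

```python
import json
import re

# Fixed releases from GitLab's February 10, 2026 advisory, as listed in the
# article: the first patched release on each maintained minor branch.
FIXED_RELEASES = {
    (18, 8): (18, 8, 4),
    (18, 7): (18, 7, 4),
    (18, 6): (18, 6, 6),
}

# GitLab reports versions like "18.8.3-ee" or "18.7.4"; only the numeric
# prefix matters for the comparison, the -ce/-ee suffix does not.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) for a GitLab version string."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def version_from_api_json(body):
    """Extract the version from a GET /api/v4/version response body.

    The real endpoint returns {"version": "...", "revision": "..."} and
    needs an authenticated token; the body is assumed to have been fetched
    separately (the sample used below is constructed).
    """
    return json.loads(body)["version"]


def assess(version_text):
    """Classify an instance against the fixed releases.

    Returns (status, fixed_release) where status is one of:
      "patched"       - maintained branch, at or above its fixed release
      "vulnerable"    - maintained branch, below its fixed release
      "unsupported"   - older branch with no fix; move to a supported branch
      "newer-branch"  - branch newer than any in the advisory; check that
                        branch's own release notes
    """
    version = parse_version(version_text)
    branch = version[:2]
    fixed = FIXED_RELEASES.get(branch)
    if fixed is not None:
        return ("patched" if version >= fixed else "vulnerable", fixed)
    oldest_branch = min(FIXED_RELEASES)
    if branch < oldest_branch:
        # The oldest fixed branch is the minimum sensible upgrade target.
        return ("unsupported", FIXED_RELEASES[oldest_branch])
    return ("newer-branch", None)


if __name__ == "__main__":
    # Constructed sample response, shaped like GET /api/v4/version output.
    sample_body = '{"version": "18.8.3-ee", "revision": "0123abcd"}'
    status, fixed = assess(version_from_api_json(sample_body))
    print(f"instance status: {status}; fixed release: {fixed}")
```

Run it against the JSON from your own instance's `/api/v4/version` call; a "vulnerable" or "unsupported" result means the instance is still exposed to all four CVEs in the table.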
FAQ
- The Web IDE flaw lets unauthenticated users steal private repository tokens (CVSS 8.0).
- CVE-2025-8099 floods GraphQL; CVE-2026-0958 bypasses JSON limits to exhaust resources.
- GitLab.com is already patched. Self-managed instances need a manual upgrade.
- Downtime is brief for single-node database migrations. Cluster setups see minimal impact.