GitLab has released critical security updates—versions 18.9.2, 18.8.6, and 18.7.6—for both Community Edition (CE) and Enterprise Edition (EE). This emergency patch addresses several high-severity flaws that could lead to account compromise, service disruption, and unauthorized data manipulation.
The release is headlined by four high-severity vulnerabilities that pose a significant risk to unpatched environments:
- CVE-2026-1090 (CVSS 8.7): A Cross-site Scripting (XSS) issue exists in the processing of Markdown placeholders. If exploited, this could allow an attacker to execute malicious scripts in the context of another user’s session.
- CVE-2026-1069 (CVSS 7.5): The GraphQL API is susceptible to a Denial of Service attack. Attackers could leverage this to overwhelm the API, effectively crashing the service for all users.
- CVE-2025-13929 (CVSS 7.5): A separate DoS vulnerability was identified in the repository archive endpoint. This could be used to prevent users from downloading or archiving project code.
- CVE-2025-14513 (CVSS 7.5): The API responsible for managing protected branches—a critical security feature for code integrity—is also vulnerable to a Denial of Service issue.
While the focus remains on the high-severity threats, GitLab’s security team also remediated several medium and low-risk vulnerabilities to harden the platform’s overall posture:
- Webhook Vulnerabilities: Two separate Denial of Service issues were patched in webhook custom headers and webhook endpoints.
- Access Control & Authorization: The update fixes improper access control in the runners API and snippet rendering, as well as a missing authorization issue in Group Import.
- Information Disclosure: A flaw that allowed the disclosure of information in inaccessible issues was addressed.
- Data Integrity & Credentials: Fixes were implemented for a Datadog integration issue that could reveal API credentials and a branch reference validation bug that caused downloads to contain incorrect code.
- Virtual Registry Leak: An improper authorization issue in the Virtual Registry for GitLab EE was resolved, which previously allowed users to access data in groups where they were not members.
“We strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately,” the company stated in its official security bulletin.
Administrators should verify their current version and transition to 18.9.2, 18.8.6, or 18.7.6 to mitigate these risks.
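As an added example (not code from GitLab or its bulletin), the following Python check maps an installed version string to the fixed release for its branch listed above, so an administrator can tell at a glance whether an instance still needs the upgrade. `GET /api/v4/version` is GitLab's real version endpoint; the JSON response used here is a constructed sample, and the status labels are this example's own.

```python
import json
import re

# Fixed releases named in the bulletin, keyed by release branch (major, minor).
PATCHED = {(18, 9): (18, 9, 2), (18, 8): (18, 8, 6), (18, 7): (18, 7, 6)}

def parse_version(text):
    """Turn '18.9.1-ee' or '18.9.1' into (major, minor, patch); edition suffixes are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognized GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def assess(text):
    """Return (status, target) where target is the release the instance should be on.

    status is one of:
      'patched'     - already at or above the fixed release for its branch
      'upgrade'     - same branch, but below the fixed release
      'unsupported' - older branch with no fixed release in the bulletin; move to 18.7.6
      'newer'       - branch newer than any in the bulletin; not covered by this check
    """
    ver = parse_version(text)
    branch = ver[:2]
    fixed = PATCHED.get(branch)
    if fixed is None:
        if branch > max(PATCHED):
            return ("newer", None)
        return ("unsupported", "%d.%d.%d" % min(PATCHED.values()))
    if ver >= fixed:
        return ("patched", "%d.%d.%d" % fixed)
    return ("upgrade", "%d.%d.%d" % fixed)

def assess_api_response(body):
    """Assess the JSON body returned by GET /api/v4/version (requires an authenticated request)."""
    return assess(json.loads(body)["version"])

if __name__ == "__main__":
    # Constructed sample response; a real one comes from the instance's /api/v4/version endpoint.
    sample = '{"version": "18.8.5-ee", "revision": "0000000"}'
    print(assess_api_response(sample))
```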