GitLab has issued an urgent security alert for organizations running self-hosted versions of its AI Gateway, warning of a critical vulnerability that could allow attackers to crash services or execute arbitrary code. The flaw, tracked as CVE-2026-1868, carries a near-maximum CVSS score of 9.9, signaling immediate danger for unpatched instances.
The vulnerability strikes at the core of the Duo Workflow Service, a component designed to streamline development tasks using AI. However, an oversight in how the system handles user templates has turned this productivity tool into a potential entry point for hackers.
The issue is described as an “Insecure Template expansion issue impacts GitLab AI Gateway”. Essentially, the system fails to properly sanitize data when processing “crafted Duo Agent Platform Flow definitions” supplied by a user.
While the attack requires the adversary to have “authenticated access to the GitLab instance,” the potential fallout is critical. A successful exploit could allow an attacker to trigger a “Denial of Service” to take the gateway offline, or far worse, “gain code execution on the Gateway” itself.
This means a logged-in user—perhaps a compromised developer account or a malicious insider—could theoretically break out of the application’s bounds and run commands on the underlying server.
The vulnerability was not found by an external researcher but was discovered internally by GitLab team member Joern.
The vulnerability affects a specific range of self-hosted AI Gateway versions: instances running GitLab AI Gateway versions from 18.1.6, 18.2.6, or 18.3.1 onward that predate the fixed releases listed below are vulnerable.
GitLab has released three patched versions to cover different release tracks. Administrators are strongly recommended to upgrade immediately to:
- 18.6.2
- 18.7.1
- 18.8.1
“We strongly recommend that all Self Managed customers with GitLab Duo Self-Hosted installations update to one of these versions immediately,” the advisory warns.