GitLab has released a sweeping security update for its Community (CE) and Enterprise (EE) editions, patching a high-severity vulnerability that could have allowed unauthenticated attackers to steal access tokens and infiltrate private repositories. The release, which includes versions 18.8.4, 18.7.4, and 18.6.6, addresses a total of 13 vulnerabilities, ranging from token theft to denial-of-service (DoS) attacks.
The most critical flaw in this batch is CVE-2025-7659, which carries a CVSS score of 8.0. This vulnerability stems from “incomplete validation” within GitLab’s Web IDE, a browser-based editor used by developers to commit changes.
“GitLab has remediated an issue that could have allowed an unauthenticated user to steal tokens and access private repositories by abusing incomplete validation in the Web IDE,” the report explains.
This means an attacker wouldn’t even need a valid login to exploit the system. By leveraging this validation gap, they could potentially harvest the credentials needed to access sensitive codebases, leading to a major data breach.
The update also squashes several bugs that could be used to crash GitLab instances.
- GraphQL Overload (CVE-2025-8099): An unauthenticated user could cause a DoS by “sending repeated GraphQL queries,” overwhelming the server (CVSS 7.5).
- JSON Exhaustion (CVE-2026-0958): Attackers could trigger “memory or CPU exhaustion by bypassing JSON validation middleware limits” (CVSS 7.5).
- Markdown Malice (CVE-2026-1456 & CVE-2026-1458): Two separate flaws allow attackers to cause CPU exhaustion by submitting “specially crafted markdown files” that trigger exponential processing loops.
Beyond simple crashes, the patch fixes trickier exploits involving code flow and HTML injection.
- CVE-2025-14560 (CVSS 7.3): A Cross-Site Scripting (XSS) issue in the “vulnerability code flow” could allow an authenticated user to “perform unauthorized actions on behalf of another user”.
- CVE-2026-0595 (CVSS 7.3): An HTML injection flaw in test case titles could let attackers “add unauthorized email addresses to user accounts”.
The wide range of affected versions—some dating back to GitLab 8.0—means that almost every unpatched instance is at risk. Administrators should prioritize upgrading to 18.8.4, 18.7.4, or 18.6.6 to secure their DevOps environments against these threats.
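To help administrators act on the upgrade guidance above, here is an added example (not from the article or from GitLab) that maps an instance's reported version string to the patched release for its branch; the version strings it accepts and the handling of branches outside the three named are assumptions.

```python
"""Check a GitLab version string against the 18.8.4 / 18.7.4 / 18.6.6 patch releases."""
import re

# Patched releases named in the advisory, keyed by (major, minor) branch.
PATCHED = {
    (18, 8): (18, 8, 4),
    (18, 7): (18, 7, 4),
    (18, 6): (18, 6, 6),
}

# The article notes some affected versions date back to GitLab 8.0.
EARLIEST_AFFECTED = (8, 0, 0)


def parse_version(version: str) -> tuple:
    """Parse '18.8.3', '18.8.3-ee' or 'v18.7.4-ce.0' into (major, minor, patch).

    The accepted suffix formats are an assumption, not taken from the article.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def patch_status(version: str) -> dict:
    """Return whether the version is still exposed and what to upgrade to."""
    v = parse_version(version)
    branch = v[:2]
    if v < EARLIEST_AFFECTED:
        return {"version": v, "vulnerable": False, "action": "not in affected range"}
    if branch in PATCHED:
        fixed = PATCHED[branch]
        if v >= fixed:
            return {"version": v, "vulnerable": False, "action": "already patched"}
        return {"version": v, "vulnerable": True,
                "action": "upgrade to " + ".".join(map(str, fixed))}
    if branch > max(PATCHED):
        # A branch newer than the advisory names; the article says nothing about it,
        # so report it for manual confirmation rather than guessing.
        return {"version": v, "vulnerable": None,
                "action": "newer than advisory; confirm against the release notes"}
    # Older branch with no patch release listed: move to a patched branch.
    return {"version": v, "vulnerable": True,
            "action": "upgrade to 18.6.6 or a newer patched branch"}


if __name__ == "__main__":
    for sample in ("18.8.3-ee", "18.7.4", "17.11.2", "7.14.0"):  # constructed inputs
        print(sample, "->", patch_status(sample)["action"])
```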