GitLab has released critical security updates for Community Edition (CE) and Enterprise Edition (EE). Versions 18.10.3, 18.9.5, and 18.8.9 address multiple high- and medium-severity flaws that could compromise code integrity and server stability.
GitLab “strongly recommends that all self-managed GitLab installations be upgraded to one of these versions immediately” to prevent potential exploitation.
The patch addresses three High severity vulnerabilities that pose a direct threat to GitLab instances:
- Exposed Method in WebSocket Connections (CVE-2026-5173): This flaw impacts both CE and EE versions, potentially allowing unauthorized interactions through the platform’s real-time communication channels.
- Terraform State Lock API DoS (CVE-2026-1092): A vulnerability that could allow an attacker to disrupt infrastructure-as-code workflows by overwhelming the Terraform state lock mechanism.
- GraphQL API DoS (CVE-2025-12664): Attackers could cause a denial-of-service state by sending malformed or resource-intensive queries to the GraphQL API.
The update also fixes several Medium-severity issues affecting specific Enterprise features and data privacy:
- Code Quality Report Injection (CVE-2026-1516): A code injection issue was found in Code Quality reports, which could allow malicious code to be executed within the context of the GitLab runner or interface.
- Confidential Issue Leakage (CVE-2026-2104): An authenticated user could “access confidential issues assigned to other users via CSV export” due to insufficient authorization checks.
- Protected Environment Tampering (CVE-2026-1752): An improper access control flaw in the Environments API allowed users to “modify protected environment settings” without proper authorization.
- Privilege Demotion (CVE-2026-4916): A missing authorization issue in custom roles could have allowed an authenticated user to “demote or remove higher-privileged group members”.
To secure your environment, ensure your installation is upgraded to 18.10.3, 18.9.5, or 18.8.9 as soon as possible. Detailed upgrade instructions can be found on the official GitLab documentation site.
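As an added example (not from GitLab or this article), a small Python check that maps an installed version string, such as the one returned by GitLab's `GET /api/v4/version` endpoint, onto the patched version for its release line; the rule that release lines newer than 18.10 already include the fixes, and the sample API response, are assumptions of mine.

```python
"""Check whether a self-managed GitLab version carries the fixes shipped in
GitLab 18.10.3 / 18.9.5 / 18.8.9 (the versions named in the advisory above)."""
import json
import re

# Patched version per release line, taken from the advisory.
PATCHED = {(18, 10): (18, 10, 3), (18, 9): (18, 9, 5), (18, 8): (18, 8, 9)}
OLDEST_PATCHED_LINE = min(PATCHED)


def parse_version(text):
    """Parse '18.10.2-ee' or '18.9.5' into (major, minor, patch).

    GitLab reports its version with an edition suffix such as '-ee' or
    '-ce'; the suffix does not affect the comparison and is dropped."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-.*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return (patched, reason) for one installed version string."""
    major, minor, patch = parse_version(version_text)
    line = (major, minor)
    if line in PATCHED:
        fixed = PATCHED[line]
        fixed_text = ".".join(map(str, fixed))
        if (major, minor, patch) >= fixed:
            return True, f"{version_text} is at or above {fixed_text}"
        return False, f"{version_text} is below {fixed_text}; upgrade"
    if line < OLDEST_PATCHED_LINE:
        # Lines older than 18.8 received no fix in this advisory.
        return False, "release line not covered; upgrade to 18.8.9 or later"
    # Assumption: lines newer than 18.10 were cut after the fixes landed.
    return True, "newer release line, assumed to include the fixes"


# Constructed sample of a GET /api/v4/version response (not real data).
SAMPLE_RESPONSE = '{"version": "18.10.2-ee", "revision": "placeholder"}'


def assess_api_response(body):
    """Assess the JSON body returned by GET /api/v4/version."""
    return assess(json.loads(body)["version"])


if __name__ == "__main__":
    print(assess_api_response(SAMPLE_RESPONSE))
```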