GitLab has released a vital set of security updates for both Community Edition (CE) and Enterprise Edition (EE) to address a range of vulnerabilities, including high-severity flaws that could allow unauthenticated attackers to hijack user sessions or execute unauthorized actions.
The release, announced on April 22, 2026, covers versions 18.11.1, 18.10.4, and 18.9.6. GitLab strongly recommends that all self-managed installations be upgraded “immediately” to mitigate these risks.
The most significant issues in this patch cycle involve vulnerabilities that bypass standard browser protections, potentially exposing users to account takeover or data theft.
- GraphQL API CSRF (CVE-2026-4922): A high-severity Cross-Site Request Forgery (CSRF) flaw was discovered in the GraphQL API. This issue could allow an unauthenticated user to “execute GraphQL mutations on behalf of authenticated users” due to insufficient protection.
- Web IDE Arbitrary JavaScript (CVE-2026-5816): An improper resolution of path equivalence in the Web IDE asset could allow an unauthenticated attacker to “execute arbitrary JavaScript in a user’s browser session”.
- Storybook Token Access (CVE-2026-5262): Vulnerabilities in the Storybook development environment could allow unauthenticated actors to “access tokens” due to improper input validation.
Beyond the high-severity risks, GitLab remediated several Medium and Low-severity issues aimed at preventing Denial of Service (DoS) and tightening access controls.
- Denial of Service (DoS): Multiple endpoints, including discussions, Jira import, notes, and the GraphQL API, were vulnerable to being overwhelmed by crafted requests, potentially exhausting server resources.
- Access Control Failures: Issues were found in the issue description renderer (CVE-2026-5377), which could have leaked the titles of private issues, and the project fork relationship API (CVE-2025-9957), which allowed owners to bypass fork prevention settings.
- Virtual Registry Credentials: An internal audit discovered that “invalidated or incorrectly scoped credentials” could still be used to access Virtual Registries under certain conditions (CVE-2026-6515).
To protect your software supply chain and sensitive project data, administrators should “upgrade to the latest version as soon as possible”.
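A quick triage check for a fleet of self-managed instances, written for this write-up and not GitLab's own tooling: it compares an inventory of version strings against the three patched versions named above. The rule that branches newer than 18.11 already carry the fixes and that branches older than 18.9 received none is my assumption, and the sample version strings are constructed.

```python
from __future__ import annotations

# Patched version per affected branch, from the April 22, 2026 announcement.
PATCHED = {
    (18, 11): (18, 11, 1),
    (18, 10): (18, 10, 4),
    (18, 9): (18, 9, 6),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH', optionally with an '-ee' / '-ce' suffix."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_patched(text: str) -> bool:
    """True if the instance already carries the fixes from this release.

    Assumption (not from the announcement): branches newer than 18.11 shipped
    after the fixes and count as patched; branches older than 18.9 received
    no backport and must be upgraded.
    """
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in PATCHED:
        return (major, minor, patch) >= PATCHED[branch]
    return branch > max(PATCHED)


def triage(versions: list[str]) -> dict[str, list[str]]:
    """Split an inventory of instance versions into patched and vulnerable."""
    result: dict[str, list[str]] = {"patched": [], "vulnerable": []}
    for v in versions:
        result["patched" if is_patched(v) else "vulnerable"].append(v)
    return result


if __name__ == "__main__":
    # Constructed sample inventory of self-managed instances (not real data).
    sample = ["18.11.1-ee", "18.10.3-ee", "18.9.6-ce", "18.8.2-ee", "18.12.0-ee"]
    for bucket, items in triage(sample).items():
        print(f"{bucket}: {', '.join(items)}")
```

Feed it the version reported by each instance (for example from the admin area or `/api/v4/version`) and anything in the vulnerable bucket goes to the top of the upgrade queue.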