TL;DR
GitLab released software patches on June 24, 2026. These new GitLab security updates fix 13 vulnerabilities across Community Edition and Enterprise Edition. Therefore, administrators must apply versions 19.1.1, 19.0.3, or 18.11.6 immediately.
Why it matters
These vulnerabilities pose high risks to user data and system integrity. Specifically, the most severe flaws carry CVSS scores of 8.7 and 8.0. For instance, CVE-2026-10086 affects the Analytics Dashboard. Another flaw, CVE-2026-10712, affects the Web IDE workbench. Consequently, attackers could compromise user sessions or steal sensitive project data. Currently, the vendor has not confirmed active exploitation in the wild. Furthermore, researchers have not published any public proof-of-concept exploits.
How the attack works
The flaws span various attack mechanisms. First, CVE-2026-10086 involves improper sanitization of user-supplied input. This defect allows attackers to execute arbitrary client-side code. Second, CVE-2026-10712 stems from improper path validation. Unauthenticated users can exploit this to run malicious JavaScript. Additionally, CVE-2026-12053 causes information disclosure in Duo Workflows. According to the advisory, this happens “due to insufficient output filtering.” Finally, several other bugs allow authorization bypasses in registry policies and API endpoints.
Affected versions
These security defects impact multiple versions of GitLab CE and EE.
- Versions 19.1 prior to 19.1.1
- Versions 19.0 prior to 19.0.3
- Version 18.11 and all older releases, prior to 18.11.6
Different bugs affect different historical ranges. For example, some of the flaws impact every installation dating back to version 8.3, so there is no older release line that can be considered safe.
Patch or mitigation steps
GitLab strongly urges all users to upgrade their installations immediately. You can read the full GitLab patch release documentation for specific upgrade instructions. Administrators should install version 19.1.1, 19.0.3, or 18.11.6 to secure their environments. The company states, “We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.” Delaying this update leaves source code repositories vulnerable to hijacking and data theft.
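To turn the affected-version list and the patch guidance above into a repeatable check, here is an added example (not code from the article or from GitLab) that maps a deployment's reported version string to the minimum patched release it needs. The version ranges are the ones stated in this article; the inventory of instances is constructed sample data, and the optional `-ee`/`-ce` suffix handling is an assumption about how a version string may be reported.

```python
import re
from typing import Optional

# Affected ranges as stated in the advisory: release line -> first fixed patch.
FIXED_RELEASES = {
    (19, 1): (19, 1, 1),
    (19, 0): (19, 0, 3),
}
# The 18.11 line and every older line are fixed only by 18.11.6 or newer.
OLDEST_FIXED = (18, 11, 6)

# Accepts "19.1.0" or "19.0.2-ee" (suffix handling is an assumption).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(?:ee|ce))?$")


def parse_version(version: str) -> tuple:
    """Parse a GitLab version string into a (major, minor, patch) tuple."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def required_upgrade(version: str) -> Optional[str]:
    """Return the minimum patched release for an affected version,
    or None if the version is outside the ranges in this advisory."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_RELEASES:
        fixed = FIXED_RELEASES[line]
        if (major, minor, patch) >= fixed:
            return None
        return ".".join(map(str, fixed))
    if (major, minor, patch) < OLDEST_FIXED:
        return ".".join(map(str, OLDEST_FIXED))
    return None  # patched 18.11.x, or a line newer than those listed


def audit(inventory: dict) -> dict:
    """Map instance name -> required release for every affected instance."""
    findings = {}
    for name, version in inventory.items():
        target = required_upgrade(version)
        if target is not None:
            findings[name] = target
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"ci-main": "19.1.0-ee", "legacy": "17.4.2", "ok": "19.0.3"}
    for host, target in audit(sample).items():
        print(f"{host}: upgrade to {target}")
```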