VYPR · patch · Published Apr 8, 2026 · Updated May 20, 2026 · 1 source

GitLab Patch Release 18.10.3, 18.9.5, 18.8.9 Fixes High-Severity WebSocket and DoS Vulnerabilities

GitLab released versions 18.10.3, 18.9.5, and 18.8.9 on April 8, 2026, patching multiple vulnerabilities including a critical WebSocket method exposure (CVE-2026-5173, CVSS 8.5) and two high-severity denial-of-service flaws.

GitLab released versions 18.10.3, 18.9.5, and 18.8.9 on April 8, 2026, for both Community and Enterprise Editions. The patch addresses multiple security vulnerabilities that could allow authenticated users to invoke unintended server-side methods through WebSocket connections and unauthenticated attackers to cause denial of service via the Terraform state lock API and GraphQL endpoint. GitLab strongly recommends that all self-managed installations upgrade immediately; GitLab.com is already running the patched version and Dedicated customers do not need to take action.

The most critical fix addresses CVE-2026-5173 (CVSS 8.5), an exposed-method issue in WebSocket connections discovered internally by GitLab team member Simon Tomlinson. The vulnerability could allow an authenticated attacker to invoke unintended server-side methods because of improper access control. It affects all GitLab CE/EE versions from 16.9.6 to 18.8.8, 18.9.0 to 18.9.4, and 18.10.0 to 18.10.2. The CVSS vector describes network-based exploitation with low privileges and no user interaction, and it records a scope change: a compromised component can affect resources beyond its intended boundary. The rated impact is high for confidentiality and low for integrity.

Two high-severity denial-of-service vulnerabilities were also patched. CVE-2026-1092 (CVSS 7.5) allows an unauthenticated attacker to cause denial of service by sending malformed JSON payloads to the Terraform state lock API. This issue was reported through GitLab's HackerOne bug bounty program by researcher a92847865 and affects all versions from 12.10 to 18.8.8, 18.9.0 to 18.9.4, and 18.10.0 to 18.10.2. CVE-2025-12664 (CVSS 7.5) similarly enables unauthenticated denial of service via repeated GraphQL queries and was reported by researcher foxribeye. It affects all versions from 13.0 to 18.8.8, 18.9.0 to 18.9.4, and 18.10.0 to 18.10.2.

Additional fixes include three medium-severity denial-of-service issues: CVE-2026-1403 (CVSS 6.5) in CSV import affecting Sidekiq workers, CVE-2026-1101 (CVSS 6.5) in the GraphQL SBOM API affecting GitLab EE only, and a separate medium DoS issue in the main GraphQL API. GitLab also patched CVE-2026-1516 (CVSS 5.7), a code injection flaw in Code Quality reports that could leak IP addresses of viewers, reported by researcher maksyche, and CVE-2026-4332 (CVSS 5.6), a cross-site scripting vulnerability in customizable analytics dashboards reported by researcher dukeB. Both are GitLab EE-specific issues.

The release also addresses several medium-severity authorization and information disclosure flaws. These include incorrect authorization in the vulnerability flags AI detection API, improper access control in the Environments API, information disclosure in certain GraphQL queries and CSV exports, and missing authorization in custom role permissions. A low-severity authorization issue rounds out the patched vulnerabilities. All issues except CVE-2026-5173 were reported through GitLab's HackerOne bug bounty program, reflecting the company's ongoing reliance on external researchers.

GitLab's patch release cycle follows a predictable cadence: scheduled releases occur twice monthly, on the second and fourth Wednesdays, with ad-hoc critical patches for emergencies. The company makes vulnerability details public on its issue tracker 30 days after the patched release. Organizations running self-managed GitLab instances should prioritize upgrading to the latest supported patch version for their branch (18.8.9, 18.9.5, or 18.10.3) to mitigate risk. For customers using GitLab.com or GitLab Dedicated, no action is required, as these environments are automatically updated.
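For an administrator with several self-managed instances, the practical question is which of the patched CVEs a given running version is exposed to and which fixed release on the same branch to move to. The script below is an added example, not GitLab's own tooling. It encodes only the affected version ranges and fixed versions quoted above for CVE-2026-5173, CVE-2026-1092 and CVE-2025-12664; it assumes "from 12.10" and "from 13.0" mean 12.10.0 and 13.0.0, accepts version strings in the `MAJOR.MINOR.PATCH[-suffix]` form GitLab reports (for example `18.9.2-ee`), and, for a branch older than the three patched ones, proposes the oldest fixed release as the minimum target (an assumption on our part, since the advisory only names the three patched branches).

```python
"""Assess a GitLab version string against the ranges patched in the
18.10.3 / 18.9.5 / 18.8.9 release. Added example; not GitLab's own tooling."""
import re

# Fixed versions shipped in this release, keyed by minor branch.
FIXED_VERSIONS = {
    (18, 8): (18, 8, 9),
    (18, 9): (18, 9, 5),
    (18, 10): (18, 10, 3),
}

# Affected ranges as quoted in the advisory summary, inclusive at both ends.
# Assumption: "from 12.10" and "from 13.0" are read as 12.10.0 and 13.0.0.
AFFECTED = {
    "CVE-2026-5173": [((16, 9, 6), (18, 8, 8)), ((18, 9, 0), (18, 9, 4)),
                      ((18, 10, 0), (18, 10, 2))],
    "CVE-2026-1092": [((12, 10, 0), (18, 8, 8)), ((18, 9, 0), (18, 9, 4)),
                      ((18, 10, 0), (18, 10, 2))],
    "CVE-2025-12664": [((13, 0, 0), (18, 8, 8)), ((18, 9, 0), (18, 9, 4)),
                       ((18, 10, 0), (18, 10, 2))],
}

# Accepts "18.9.2", "v18.9.2" or "18.9.2-ee" style strings.
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.]+)?")


def parse_version(text):
    """Turn a GitLab version string into a comparable (major, minor, patch) tuple."""
    match = _VERSION_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def exposed_cves(version):
    """Return the sorted list of patched CVEs whose affected ranges contain version."""
    return sorted(
        cve for cve, ranges in AFFECTED.items()
        if any(lo <= version <= hi for lo, hi in ranges)
    )


def upgrade_target(version):
    """Fixed release on the same minor branch, or (assumption) the oldest fixed
    release when the running branch predates the three patched branches."""
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        return FIXED_VERSIONS[branch]
    return min(FIXED_VERSIONS.values())


def assess(version_text):
    """Summarise exposure for one instance: parsed version, CVEs it is exposed
    to, and the recommended upgrade target (None when nothing applies)."""
    version = parse_version(version_text)
    cves = exposed_cves(version)
    return {
        "version": version,
        "exposed_to": cves,
        "upgrade_to": upgrade_target(version) if cves else None,
    }


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for sample in ("18.9.2-ee", "18.10.3", "16.9.5", "17.11.0"):
        print(sample, assess(sample))
```

In practice the version string would come from the instance's `/api/v4/version` endpoint or the `gitlab-rake gitlab:env:info` output; the script keeps that lookup out so it runs offline against whatever inventory list you already hold.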

This patch arrives amid a broader industry trend of increased vulnerability disclosure and exploitation. The 2026 Verizon Data Breach Investigations Report, published just days before this GitLab release, identified vulnerability exploitation as the leading initial access vector in breaches, accounting for 31% of incidents. The median time-to-patch has increased to 43 days, underscoring the importance of rapid patch deployment. GitLab's recommendation to upgrade immediately aligns with that urgency, particularly for the WebSocket flaw that requires only authenticated access to potentially compromise data confidentiality.

Synthesized by Vypr AI