VYPR · patch · Published Feb 25, 2026 · Updated May 20, 2026 · 1 source

GitLab Patch Release 18.9.1, 18.8.5, 18.7.5 Fixes Multiple High-Severity Vulnerabilities

GitLab released versions 18.9.1, 18.8.5, and 18.7.5 on February 25, 2026, patching multiple high-severity vulnerabilities including an XSS flaw in the Mermaid sandbox and several denial-of-service issues.

GitLab released versions 18.9.1, 18.8.5, and 18.7.5 for both Community Edition (CE) and Enterprise Edition (EE) on February 25, 2026, addressing multiple security vulnerabilities. The patch release fixes a cross-site scripting (XSS) vulnerability in the Mermaid sandbox (CVE-2026-0752, CVSS 8.0), three denial-of-service (DoS) flaws, and several other issues. GitLab strongly recommends that all self-managed installations upgrade immediately, while GitLab.com is already running the patched version and GitLab Dedicated customers do not need to take action.

The most severe vulnerability, CVE-2026-0752, is an XSS issue in the Mermaid sandbox that could allow an unauthenticated attacker to inject arbitrary scripts into the sandbox UI under certain circumstances. The flaw affects all GitLab CE/EE versions from 16.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1. The vulnerability was reported by researcher aphantom through GitLab's HackerOne bug bounty program.

Three high-severity DoS vulnerabilities were also patched. CVE-2025-14511 (CVSS 7.5) affects the container registry, allowing an unauthenticated attacker to cause a denial of service by sending specially crafted files to the container registry event endpoint. CVE-2026-1662 (CVSS 7.5) affects the Jira events endpoint, enabling an unauthenticated attacker to cause DoS via specially crafted requests. CVE-2026-1388 (CVSS 7.5) is a regular expression denial of service (ReDoS) issue in merge requests, exploitable by sending specially crafted input to a merge request endpoint.

Additional fixes include CVE-2026-2845 (CVSS 6.5), a missing rate limit in the Bitbucket Server importer that could allow an authenticated user to cause DoS; CVE-2025-3525 (CVSS 6.5), a DoS issue in the CI trigger API; CVE-2026-1725 (CVSS 5.3), a DoS issue in the token decoder; and several medium-severity issues involving improper access control in the Conan package registry and CI job mutation. The full list of fixes is available in the official release notes.

GitLab follows a regular patch release schedule, with releases on the second and fourth Wednesdays of each month, in addition to ad-hoc critical patches for high-severity vulnerabilities. The company makes vulnerability details public on its issue tracker 30 days after the patch release. This batch of fixes underscores the importance of timely patching for self-managed GitLab instances, which are often exposed to the internet and targeted by attackers.

Organizations running self-managed GitLab should prioritize upgrading to versions 18.9.1, 18.8.5, or 18.7.5, depending on their current deployment. GitLab.com users are already protected, and GitLab Dedicated customers require no action. The vulnerabilities were discovered through GitLab's bug bounty program and internal research, highlighting the value of community and internal security testing in identifying and remediating flaws before they can be exploited in the wild.
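The practical question for an operator is which of their instances sit inside the affected ranges quoted above (16.2 before 18.7.5, 18.8 before 18.8.5, 18.9 before 18.9.1) and which patched version each one needs. The script below is an added example written for this article; it is not GitLab's tooling and does not query anything. It parses plain dotted version strings (an `-ee`/`-ce` suffix is tolerated, which is an assumption about how the inventory records versions), compares them against the three ranges taken from the text, and reports the lowest patched version on the matching range. The host names and versions in `SAMPLE_INVENTORY` are constructed for the demonstration.

```python
"""Classify self-managed GitLab versions against the affected ranges quoted
in the article for CVE-2026-0752 and report the fixed version to move to.

Added example, not GitLab's own code. Ranges come from the article text:
  16.2 <= v < 18.7.5  -> upgrade to 18.7.5
  18.8 <= v < 18.8.5  -> upgrade to 18.8.5
  18.9 <= v < 18.9.1  -> upgrade to 18.9.1
"""

import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# (inclusive lower bound, exclusive upper bound, fixed version) per the advisory.
AFFECTED_RANGES = [
    ((16, 2), (18, 7, 5), "18.7.5"),
    ((18, 8), (18, 8, 5), "18.8.5"),
    ((18, 9), (18, 9, 1), "18.9.1"),
]

# Constructed sample inventory: host name -> version string as an operator
# might record it. These hosts and versions are made up for the example.
SAMPLE_INVENTORY: Dict[str, str] = {
    "git-prod-1": "18.8.3-ee",
    "git-staging": "18.9.0",
    "git-legacy": "17.11.2",
    "git-dev": "18.9.1-ce",
    "git-old": "16.1.9",
}


def parse_version(text: str) -> Version:
    """Turn '18.8.3-ee' into (18, 8, 3). Raises ValueError on junk input
    so a typo in the inventory is noticed rather than silently skipped."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)(?:-(?:ee|ce))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(v: Version, n: int = 3) -> Version:
    """Pad a short tuple with zeros so (18, 8) compares as (18, 8, 0)."""
    return tuple(v) + (0,) * (n - len(v))


def fixed_version_for(version_text: str) -> Optional[str]:
    """Return the patched version a deployment should upgrade to, or None
    when the version lies outside every affected range (already fixed,
    or older than 16.2 and therefore not covered by the advisory)."""
    v = _pad(parse_version(version_text))
    for low, high, fixed in AFFECTED_RANGES:
        if _pad(low) <= v < _pad(high):
            return fixed
    return None


def vulnerable_hosts(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, current version, fixed version) for every affected host."""
    findings = []
    for host, version in inventory.items():
        fixed = fixed_version_for(version)
        if fixed is not None:
            findings.append((host, version, fixed))
    return findings


if __name__ == "__main__":
    for host, current, fixed in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {current} is affected, upgrade to {fixed}")
```

Versions below 16.2 return `None` because the article states the affected range starts at 16.2; a version that old is out of support rather than "safe", so an operator would normally treat it as its own finding.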

Synthesized by Vypr AI