GitLab Patch Release Fixes Multiple High-Severity Flaws Including Token Theft and DoS
GitLab released versions 18.8.4, 18.7.4, and 18.6.6 on February 10, 2026, patching multiple vulnerabilities including a high-severity Web IDE token theft bug (CVE-2025-7659) and two denial-of-service issues.

GitLab released versions 18.8.4, 18.7.4, and 18.6.6 on February 10, 2026, fixing multiple security vulnerabilities across Community Edition (CE) and Enterprise Edition (EE). The patch addresses a total of 14 security issues; the three highest-scoring are CVE-2025-7659 (CVSS 8.0), CVE-2025-8099 (CVSS 7.5), and CVE-2026-0958 (CVSS 7.5). GitLab strongly recommends that all self-managed installations upgrade immediately; GitLab.com is already running the patched version.
The most critical vulnerability, CVE-2025-7659, is an incomplete validation issue in the Web IDE that could allow an unauthenticated attacker to steal tokens and access private repositories. Discovered by researcher cav0ur via GitLab's HackerOne bug bounty program, the flaw affects all versions from 18.2 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4. The CVSS vector records high attack complexity and required user interaction, so exploitation depends on a victim acting rather than on the attacker holding an account; once it succeeds, the impact on confidentiality and integrity is rated high.
Two denial-of-service vulnerabilities were also patched. CVE-2025-8099 allows an unauthenticated attacker to cause DoS by sending repeated GraphQL introspection queries and affects versions from 10.8 onward. CVE-2026-0958 enables DoS through memory or CPU exhaustion by bypassing the limits enforced by the JSON validation middleware and affects versions from 18.4 onward. Both have a CVSS score of 7.5, both are fixed in the same three patch releases, and both were reported through the HackerOne program.
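The first thing an operator wants from an advisory like this is a yes/no answer for the version they are actually running. The following Python is an added example, not code from the article or from GitLab: it encodes the affected ranges quoted above for the three highest-scoring CVEs (lower bound inclusive, fixed version exclusive, per branch) and evaluates a GitLab version string against them. The `/api/v4/version` endpoint it is written around is GitLab's real, authenticated version endpoint, but the JSON payload below is constructed, and the assumption that CVE-2025-8099 and CVE-2026-0958 share the same three per-branch fixed versions as CVE-2025-7659 is taken from the article's statement that the three releases fix all of them, not from the advisory text itself.

```python
import json

Version = tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse '18.6.5', '18.6.5-ee' or '18.2' into a (major, minor, patch) tuple.

    GitLab reports edition suffixes such as '-ee'; everything after the first
    '-' is ignored. Missing components are treated as 0.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


# Fixed versions named in the February 10, 2026 patch release.
FIXED_18_6 = parse_version("18.6.6")
FIXED_18_7 = parse_version("18.7.4")
FIXED_18_8 = parse_version("18.8.4")

# First affected version per CVE, as stated in the article. The per-branch
# fixed versions are assumed to be the same three releases for every entry.
ADVISORY = {
    "CVE-2025-7659": "18.2",   # Web IDE token theft
    "CVE-2025-8099": "10.8",   # GraphQL introspection DoS
    "CVE-2026-0958": "18.4",   # JSON validation middleware bypass DoS
}


def affected_ranges(introduced: str) -> list[tuple[Version, Version]]:
    """Per-branch [introduced, fixed) ranges, mirroring GitLab's
    'from X before Y' phrasing. Anything between `introduced` and 18.6.6
    (including unsupported minors such as 18.5.x) counts as affected."""
    return [
        (parse_version(introduced), FIXED_18_6),
        (parse_version("18.7"), FIXED_18_7),
        (parse_version("18.8"), FIXED_18_8),
    ]


def is_affected(version: str, introduced: str) -> bool:
    """True if `version` falls inside any affected range for this CVE."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in affected_ranges(introduced))


def open_cves(version: str) -> list[str]:
    """CVEs from ADVISORY that still apply to the given version."""
    return [cve for cve, intro in ADVISORY.items() if is_affected(version, intro)]


def assess(version_payload: str) -> dict:
    """Evaluate the JSON body returned by GET /api/v4/version
    (requires a PRIVATE-TOKEN header when fetched for real)."""
    data = json.loads(version_payload)
    version = data["version"]
    cves = open_cves(version)
    return {
        "version": version,
        "affected": cves,
        "action": "upgrade to 18.6.6 / 18.7.4 / 18.8.4 or later" if cves else "none",
    }


# Constructed sample payload standing in for a live API response.
SAMPLE_PAYLOAD = '{"version": "18.7.3-ee", "revision": "0123abcd"}'

if __name__ == "__main__":
    print(assess(SAMPLE_PAYLOAD))
```

The ordering used here is plain numeric tuple comparison, which is enough for GitLab's `major.minor.patch` scheme; the point of the per-branch ranges is that a version such as 18.7.5 is not flagged even though it is numerically below 18.8.4, while 18.5.x is flagged because the first range runs from the introduced version all the way to 18.6.6.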
Two further fixes score CVSS 7.3: CVE-2025-14560, a cross-site scripting issue in Code Flow that could allow an authenticated attacker to perform unauthorized actions on behalf of another user, and CVE-2026-0595, an HTML injection vulnerability in test case titles that could allow an attacker to add unauthorized email addresses to user accounts.
The release also addresses medium-severity issues such as server-side request forgery (SSRF) in the Virtual Registry and in Git repository import, denial of service in the Markdown processor and preview, and an authorization bypass in the iterations API. Low-severity fixes include stored HTML injection in project labels and an authorization bypass in the Pipeline Schedules API.
GitLab's patch release follows its regular schedule, with the details of each issue made public on its issue tracker 30 days after the patch release. The company emphasizes that all self-managed installations should upgrade to the latest patch release for their supported version. Note that the affected ranges for the two DoS flaws begin at 10.8 and 18.4, so installations still on minor versions older than 18.6 are exposed and have no fix in their own branch; they need to move to 18.6.6 or later. GitLab Dedicated customers are not affected and need no action.