VYPR
patch · Published Nov 26, 2025 · Updated May 20, 2026 · 1 source

GitLab Patches CI/CD Cache Race Condition and Authentication Bypass in Emergency Release

GitLab released versions 18.6.1, 18.5.3, and 18.4.5 on November 26, 2025, fixing seven vulnerabilities including a high-severity race condition in CI/CD cache and an unauthenticated authentication bypass.

GitLab has shipped emergency patch releases for its Community and Enterprise Editions, addressing seven security vulnerabilities across versions 18.4, 18.5, and 18.6. The most critical of these is CVE-2024-9183, a race condition in the CI/CD cache mechanism that could allow an authenticated attacker to obtain credentials from higher-privileged users and perform actions in their context. With a CVSS score of 7.7, the flaw was reported through GitLab's HackerOne bug bounty program by researcher aphantom.

Alongside the race condition, GitLab fixed CVE-2025-12571, an unauthenticated denial-of-service vulnerability in the JSON input validation middleware. An attacker could trigger a DoS condition by sending specially crafted requests containing malicious JSON payloads, earning the issue a CVSS score of 7.5. The vulnerability was reported by researcher a92847865, who also contributed to the discovery of CVE-2025-7449, a medium-severity DoS in HTTP response processing affecting authenticated users with specific permissions.

Perhaps the most concerning flaw for organizations is CVE-2025-12653, an authentication bypass in the account registration process. Under specific conditions, an unauthenticated attacker could join arbitrary organizations by manipulating HTTP headers on certain requests. This vulnerability, rated CVSS 6.5, was reported by researcher pwnie and affects all versions from 18.3 onward. The ability for an unauthenticated user to gain membership in any organization could lead to unauthorized access to sensitive projects and data.

Additional fixes include CVE-2025-6195, an improper authorization issue in markdown rendering affecting GitLab EE only, which could allow authenticated users to view information from security reports under certain configurations. GitLab also patched CVE-2025-13611, a low-severity information disclosure in the Terraform registry that could expose sensitive tokens to authenticated users with access to specific logs.

All self-managed GitLab instances running versions 18.4 before 18.4.5, 18.5 before 18.5.3, or 18.6 before 18.6.1 are urged to upgrade immediately. GitLab.com has already been updated to the patched version, and GitLab Dedicated customers do not need to take action. The company follows a policy of making vulnerability details public 30 days after the patch release, giving administrators time to update before full technical disclosures emerge.
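To act on the upgrade guidance above, the following added Python check (not GitLab's code and not part of the original article) compares an instance's reported version with the minimum fixed release on its minor branch (18.4.5, 18.5.3, 18.6.1) and names the upgrade target. It assumes GitLab's REST `/api/v4/version` endpoint with a `PRIVATE-TOKEN` header for fetching the version, and assumes that minor branches newer than 18.6 were cut after the fix.

```python
import json
import re
import urllib.request

# Minimum fixed version per supported minor branch, from the Nov 26, 2025 release.
PATCHED = {(18, 4): (18, 4, 5), (18, 5): (18, 5, 3), (18, 6): (18, 6, 1)}
LATEST_FIXED = max(PATCHED.values())
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse '18.5.2' or '18.5.2-ee' into (18, 5, 2); edition suffixes are dropped."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return {'version', 'patched', 'upgrade_to'} for one reported version."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in PATCHED:
        fixed = PATCHED[branch]
        ok = v >= fixed
        return {"version": version_text, "patched": ok,
                "upgrade_to": None if ok else ".".join(map(str, fixed))}
    if branch > max(PATCHED):
        # Assumption: minor branches newer than 18.6 were cut after the fix.
        return {"version": version_text, "patched": True, "upgrade_to": None}
    # Older branch (e.g. 18.3, which the registration bypass also affects):
    # no fixed release exists on it, so the remedy is moving to a patched branch.
    return {"version": version_text, "patched": False,
            "upgrade_to": ".".join(map(str, LATEST_FIXED))}


def fetch_version(base_url, token):
    """Read the running version from GitLab's /api/v4/version endpoint."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v4/version",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample versions, not real inventory data.
    for sample in ("18.6.0", "18.5.2-ee", "18.4.5", "18.3.4-ee", "18.7.0"):
        print(assess(sample))
```

Run `assess(fetch_version(url, token))` per instance to produce an upgrade list across a fleet; the `-ee`/`-ce` suffix in the API response is handled by `parse_version`.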

This batch of patches arrives as GitLab continues to face scrutiny over its security posture. The CI/CD cache race condition is particularly notable because it targets a core DevOps workflow component, potentially allowing attackers to pivot from low-privileged access to full administrative control. With GitLab serving as a critical part of many organizations' software supply chains, the authentication bypass flaw further underscores the importance of rapid patching for self-managed deployments.

Synthesized by Vypr AI