GitLab Patches Critical AI Gateway Flaw Allowing Remote Code Execution
GitLab released emergency patches for a critical vulnerability in its AI Gateway that could allow authenticated attackers to achieve remote code execution via crafted Duo Workflow definitions.
GitLab released versions 18.6.2, 18.7.1, and 18.8.1 of its AI Gateway on February 6, 2026, to address a critical security vulnerability tracked as CVE-2026-1868. The flaw, which carries a CVSS score of 9.9, resides in the Duo Workflow Service component and stems from insecure template expansion of user-supplied data. An authenticated attacker can exploit this by crafting malicious Duo Agent Platform Flow definitions, potentially leading to denial of service or full code execution on the Gateway.
The vulnerability affects all self-hosted AI Gateway versions starting from 18.1.6, 18.2.6, and 18.3.1 up to the fixed releases. GitLab-hosted instances—including GitLab.com, GitLab Dedicated, and GitLab Self Managed installations using the hosted AI Gateway—are already protected and require no action. The company strongly recommends that all self-managed customers with GitLab Duo Self-Hosted installations upgrade immediately.
The issue was discovered internally by GitLab team member Joern Schneeweisz, meaning no external researcher reported the flaw. GitLab has not disclosed any evidence of active exploitation in the wild, but the severity of the vulnerability—allowing code execution with a low attack complexity and no user interaction—makes patching urgent. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) indicates that an attacker with only low-level authenticated access can compromise the Gateway's confidentiality, integrity, and availability.
This patch arrives as GitLab continues to expand its AI-powered features, including GitLab Duo, which integrates AI assistance into the DevOps lifecycle. The AI Gateway serves as a critical component for self-hosted customers, handling requests between GitLab instances and AI models. A compromise of this gateway could allow attackers to intercept or manipulate AI-generated outputs, access sensitive data processed during workflows, or pivot to other systems within the network.
GitLab has not provided specific mitigations for customers unable to patch immediately, but the company's advisory emphasizes that upgrading to the fixed versions is the only recommended course of action. The patch release also includes unspecified additional security fixes, though CVE-2026-1868 is the only vulnerability detailed in the advisory.
This incident highlights the growing attack surface introduced by AI integrations in enterprise software. As vendors rush to embed AI capabilities, the underlying infrastructure—such as gateways, APIs, and workflow engines—becomes a new vector for exploitation. GitLab's rapid response and internal discovery of the flaw demonstrate proactive security practices, but the high CVSS score underscores the risks inherent in complex AI service architectures.
Organizations running self-hosted GitLab Duo should prioritize this update, as the vulnerability requires only authenticated access—a condition easily met by compromised credentials or insider threats. With no workarounds available, the patch is the sole defense against potential code execution on the AI Gateway.