GitLab Patches High-Severity Jira Connect Credential Theft and CSRF Flaws in Urgent Release
GitLab released versions 18.10.1, 18.9.3, and 18.8.7 on March 25, 2026, fixing multiple high-severity vulnerabilities including a Jira Connect credential theft bug (CVE-2026-2370) and a CSRF flaw in the GLQL API (CVE-2026-3857).

GitLab released versions 18.10.1, 18.9.3, and 18.8.7 on March 25, 2026, patching a dozen security vulnerabilities across Community Edition and Enterprise Edition. The update addresses two high-severity flaws—CVE-2026-2370 (CVSS 8.1) in Jira Connect and CVE-2026-3857 (CVSS 8.1) in the GLQL API—along with an HTML injection bug in vulnerability reports and several medium-severity issues affecting WebAuthn 2FA, GraphQL, CI configuration, webhooks, and Mermaid diagram rendering.
CVE-2026-2370 stems from improper parameter handling in Jira Connect installations. An authenticated attacker with minimal workspace permissions could exploit the flaw to steal installation credentials and impersonate the GitLab app, potentially gaining unauthorized access to connected Jira instances. The vulnerability affects all GitLab versions from 14.3 through 18.8.6, 18.9.x before 18.9.3, and 18.10.x before 18.10.1. The issue was reported by researcher maksyche via GitLab's HackerOne bug bounty program.
CVE-2026-3857 is a cross-site request forgery vulnerability in the GLQL API that allows an unauthenticated attacker to execute arbitrary GraphQL mutations on behalf of an authenticated user. The bug, which carries a CVSS score of 8.1, affects versions from 17.10 onward and was reported by researcher ahacker1. GitLab's advisory notes that the flaw could enable attackers to perform sensitive operations if they can trick a logged-in user into visiting a malicious page.
A third high-severity issue, CVE-2026-2995 (CVSS 7.7), is an HTML injection vulnerability in GitLab EE's vulnerability report feature. An authenticated attacker could exploit improper HTML sanitization to add email addresses to targeted user accounts, potentially facilitating account takeover or phishing campaigns. The bug affects versions from 15.4 onward and was reported by researchers a_m_a_m and yvvdwf.
Medium-severity fixes include CVE-2026-2745, a WebAuthn 2FA bypass affecting versions as old as 7.11, and CVE-2026-1724, an access control flaw in GraphQL queries that could expose API tokens of self-hosted AI models. Several denial-of-service issues were also patched, including CVE-2026-3988 in the GraphQL API and flaws in CI configuration processing and webhook handling. A cross-site scripting vulnerability in the Mermaid diagram renderer was also addressed.
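For administrators triaging a fleet of self-managed instances, the practical question is whether a given version string falls inside the affected ranges quoted above. The following is an added example, not GitLab's own tooling: it encodes the three fixed releases (18.10.1, 18.9.3, 18.8.7) and the earliest affected versions the article gives for four of the CVEs (CVE-2026-2370 from 14.3, CVE-2026-3857 from 17.10, CVE-2026-2995 from 15.4, CVE-2026-2745 from 7.11). It assumes, as the article states, that the same three releases fix every listed CVE, that any release stream older than 18.8 is only fixed by upgrading to one of them, and that a version string may carry a `-ee`/`-ce` suffix (the sample inputs in the test are constructed). CVEs for which the article gives no starting version are omitted.

```python
# Added example (not GitLab code): map a self-managed GitLab version string to the
# CVEs from the March 25, 2026 release that still apply to it.

# Fixed releases named in the advisory summary, keyed by release stream.
FIXED_BY_STREAM = {
    (18, 10): (18, 10, 1),
    (18, 9): (18, 9, 3),
    (18, 8): (18, 8, 7),
}
OLDEST_FIXED_STREAM = (18, 8)  # assumption: streams below 18.8 have no backported fix

# Earliest affected version per CVE, as quoted in the article.
ADVISORY_START = {
    "CVE-2026-2370": (14, 3, 0),   # Jira Connect credential theft
    "CVE-2026-3857": (17, 10, 0),  # GLQL API CSRF
    "CVE-2026-2995": (15, 4, 0),   # HTML injection in vulnerability report
    "CVE-2026-2745": (7, 11, 0),   # WebAuthn 2FA bypass
}


def parse_version(text):
    """Turn '18.9.2-ee' into (18, 9, 2); missing components default to 0."""
    core = text.strip().split("-")[0]          # drop edition suffix (assumption)
    nums = [int(p) for p in core.split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_patched(version):
    """True when the version is at or above the fixed release for its stream."""
    stream = version[:2]
    if stream in FIXED_BY_STREAM:
        return version >= FIXED_BY_STREAM[stream]
    if stream > (18, 10):
        return True                             # newer stream than the release set
    return False                                # older stream: no fixed release exists


def affected_cves(version_text):
    """Return the CVEs from the advisory that apply to the given version string."""
    version = parse_version(version_text)
    if is_patched(version):
        return []
    return [cve for cve, start in ADVISORY_START.items() if version >= start]


if __name__ == "__main__":
    for sample in ("18.10.0-ee", "18.9.3-ce", "18.8.6", "16.0.0", "14.2.0"):
        print(sample, "->", affected_cves(sample) or "patched")
```

The check is deliberately conservative: a version in a stream older than 18.8 is reported as unpatched even if its patch number is high, because the only remedy the article describes is moving to one of the three named releases.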
GitLab strongly recommends that all self-managed instances upgrade immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action. As is standard practice, the issue details for each vulnerability will be made public on GitLab's issue tracker 30 days after the release. This patch release follows GitLab's regular security update cadence, which delivers fixes on the second and fourth Wednesdays of each month.