GitLab Patches High-Severity XSS and DoS Flaws Across Multiple Versions
GitLab released versions 18.9.2, 18.8.6, and 18.7.6 on March 11, 2026, fixing multiple high-severity vulnerabilities including a cross-site scripting bug and several denial-of-service issues.

GitLab has shipped emergency patch releases for its Community and Enterprise Editions, addressing a raft of security vulnerabilities that could allow attackers to inject malicious scripts or knock servers offline. The updates, versions 18.9.2, 18.8.6, and 18.7.6, were released on March 11, 2026, and GitLab is urging all self-managed installations to upgrade immediately. GitLab.com and GitLab Dedicated customers are already protected.
The most severe flaw fixed is CVE-2026-1090, a cross-site scripting (XSS) vulnerability in GitLab's Markdown placeholder processing. With a CVSS score of 8.7, the bug allows an authenticated user to inject arbitrary JavaScript into a victim's browser when the `markdown_placeholders` feature flag is enabled. The issue stems from improper sanitization of placeholder content, affecting all versions from 10.6 up to the patched releases. The vulnerability was reported through GitLab's HackerOne bug bounty program by researcher yvvdwf.
Several high-severity denial-of-service (DoS) vulnerabilities were also patched. CVE-2026-1069 affects the GraphQL API and can be exploited by unauthenticated attackers sending specially crafted requests that trigger uncontrolled recursion, leading to a service crash. This flaw only impacts versions 18.9.x prior to 18.9.2 and carries a CVSS score of 7.5. Additional DoS bugs were fixed in the repository archive endpoint (CVE-2025-13929), the protected branches API (CVE-2025-14513), and webhook custom headers (CVE-2025-13690), all of which could be triggered by unauthenticated or low-privilege users.
Medium-severity issues addressed include improper access control in the runners API and snippet rendering, information disclosure in inaccessible and confidential issues, a CRLF injection flaw, and a missing authorization bug in Group Import. A low-severity incorrect authorization issue in the Virtual Registry and an improper output escaping problem in the Datadog integration were also fixed. GitLab has not reported any active exploitation of these vulnerabilities in the wild, but the company's security advisory warns that details will be made public 30 days after the release, increasing the risk of reverse-engineered exploits.
The patch release follows GitLab's standard cadence of scheduled updates on the second and fourth Wednesdays of each month, though the company also issues ad-hoc critical patches for high-severity vulnerabilities. This batch of fixes underscores the ongoing challenge of securing complex DevOps platforms that handle sensitive source code and CI/CD pipelines. GitLab's self-managed customers, who are responsible for their own patching, are particularly urged to act quickly given the breadth of attack surfaces addressed.
Organizations running GitLab should upgrade to versions 18.9.2, 18.8.6, or 18.7.6 depending on their current deployment. GitLab has provided detailed upgrade instructions and best practices for securing instances. The company also encourages users to report vulnerabilities through its bug bounty program, which contributed to the discovery of several of the flaws fixed in this release.
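For operators working through an inventory of self-managed instances, the following is an added example (not GitLab's own tooling) that classifies a running version against the three fixed releases named above and lists which of the two flaws with explicitly stated ranges in this article (CVE-2026-1090, CVE-2026-1069) still apply. It takes the version string as its only input; where an operator gets that string from is outside the article, and the `/api/v4/version` endpoint and `gitlab-rake gitlab:env:info` mentioned in the docstring are assumed, not from the page. Versions on branches newer than 18.9 are reported as out of scope rather than assumed patched, because the article says nothing about them.

```python
"""Classify a self-managed GitLab version against the March 11, 2026 patch
releases (18.9.2, 18.8.6, 18.7.6) described in the article above.

Added example for operators, not GitLab's own tooling. The only input is the
version string (operators typically read it from GET /api/v4/version or
`gitlab-rake gitlab:env:info`; both are assumed here, not from the article),
and only the version ranges the article states are modelled.
"""
from __future__ import annotations

Version = tuple[int, int, int]

# Fixed release per minor branch, as named in the advisory.
PATCHED: dict[tuple[int, int], Version] = {
    (18, 9): (18, 9, 2),
    (18, 8): (18, 8, 6),
    (18, 7): (18, 7, 6),
}
OLDEST_PATCHED_BRANCH = min(PATCHED)  # (18, 7)


def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z' with an optional '-ee' / '-ce' suffix into an int tuple."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def patch_status(text: str) -> dict:
    """Return the advisory status for one running version.

    status is one of:
      'patched'      - at or above the fixed release of its own branch
      'vulnerable'   - on a covered branch but below its fix, or on an
                       older branch that received no fix at all
      'out_of_scope' - newer than any branch named in the advisory; the
                       article says nothing about these, so nothing is assumed
    """
    v = parse_version(text)
    branch = v[:2]
    fixed = PATCHED.get(branch)
    if fixed is not None:
        if v >= fixed:
            return {"version": text, "status": "patched", "upgrade_to": None}
        return {"version": text, "status": "vulnerable", "upgrade_to": fmt(fixed)}
    if branch < OLDEST_PATCHED_BRANCH:
        # No patched release exists on this branch; the nearest fix is 18.7.6.
        return {"version": text, "status": "vulnerable",
                "upgrade_to": fmt(PATCHED[OLDEST_PATCHED_BRANCH])}
    return {"version": text, "status": "out_of_scope", "upgrade_to": None}


def exposed_cves(text: str) -> list[str]:
    """List the CVEs from the article whose stated ranges include this version.

    Only the two flaws with explicit ranges in the article are modelled; the
    remaining fixes are covered by patch_status() at the release level.
    """
    v = parse_version(text)
    if patch_status(text)["status"] != "vulnerable":
        return []
    cves: list[str] = []
    # CVE-2026-1090 (Markdown placeholder XSS): 10.6 up to the patched releases.
    if v >= (10, 6, 0):
        cves.append("CVE-2026-1090")
    # CVE-2026-1069 (GraphQL DoS): only 18.9.x prior to 18.9.2.
    if v[:2] == (18, 9) and v < (18, 9, 2):
        cves.append("CVE-2026-1069")
    return cves


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for ver in ["18.9.1-ee", "18.9.2-ee", "18.8.6", "18.7.5", "17.11.3", "18.10.0"]:
        print(ver, patch_status(ver)["status"], exposed_cves(ver))
```

The per-branch table mirrors how the advisory is structured: an instance on 18.8.5 is told to move to 18.8.6, not to 18.9.2, so the check never recommends a minor-version jump that the operator did not plan for. Anything below 18.7 is flagged as vulnerable with 18.7.6 as the nearest fix, since the article names no patched release on older branches.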