VYPR
Published Jun 10, 2026 · 1 source

GitLab Releases Patch Updates Addressing Multiple Vulnerabilities

GitLab has issued patch versions 19.0.2, 18.11.5, and 18.10.8 to fix a range of security flaws, including high-severity issues in its Group SAML Identity API and Analytics Dashboard.

GitLab has released patch versions 19.0.2, 18.11.5, and 18.10.8 for its Community Edition (CE) and Enterprise Edition (EE). These releases contain security fixes for multiple vulnerabilities, and GitLab strongly recommends that all self-managed installations upgrade to one of them immediately. GitLab.com is already running the patched versions, and GitLab Dedicated customers do not need to take any action.

The patch releases fix several high-severity vulnerabilities. The first is CVE-2026-6552, an Improper Access Control issue in the Group SAML Identity API: because of improper authorization in the SAML identity management functionality, an authenticated user holding the Group Owner role could, under specific conditions, take over another group member's GitLab account. The second, CVE-2026-10087, is a Cross-site Scripting (XSS) issue in the Analytics Dashboard caused by insufficient input sanitization; an authenticated user with the Developer role could use it to execute arbitrary client-side code in the browser of a targeted user.

Further high-severity issues include a Denial of Service (DoS) vulnerability in the Grape API JSON parsing middleware (CVE-2026-7250), which an unauthenticated user could exploit to disrupt the service. An HTML injection issue in certain group settings fields (CVE-2026-8589) could have allowed an authenticated user to add unauthorized email addresses to another user's account. A DoS vulnerability in the Group Placeholder Reassignments API (CVE-2026-1500), caused by uncontrolled resource consumption when processing specially crafted file uploads, was also patched.

Beyond the high-severity flaws, the updates also resolve several medium- and low-severity vulnerabilities. These include Improper Access Control issues in the Merge Requests API (CVE-2026-6269) and the Todos API (CVE-2026-3371), a Server-Side Request Forgery (SSRF) vulnerability in Gitaly repository import (CVE-2026-5687), and HTML injection in the CI/CD Catalog (CVE-2026-4701). An Authorization Bypass in Merge Request diffs (CVE-2026-2812) and a low-severity Improper Neutralization issue in the Service Desk email template (CVE-2026-1501) were also fixed.

GitLab follows a fixed release schedule: scheduled patch releases ship twice a month, on the second and fourth Wednesdays. Ad-hoc critical patches are released outside this schedule when a high-severity vulnerability requires it. The company states that it is committed to maintaining the highest security standards for all customer-facing aspects of its platform and data hosting.

Details of each vulnerability are made public on GitLab's issue tracker 30 days after the release in which it was patched, in line with GitLab's disclosure practice. The company advises users to consult its security handbook and FAQ for further guidance on securing their GitLab instances.

Anyone running an affected GitLab CE/EE version is strongly recommended to upgrade to the latest patch release for their supported minor line (19.0.2, 18.11.5, or 18.10.8). The affected version ranges differ per vulnerability, but each generally covers the releases leading up to the patched versions, so the fixes apply across most current GitLab deployments.
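As an added example (not GitLab's own tooling and not part of the advisory), the following Python check compares a self-managed instance's reported version with the three patch releases above and tells the operator whether it is patched, needs the patch for its own minor line, sits on an older line with no patch at all, or is newer than the advisory covers. The version strings in the block are constructed samples. The `/api/v4/version` endpoint and the `PRIVATE-TOKEN` header are GitLab's real API, but the helper that calls them is this example's own and is not exercised offline.

```python
"""Decide whether a self-managed GitLab instance is at or above the patch
release for its minor line. Added example; not GitLab's own tooling."""
import json
import urllib.request

# Patch releases named in the advisory, one per supported minor line.
PATCHED_VERSIONS = ("19.0.2", "18.11.5", "18.10.8")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' with an optional '-ee'/'-ce' suffix
    (the form GET /api/v4/version returns) into a comparable tuple."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(installed: str) -> dict:
    """Compare an installed version with the advisory's patch releases.

    'status' is one of 'patched', 'vulnerable', 'unsupported' or 'newer';
    'target' names the release to upgrade to where one is needed."""
    inst = parse_version(installed)
    fixed = {v[:2]: v for v in map(parse_version, PATCHED_VERSIONS)}
    line = inst[:2]

    if line in fixed:
        target = fixed[line]
        if inst >= target:
            return {"status": "patched", "installed": installed}
        return {"status": "vulnerable", "installed": installed,
                "target": ".".join(map(str, target))}

    if line > max(fixed):
        # Newer than anything in this advisory: consult later release notes.
        return {"status": "newer", "installed": installed}

    # Older minor line: no patch was issued for it, so the instance must move
    # to the nearest patched line (following GitLab's documented upgrade path).
    target = min(v for k, v in fixed.items() if k > line)
    return {"status": "unsupported", "installed": installed,
            "target": ".".join(map(str, target))}


def fetch_installed_version(base_url: str, token: str) -> str:
    """Read the running version from GET /api/v4/version.
    The endpoint requires an authenticated token; this helper is only
    illustrative and is not called when the block runs offline."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample versions; in practice use
    # fetch_installed_version("https://gitlab.example.com", token).
    for sample in ("18.11.3-ee", "18.11.5-ee", "19.0.2-ce", "18.9.4-ee", "19.1.0"):
        print(sample, "->", assess(sample))
```

The check keys on the minor line rather than on a single "latest" version because GitLab backports each fix to every supported line, so an 18.11 instance is fully patched at 18.11.5 and does not need to jump to 19.0.2; an instance on an older line such as 18.9, by contrast, receives no patch and has to move up.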

Users are encouraged to review the release notes for details of each fix and to apply the updates without delay, since the disclosed flaws include unauthenticated denial of service and authenticated account takeover.

Synthesized by Vypr AI