GitLab Ships Emergency Patch Release Fixing Multiple High-Severity XSS and DoS Flaws
GitLab released versions 18.11.3, 18.10.6, and 18.9.7 on May 13, 2026, patching multiple high-severity vulnerabilities including cross-site scripting and denial-of-service issues across Analytics dashboards, global search, and CI/CD APIs.
GitLab has released emergency patch versions 18.11.3, 18.10.6, and 18.9.7 for both Community Edition (CE) and Enterprise Edition (EE) as of May 13, 2026. The updates address a slate of high-severity vulnerabilities, including multiple cross-site scripting (XSS) flaws and denial-of-service (DoS) issues that could allow authenticated attackers to compromise user sessions or disrupt service availability. GitLab strongly recommends that all self-managed installations upgrade immediately; GitLab.com and GitLab Dedicated customers are already protected.
Among the most critical fixes is CVE-2026-7481, an XSS vulnerability in the Analytics dashboard chart rendering that affects GitLab EE versions from 16.4 through the affected branches. The flaw, carrying a CVSS score of 8.7, allows an authenticated user with developer-role permissions to execute arbitrary JavaScript in other users' browsers due to improper input sanitization. Two additional XSS issues—CVE-2026-5297 in global search and CVE-2026-6073 in Duo Agent output rendering—also carry CVSS 8.7 ratings and affect both CE and EE or EE only, respectively.
The patch release also addresses four high-severity DoS vulnerabilities. CVE-2026-1659 affects the CI/CD job update API, CVE-2026-1660 targets the Duo Workflows API, and CVE-2026-1661 impacts internal API endpoints—all rated high severity. A fourth DoS flaw in Insights Configuration (CVE-2026-1662) is rated medium severity. These issues could allow attackers to exhaust server resources and degrade GitLab instance performance.
Additional medium-severity fixes include improper authorization in GraphQL token scope enforcement (CVE-2026-1663), access control issues in the Issues API (CVE-2026-1664), and a CSRF vulnerability in JiraConnect subscriptions (CVE-2026-1665). The release also patches a server-side request forgery (SSRF) flaw in the virtual registry redirect handler (CVE-2026-1666) rated low severity, and multiple access control issues across Helm package uploads, NuGet Symbol Server, and Container Registry protected tags.
Several of the vulnerabilities were reported through GitLab's HackerOne bug bounty program, with researchers yvvdwf, joaxcar, and aphantom credited for discovering XSS flaws. GitLab team member Chaoyue Zhao and researcher a_m_a_m were credited for the internally discovered global search XSS. The company follows a policy of making vulnerability details public 30 days after the patch release.
This patch release underscores the ongoing challenge of securing complex DevOps platforms that handle sensitive source code and CI/CD pipelines. GitLab's dual-track release model—scheduled bi-weekly patches alongside ad-hoc critical releases—aims to balance feature velocity with security responsiveness. Organizations running self-managed GitLab instances should prioritize this upgrade given the combination of XSS and DoS risks that could be chained for broader compromise.