{ "canonical_id": "gitlab-ce--c9ed3b92bd", "system_id": "gitlab-ce", "display_name": "GitLab CE", "category": "platforms", "advisory_mode": "core", "title": "GitLab Patch Release: 18.10.1, 18.9.3, 18.8.7", "summary": "\n\n

Today, we are releasing versions 18.10.1, 18.9.3, 18.8.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).

\n\n

These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to\none of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.

\n\n

GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases:\nscheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays.\nFor more information, please visit our releases handbook and security FAQ.\nYou can see all of GitLab release blog posts here.

\n\n

For security fixes, the issues detailing each vulnerability are made public on our\nissue tracker\n30 days after the release in which they were patched.

\n\n

We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to\nthe highest security standards. To maintain good security hygiene, it is highly recommended that all customers\nupgrade to the latest patch release for their supported version. You can read more\nbest practices in securing your GitLab instance in our blog post.

\n\n

Recommended Action

\n\n

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

\n\n

When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.

\n\n

Security fixes

\n\n

Table of security fixes

\n\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n
TitleSeverity
Improper Handling of Parameters issue in Jira Connect installations impacts GitLab CE/EEHigh
Cross-Site Request Forgery issue in GLQL API impacts GitLab CE/EEHigh
HTML Injection in vulnerability report impacts GitLab EEHigh
Denial of Service issue in GraphQL API impacts GitLab CE/EEHigh
Improper Access Control issue in WebAuthn 2FA impacts GitLab CE/EEMedium
Improper Access Control issue in GraphQL query impacts GitLab EEMedium
Denial of Service issue in CI configuration processing impacts GitLab CE/EEMedium
Denial of Service issue in webhook configuration impacts GitLab CE/EEMedium
Cross-site Scripting issue in Mermaid diagram renderer impacts GitLab CE/EEMedium
Improper Access Control issue in Merge Requests impacts GitLab CE/EEMedium
Access Control issue in GraphQL API impacts GitLab EEMedium
Incorrect Authorization issue in authorization caching impacts GitLab EELow
\n\n

CVE-2026-2370 - Improper Handling of Parameters issue in Jira Connect installations impacts GitLab CE/EE

\n\n

GitLab has remediated an issue affecting Jira Connect installations that could have allowed an authenticated user with minimal workspace permissions to obtain installation credentials and impersonate the GitLab app due to improper authorization checks.

\n\n

Impacted Versions: GitLab CE/EE: all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1
\nCVSS 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)

\n\n

Thanks maksyche for reporting this vulnerability through our HackerOne bug bounty program.

\n\n

CVE-2026-3857 - Cross-Site Request Forgery issue in GLQL API impacts GitLab CE/EE

\n\n

GitLab has remediated an issue that could have allowed an unauthenticated user to execute arbitrary GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection.

\n\n

Impacted Versions: GitLab CE/EE: all versions from 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1
\nCVSS 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)

\n\n

Thanks ahacker1 for reporting this vulnerability through our HackerOne bug bounty program.

\n\n

CVE-2026-2995 - HTML Injection in vulnerability report impacts GitLab EE

\n\n

GitLab has remediated an issue that could have allowed an authenticated user to add email addresses to targeted user accounts due to improper sanitization of HTML content.

\n\n

Impacted Versions: GitLab EE: all versions from 15.4 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1
\nCVSS 7.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N)

\n\n

Thanks a_m_a_m for reporting this vulnerability through our HackerOne bug bounty program.

\n\n

CVE-2026-3988 - Denial of Service issue in GraphQL API impacts GitLab CE/EE

\n\n

GitLab has remediated an issue that could have allowed an unauthenticated user to cause a denial of service by making the GitLab instance unresponsive due to improper input validation in GraphQL request processing.

\n\n

Impacted Versions: GitLab CE/EE: all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1
\nCVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

\n\n

Thanks svalkanov for reporting this vulnerability through our HackerOne bug bounty program.

\n\n

CVE-2026-2745 - Improper Access Control issue in WebAuthn 2FA impacts GitLab CE/EE

\n\n

GitLab has remediated an issue that could have allowed an unauthenticated user to bypass WebAuthn two-factor authentication and gain unauthorized access to user accounts due to inconsistent input validation in the authentication process.

\n\n

Impacted Versions: GitLab CE/EE: all versions from 7.11 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1
\nCVSS 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)

\n\n

Thanks a0xnirudh for reporting this vulnerability through our HackerOne bug bounty program.

\n\n

CVE-2026-1724 - Improper Access Control issue in GraphQL query impacts GitLab EE

\n\n

GitLab has remediated an issue that could have allowed an unauthenticated user to access API tokens of self-hosted AI models due to improper access control.

\n\n

Impacted Versions: GitLab EE: all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1
\nCVSS 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

\n\n

Thanks maksyche for reporting this vulnerability through our HackerOne bug bounty program.

\n\n

CVE-2025-13436 - Denial of Service issue in CI configuration processing impacts GitLab CE/EE

\n\n

GitLab has remediated an issue that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when handling certain CI-related inputs.

\n\n

Impacted Versions: GitLab CE/EE: all versions from 13.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1
\nCVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

\n\n

Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.

\n\n

CVE-2025-13078 - Denial of Service issue in webhook configuration impacts GitLab CE/EE

\n\n

GitLab has remediated an issue that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when processing certain webhook configuration inputs.

\n\n

Impacted Versions: GitLab CE/EE: all versions from 16.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1
\nCVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

\n\n

Thanks lucky_luke for reporting this vulnerability through our HackerOne bug bounty program.

\n\n

CVE-2026-2973 - Cross-site Scripting issue in Mermaid diagram renderer impacts GitLab CE/EE

\n\n

GitLab has remediated an issue that could have allowed an authenticated user to execute arbitrary JavaScript in a user's browser due to improper sanitization of entity-encoded content in Mermaid diagrams.

\n\n

Impacted Versions: GitLab CE/EE: all versions from 17.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1
\nCVSS 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

\n\n

Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program.

\n\n

CVE-2026-2726 - Improper Access Control issue in Merge Requests impacts GitLab CE/EE

\n\n

GitLab has remediated an issue that could have allowed an authenticated user to perform unauthorized actions on merge requests in other projects due to improper access control during cross-repository operations.

\n\n

Impacted Versions: GitLab CE/EE: all versions from 11.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1
\nCVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

\n\n

Thanks pkkr for reporting this vulnerability through our HackerOne bug bounty program.

\n\n

CVE-2025-14595 - Access Control issue in GraphQL API impacts GitLab EE

\n\n

GitLab has remediated an issue that under certain conditions could have allowed an authenticated user with Planner role to view security category metadata and attributes in group security configuration due to improper access control.

\n\n

Impacted Versions: GitLab EE: all versions from 18.6 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1
\nCVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

\n\n

Thanks kamikaze1337 for reporting this vulnerability through our HackerOne bug bounty program.

\n\n

CVE-2026-4363 - Incorrect Authorization issue in authorization caching impacts GitLab EE

\n\n

GitLab has remediated an issue that under certain conditions could have allowed an authenticated user to gain unauthorized access to resources due to improper caching of authorization decisions.

\n\n

Impacted Versions: GitLab EE: all versions from 18.1 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1
\nCVSS 3.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)

\n\n

This vulnerability was discovered internally by GitLab team member Fred de Gier.

\n\n

Bug fixes

\n\n

18.10.1

\n\n\n\n

18.9.3

\n\n\n\n

18.8.7

\n\n\n\n

Important notes on upgrading

\n\n

This patch includes database migrations that may impact your upgrade process.

\n\n

Impact on your installation:

\n\n\n

Post-deploy migrations

\n\n

The following versions include post-deploy migrations that can run after the upgrade:

\n\n\n\n

To learn more about the impact of upgrades on your installation, see:

\n\n\n

Updating

\n\n

To update GitLab, see the Update page.\nTo update GitLab Runner, see the Updating the Runner page.

\n\n

Receive Patch Notifications

\n\n

To receive patch blog notifications delivered to your inbox, visit our contact us page.\nTo receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.

\n", "published_at": "2026-03-25T00:00:00+00:00", "updated_at": "2026-03-25T00:00:00+00:00", "severity": "unknown", "cvss_score": null, "exploit_status": "unknown", "source_confidence": "official", "official_source_url": "https://about.gitlab.com/security-releases.xml", "secondary_source_urls": [], "aliases": [], "cve_ids": [], "ghsa_ids": [], "osv_ids": [], "affected_versions": [], "fixed_versions": [], "package_name": null, "render_markdown": false, "case_path": null, "secure_code_topics": [ "authz-server-side-recheck", "token-cookie-storage", "deserialization-safety", "xss-output-encoding", "dependency-upgrade-policy" ], "status": "triage", "triage_reasons": [ "missing affected/fixed version details" ], "entity_refs": [ { "entity_id": "gitlab-ce", "entity_type": "system", "relation": "root-system", "root_system_id": "gitlab-ce", "official": true } ], "affected_components": [ { "name": "GitLab CE", "entity_id": "gitlab-ce", "scope": "core", "package_name": null, "official": true } ], "affected_version_ranges": [], "fixed_version_ranges": [], "introduced_version": null, "patched_version": null, "version_evidence_sources": [ "https://about.gitlab.com/security-releases.xml" ], "affected_version_refs": [], "fixed_version_refs": [], "patched_version_refs": [], "version_sync_confidence": "low", "advisory_scope": "core", "version_confidence": "low", "version_gap_reason": "official bulletin or aggregated source did not expose explicit affected/fixed versions", "version_resolution_needed": true, "workflow": { "workflow_id": "gitlab-ce--c9ed3b92bd--workflow", "vuln_family": "xss", "entry_surface": "web-ui-render-path", "preconditions": [ "\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002", "\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: \u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d", "\u82e5\u5bf9\u8c61\u5c5e\u4e8e `core`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002" ], "required_role": "editor-or-admin", "affected_version_assertion": [ "\u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d" ], "trigger_vector": "\u5bf9 `xss` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002", "request_or_ui_path": [ "/admin/editor", "/preview", "/rendered-content" ], "input_shape": "\u53d7\u63a7 HTML/Markdown/\u5bcc\u6587\u672c\u8f93\u5165\uff0c\u89c2\u5bdf\u6e32\u67d3\u4e0a\u4e0b\u6587\u662f\u5426\u5931\u53bb\u7f16\u7801\u6216\u51c0\u5316\u3002", "expected_unsafe_behavior": "\u8f93\u5165\u5728\u76ee\u6807\u4e0a\u4e0b\u6587\u6267\u884c\u6216\u88ab\u6d4f\u89c8\u5668\u89e3\u91ca\u4e3a\u4e3b\u52a8\u5185\u5bb9\u3002", "server_evidence_points": [ "\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808", "\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56" ], "browser_evidence_points": [ "\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02", "console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7" ], "db_or_fs_evidence_points": [ "\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e", "\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9" ], "detection_signals": [ "WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66", "\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6" ], "mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002", "patch_validation_steps": [ "\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `\u53d7\u5f71\u54cd\u7248\u672c\u533a\u95f4` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `\u4fee\u590d\u7248\u672c`\u3002", "\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002", "\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002", "\u8865\u5145 `xss` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002" ], "lab_safety_notes": [ "\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002", "\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002", "\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002" ], "review_state": "needs-version-gap-review" }, "verification_status": "triage-manual", "verification_mode": "synthetic", "last_verified_at": null, "last_run_id": null, "evidence_bundle": null, "historical_status": null, "latest_status": null, "browser_evidence": { "required": false, "present": false, "refs": [] }, "repro_profile_id": "xss-generic", "artifact_mode": "synthetic", "blocked_reason": null, "metadata": { "source_names": [ "GitLab Security Releases Atom" ], "source_kinds": [ "atom-feed" ], "candidate_count": 1, "entity_ref_count": 1, "advisory_scope": "core", "version_confidence": "low", "workflow_id": "gitlab-ce--c9ed3b92bd--workflow" } }