GitLab has released critical security updates for both its Enterprise Edition (EE) and Community Edition (CE) to address a cluster of vulnerabilities.
Chief among these are two high-severity flaws carrying a CVSS score of 8.7 that could facilitate account takeover and arbitrary code execution.
The security patches are rolled into versions 19.0.2, 18.11.5, and 18.10.8. Organizations utilizing affected installations are strongly advised to update immediately to mitigate the risk of unauthorized access, service disruption, and data exfiltration.
The release resolves 12 documented vulnerabilities ranging from high-severity authorization bypasses to low-severity improper input handling. Below is a comprehensive breakdown of the patched CVEs:
| CVE Identifier | Vulnerability Type | Impacted Editions | Max CVSS Score |
|---|---|---|---|
| CVE-2026-6552 | Improper Access Control (Group SAML) | GitLab EE | 8.7 (High) |
| CVE-2026-10087 | Cross-Site Scripting (Analytics Dashboard) | GitLab EE | 8.7 (High) |
| CVE-2026-7250 | Denial of Service (Grape API JSON Parsing) | GitLab CE/EE | 7.5 (High) |
| CVE-2026-8589 | HTML Injection (Group Setting Fields) | GitLab EE | 7.3 (High) |
| CVE-2026-1500 | Denial of Service (Placeholder Reassignments) | GitLab CE/EE | 6.5 (Medium) |
| CVE-2026-6269 | Improper Access Control (Merge Requests API) | GitLab CE/EE | 5.4 (Medium) |
| CVE-2026-9204 | Server-Side Request Forgery (Gitaly Import) | GitLab CE/EE | 5.3 (Medium) |
| CVE-2026-10733 | HTML Injection (CI/CD Catalog DoS) | GitLab CE/EE | 4.3 (Medium) |
| CVE-2026-6277 | Improper Access Control (Security Inventory) | GitLab EE | 4.3 (Medium) |
| CVE-2026-6976 | Authorization Bypass (Merge Request Diff) | GitLab CE/EE | 3.7 (Low) |
| CVE-2026-3553 | Improper Access Control (Todos API) | GitLab CE/EE | 3.1 (Low) |
| CVE-2026-9694 | Improper Neutralization (Service Desk Email) | GitLab CE/EE | 2.6 (Low) |
CVE-2026-6552, the Group SAML account takeover (CVSS 8.7), represents the most acute threat in this release cycle. An improper authorization flaw within the Group SAML identity management functionality allows an authenticated attacker holding the Group Owner role to hijack the accounts of other group members under specific configurations.
Because SAML is heavily relied upon for Single Sign-On (SSO) in enterprise environments, exploiting this defect could grant malicious actors wide-ranging access to corporate code repositories.
- Impacted Versions: GitLab EE versions 15.5 through 18.10.7, 18.11.x prior to 18.11.5, and 19.0.x prior to 19.0.2.
CVE-2026-10087 (CVSS 8.7), a flaw stemming from inadequate input sanitization in GitLab’s Analytics Dashboard, can be exploited by an authenticated user with standard Developer-role privileges.
Attackers can inject malicious scripts into the dashboard interface. When a targeted victim views the compromised dashboard, the arbitrary client-side code executes seamlessly within their session context, potentially leading to credential harvesting, session hijacking, or unauthorized administrative actions.
- Impacted Versions: GitLab EE versions 17.1 through 18.10.7, 18.11.x prior to 18.11.5, and 19.0.x prior to 19.0.2.
- CVE-2026-7250 (CVSS 7.5): A dangerous flaw in the Grape API’s JSON parsing middleware allows an unauthenticated, remote attacker to trigger a Denial of Service (DoS) condition via improper input validation.
- CVE-2026-1500 (CVSS 6.5): An authenticated user can consume system resources uncontrollably by processing a specially crafted file upload through the Group Placeholder Reassignments API, inducing localized server crashes.
- CVE-2026-8589 (CVSS 7.3): This HTML injection vulnerability enables high-privileged attackers to append unauthorized email addresses to a targeted user’s account profile via manipulated group settings fields due to poor input validation.
- CVE-2026-6269 (CVSS 5.4): Flawed authorization enforcement in the Merge Requests API permits users with Developer-role permissions to view and modify hidden or restricted merge requests.
- CVE-2026-9204 (CVSS 5.3): A Server-Side Request Forgery (SSRF) flaw inside the Gitaly repository import function fails to validate secondary URLs adequately. This permits internal network resource enumeration and the reading of arbitrary local files directly from the Gitaly server.
Beyond the immediate security fixes, this release incorporates stability and dependency updates backported across stable branches.
- Security Fixes (CVE-2026-6552, CVE-2026-10087, etc.)
- System Adjustments
  - Security Dependency Bumps (ruby-jwt to 2.10.3, oj to v3.17.3)
  - Infrastructure (Golang upgraded to 1.25.9, Container Registry to v4.40.1)
  - Geo & Syncing (Fixes for OCI image indexes container repository sync)
  - Platform Protection (Enhanced DNS rebinding checks in VirtualRegistries)
Notable backports include an upgrade of the core container registry binary to version v4.40.1-gitlab for the 19.0 stable line, alongside essential Ruby gem bumps such as ruby-jwt to address secondary threat surfaces. Furthermore, system architectures running on Ubuntu 22.04 FIPS receive performance compliance enhancements under version 18.11.5.
Administrators must plan their patch deployments carefully, as this release contains active database migrations whose operational impact differs depending on infrastructure topology.
Upgrading a single-node setup will incur unavoidable downtime. The application process will halt incoming traffic while executing the mandatory database migrations before the updated GitLab services can safely restart.
For clustered or multi-node infrastructures, zero-downtime upgrades are achievable. Admins must systematically execute the standard zero-downtime upgrade sequence, updating the primary node and secondary nodes progressively while leaving the post-deploy migrations to execute gracefully in the background.
Crucial Post-Deploy Migration Note: Versions 19.0.2 and 18.11.5 include database migrations that can safely execute post-upgrade. Do not force-cancel background migration workers immediately following the package installation.
With critical threat vectors like SAML account takeovers and Grape API-driven denial of service fixed in this batch, ignoring these updates poses an active threat to supply-chain integrity.
Security teams should inventory their self-hosted GitLab environments and deploy versions 19.0.2, 18.11.5, or 18.10.8 immediately.
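To make the inventory step concrete, the following script (an added example written for this article, not GitLab's own tooling) takes a GitLab version string, tells you whether it falls inside the affected ranges published above for the two CVSS 8.7 issues, and names the minimum fixed release for its stable branch. It assumes the `GET /api/v4/version` endpoint (which exists and returns a `version` field) when `GITLAB_URL` and `GITLAB_TOKEN` are set; the environment variable names and the sample version strings at the bottom are constructed for illustration. Versions on branches older than 18.10 have no backported fix, so the script points them at 18.10.8, the lowest patched release.

```python
"""Check a self-hosted GitLab version against the fixed releases in this advisory."""
import json
import os
import re
import urllib.request

# Minimum fixed release per stable branch, as stated in the advisory.
FIXED = {(19, 0): (19, 0, 2), (18, 11): (18, 11, 5), (18, 10): (18, 10, 8)}

# Affected ranges for the two CVSS 8.7 issues, as (inclusive lower, exclusive upper).
# "15.5 through 18.10.7" becomes [15.5.0, 18.10.8); the x.y branches end at their fix.
AFFECTED = {
    "CVE-2026-6552": [((15, 5, 0), (18, 10, 8)), ((18, 11, 0), (18, 11, 5)), ((19, 0, 0), (19, 0, 2))],
    "CVE-2026-10087": [((17, 1, 0), (18, 10, 8)), ((18, 11, 0), (18, 11, 5)), ((19, 0, 0), (19, 0, 2))],
}


def parse_version(text):
    """Turn '19.0.1-ee' or '18.11.5' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def affected_cves(version):
    """Return the high-severity CVE ids whose published ranges include this version."""
    v = parse_version(version)
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(lo <= v < hi for lo, hi in ranges))


def recommended_target(version):
    """Return the minimum fixed release to move to, or None if already patched."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        target = FIXED[branch]
    else:
        # No backport exists for older branches: the lowest fixed release is the floor.
        target = min(FIXED.values())
    return ".".join(map(str, target)) if v < target else None


def fetch_instance_version(base_url, token):
    """Read the running version from the instance's own version endpoint."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v4/version",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


def report(version):
    cves = affected_cves(version)
    target = recommended_target(version)
    status = f"affected by {', '.join(cves)}" if cves else "not in the published 8.7 ranges"
    action = f"upgrade to {target}" if target else "no upgrade required for this advisory"
    return f"{version}: {status}; {action}"


if __name__ == "__main__":
    url, token = os.environ.get("GITLAB_URL"), os.environ.get("GITLAB_TOKEN")
    if url and token:
        print(report(fetch_instance_version(url, token)))
    else:
        # Constructed sample versions, covering each branch and an unaffected release.
        for sample in ("19.0.1-ee", "18.11.2-ee", "18.9.3-ee", "16.0.0-ee", "15.4.9-ee", "19.0.2-ee"):
            print(report(sample))
```

Running it without the environment variables prints one line per sample; with them it reports on the live instance. Branch versions before 15.5 and any release at or above its branch's fixed level come back as not affected, which is exactly the boundary administrators need when deciding which hosts to schedule first.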
FAQ
Q1: What are the exact secure versions of GitLab I need to upgrade to?
To fully protect your environment, you must upgrade your installation to GitLab version 19.0.2, 18.11.5, or 18.10.8 depending on your current release branch.
Q2: Can CVE-2026-6552 be exploited if we do not use Group SAML for authentication?
No, this specific account takeover vulnerability only impacts GitLab Enterprise Edition instances that have active Group SAML identity management configured.
Q3: Will applying this security update cause downtime for my developer teams?
Single-node instances will experience downtime due to required database migrations, whereas multi-node environments can achieve zero downtime if standard upgrade protocols are followed.
Q4: Who discovered the high-severity vulnerabilities resolved in this security release?
The account takeover flaw was reported by security researcher cyberjoker, and the dashboard cross-site scripting flaw was discovered by yvvdwf via HackerOne.
Site: thecybrdef.com