GitLab released critical security patch updates for versions 18.11.1, 18.10.4, and 18.9.6 on April 22, 2026, addressing 11 vulnerabilities, including three high-severity flaws across both the Community Edition (CE) and Enterprise Edition (EE). All self-managed GitLab administrators are strongly urged to upgrade immediately.
The April 22 patch release is a scheduled security update that resolves a broad attack surface spanning GitLab’s GraphQL API, Web IDE, Storybook environment, discussion endpoints, Jira import functionality, notes API, virtual registry session handling, issue description renderer, Mermaid sandbox, and project fork APIs.
This release is notable for including both regular database migrations and post-deploy migrations, meaning single-node GitLab instances will experience downtime during the upgrade. At the same time, multi-node deployments can leverage zero-downtime upgrade procedures.
GitLab.com is already running the patched versions, and GitLab Dedicated customers require no action. However, every self-managed installation running a version before 18.9.6, 18.10.4, or 18.11.1 remains exposed to the vulnerabilities detailed below.
CVE-2026-4922 – CSRF in GraphQL API (CVSS 8.1)
The most critical flaw patched in this release is CVE-2026-4922, a Cross-Site Request Forgery (CSRF) vulnerability in GitLab’s GraphQL API carrying a CVSS score of 8.1.
The flaw could allow an unauthenticated attacker to execute GraphQL mutations on behalf of authenticated users due to insufficient CSRF token validation.
This means a malicious actor could trick a logged-in GitLab user into unknowingly performing privileged operations, including modifying code, settings, or CI/CD pipelines, simply by visiting a crafted webpage. All GitLab CE/EE versions from 17.0 through 18.11.0 are affected.
CVE-2026-5816 – Path Equivalence in Web IDE (CVSS 8.0)
CVE-2026-5816 is a path-equivalence vulnerability in GitLab’s Web IDE asset delivery, rated High with a CVSS score of 8.0. Improper path validation under certain conditions could allow an unauthenticated user to execute arbitrary JavaScript in a victim’s browser session, effectively achieving cross-origin code execution. This flaw affects GitLab CE/EE versions 18.10 through 18.11.0.
CVE-2026-5262 – XSS in Storybook Environment (CVSS 8.0)
A third high-severity flaw, CVE-2026-5262, is a Cross-Site Scripting (XSS) vulnerability affecting GitLab’s integrated Storybook development environment.
Due to improper input validation, an unauthenticated attacker could access authentication tokens exposed in the Storybook UI, potentially leading to full account takeover.
This vulnerability affects all GitLab CE/EE versions from 16.1 through 18.11.0, making it one of the longest-standing issues addressed in this release.
| CVE ID | Vulnerability Type | Affected Component | Severity |
|---|---|---|---|
| CVE-2026-4922 | Cross-Site Request Forgery (CSRF) | GraphQL API | High |
| CVE-2026-5816 | Improper Path Equivalence / Arbitrary JS | Web IDE Asset | High |
| CVE-2026-5262 | Cross-Site Scripting (XSS) | Storybook Environment | High |
| CVE-2025-0186 | Denial of Service | Discussions Endpoint | Medium |
| CVE-2026-1660 | Denial of Service | Jira Import | Medium |
| CVE-2025-6016 | Denial of Service | Notes Endpoint | Medium |
| CVE-2025-3922 | Denial of Service | GraphQL API | Medium |
| CVE-2026-6515 | Insufficient Session Expiration | Virtual Registry Credentials | Medium |
| CVE-2026-5377 | Improper Access Control | Issue Description Renderer | Medium |
| CVE-2026-3254 | UI Layer/Frame Restriction Bypass | Mermaid Sandbox | Low |
| CVE-2025-9957 | Improper Access Control | Project Fork Relationship API | Low |
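To turn the affected-version ranges above into a repeatable triage check, here is an added example (not GitLab's own tooling) that classifies a self-managed instance's version: whether it already carries the April 22 fixes, which of the three high-severity CVEs the advisory's stated ranges cover, and which patched release to move to. The FIXED and HIGH_SEVERITY tables are transcribed from this article; the version strings fed in are constructed samples.

```python
"""Triage helper for the April 22, 2026 GitLab patch release.
Added example, not GitLab's own tooling: classifies a self-managed version by
the fixed versions and affected ranges stated in the advisory above.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Stable branch (major, minor) -> patch release that contains the fixes.
FIXED = {(18, 9): (18, 9, 6), (18, 10): (18, 10, 4), (18, 11): (18, 11, 1)}

# High-severity CVEs with the inclusive lower bound of the affected range
# given in the advisory; all three ranges end at 18.11.0.
HIGH_SEVERITY = [
    ("CVE-2026-4922", "CSRF in GraphQL API", (17, 0, 0)),
    ("CVE-2026-5816", "Path equivalence in Web IDE", (18, 10, 0)),
    ("CVE-2026-5262", "XSS in Storybook environment", (16, 1, 0)),
]
LAST_VULNERABLE: Version = (18, 11, 0)

def parse_version(text: str) -> Version:
    """Turn '18.10.3' or '18.10.3-ee' into a comparable (major, minor, patch) tuple."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])

def is_patched(version: Version) -> bool:
    """True if the version already contains the April 22, 2026 fixes."""
    fixed = FIXED.get(version[:2])
    if fixed is not None:
        return version >= fixed
    # Branches after 18.11 were cut with the fixes; 18.8 and older got no
    # patch in this release (assumption from the fixed-version list) and
    # must move to a fixed branch.
    return version[:2] > (18, 11)

def applicable_high_cves(version: Version) -> List[str]:
    """High-severity CVEs whose stated range includes this (unpatched) version."""
    if is_patched(version):
        return []
    return [cve for cve, _, low in HIGH_SEVERITY if low <= version <= LAST_VULNERABLE]

def upgrade_target(version: Version) -> Optional[Version]:
    """Patched release to move to: same stable branch if one exists, else the latest."""
    if is_patched(version):
        return None
    return FIXED.get(version[:2], max(FIXED.values()))
```

Feed it the output of `gitlab-rake gitlab:env:info` or the admin dashboard version string; a non-empty CVE list means the instance is in the ranges the advisory describes and should be upgraded to the returned target.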
Bug Fixes and Infrastructure Updates
Beyond security, this release delivers important stability and infrastructure improvements across all three versions. Key highlights include:
- PostgreSQL upgrades: PostgreSQL 17 updated to 17.8 and PostgreSQL 16 updated to 16.13 across both 18.10 and 18.9 stable branches
- Rack dependency update: Updated to rack 2.2.23 to address upstream dependency vulnerabilities
- Geo replication fixes: Resolved concurrency limit worker issues on secondary Geo sites and fixed site validation during outbound request filtering
- Gitaly restart fix: Corrected a service timeout bug when restarting Gitaly in Omnibus deployments
- Zoekt search engine: Bumped to v1.11.1 (18.10) and v1.8.2 (18.9) for improved code search indexing
Upgrade Procedure
GitLab recommends that all self-managed administrators upgrade to the latest supported patch version immediately. Use the following guidance:
- Single-node instances: Plan for downtime; database migrations must complete before GitLab restarts.
- Multi-node instances: Follow zero-downtime upgrade procedures to apply the patch without service interruption.
- GitLab Runner: Update separately via the Runner update page.
FAQ
Q1: Who is affected by the GitLab April 2026 patch release?
All self-managed GitLab CE/EE installations running versions before 18.9.6, 18.10.4, or 18.11.1 are affected and must upgrade immediately.
Q2: Does the patch cause downtime?
Single-node GitLab instances will experience downtime during migration, while multi-node deployments can upgrade with zero downtime using official procedures.
Q3: What is the most critical vulnerability fixed in this release?
CVE-2026-4922 (CVSS 8.1), a CSRF flaw in the GraphQL API, is the most severe, allowing unauthenticated attackers to execute mutations on behalf of authenticated users.
Q4: Are GitLab.com and GitLab Dedicated users impacted?
No, GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take any action.
Site: thecybrdef.com