GitLab, the popular DevOps platform, has taken significant steps to bolster its security posture by releasing emergency patches that address 11 vulnerabilities within its Community Edition (CE) and Enterprise Edition (EE). Among these vulnerabilities, three have been categorized as high-severity flaws that pose considerable risks to users. These critical issues have the potential to enable attackers to execute malicious code, forge requests, and steal user session tokens, highlighting the urgent need for updates.
On April 22, 2026, GitLab unveiled versions 18.11.1, 18.10.4, and 18.9.6 that include fixes for the aforementioned vulnerabilities. GitLab.com has already undergone an automatic update, eliminating the need for action from its users. However, organizations using self-managed GitLab installations are strongly advised to upgrade to one of the patched versions immediately due to the critical nature of the vulnerabilities.
High-Severity Vulnerabilities
The three high-severity vulnerabilities warrant immediate remediation due to their potential impact.
-
CVE-2026-4922 (CVSS 8.1): This flaw involves a Cross-Site Request Forgery (CSRF) vulnerability within the GraphQL API. An unauthenticated attacker could exploit this inadequacy to execute GraphQL mutations without the user’s consent, effectively hijacking their ongoing session actions. This vulnerability affects all GitLab versions from 17.0 up to 18.9.6.
-
CVE-2026-5816 (CVSS 8.0): An improper path validation issue in the Web Integrated Development Environment (IDE) allows unauthenticated users to execute arbitrary JavaScript within a victim’s browser session. This flaw could lead to full session hijacking, affecting versions from 18.10 prior to the release of 18.10.4.
- CVE-2026-5262 (CVSS 8.0): This is a Cross-Site Scripting (XSS) vulnerability found within the Storybook development environment. It could expose authentication tokens to unauthenticated users due to inadequate input validation, impacting versions from 16.1 onward.
To provide a clearer understanding, a table summarizes these vulnerabilities along with their respective details, including severity levels, CVSS scores, and affected versions.
In addition to the high-severity vulnerabilities, GitLab has also addressed several medium-severity issues. Four Denial-of-Service (DoS) vulnerabilities were patched, including CVE-2025-0186, CVE-2025-6016, and CVE-2025-3922, all of which carry a CVSS score of 6.5. These enable authenticated users to deplete server resources by sending crafted requests to various endpoints. Moreover, CVE-2026-1660 allows authenticated users to trigger a DoS condition during Jira issue imports due to improper input validation.
Another medium-severity issue, identified as CVE-2026-6515 (CVSS 5.4), involves insufficient session expiration. It was internally discovered by a GitLab team member, David Fernandez, indicating that invalidated or improperly scoped credentials could still be exploited to gain unauthorized access to Virtual Registries.
Furthermore, two additional access control issues were patched. CVE-2026-5377 allowed unauthorized users to view confidential issue titles, while CVE-2025-9957 enabled users to bypass group fork prevention policies.
As a proactive measure, GitLab emphatically urges all self-managed administrators to upgrade to one of the patched versions—18.11.1, 18.10.4, or 18.9.6—without delay. The potential risks associated with these vulnerabilities underscore the importance of maintaining an up-to-date and secure system.
Most of the vulnerabilities were disclosed responsibly through GitLab’s HackerOne bug bounty program, with researchers such as ahacker1, joaxcar, and pwnie contributing to their identification. Security advisories for each flaw are scheduled for public release on GitLab’s issue tracker 30 days after the patch release date, ensuring transparency and allowing users to remain informed about the vulnerabilities they may face.
In summary, GitLab’s recent patch release is a pivotal step in safeguarding user data and enhancing the overall security of its platform. The organization’s prompt response underscores its commitment to providing a secure environment, encouraging users to act swiftly in updating their systems to mitigate any potential threats.