GitLab found some serious problems in its software that could let bad guys sneak in or cause crashes. They fixed these issues and released new versions. If you use GitLab, you need to update to stay safe!
What Happened
On March 11, 2026, GitLab released a critical security advisory to inform users about vulnerabilities in its software. This advisory affects both the Community Edition (CE) and Enterprise Edition (EE) of GitLab. Specifically, versions prior to 18.10.3, 18.9.5, 18.8.9, 18.9.2, 18.8.6, and 18.7.6 are at risk. Additionally, a subsequent advisory published on April 22, 2026, extends the affected versions to include those prior to 18.11.1, 18.10.4, and 18.9.6.
The vulnerabilities could potentially expose sensitive data or allow unauthorized access. GitLab is urging all users and administrators to take immediate action by updating to the latest patched versions. The new releases include 18.10.3, 18.9.5, 18.8.9, as well as the more recent updates: 18.11.1, 18.10.4, and 18.9.6, which address these security issues directly.
High-Severity Vulnerabilities
The latest security updates resolve three high-severity bugs:
- CVE-2026-5173 (CVSS 8.5): An authenticated attacker could execute unintended server-side commands through WebSocket connections due to improper access controls.
- CVE-2026-1092 (CVSS 7.5): An unauthenticated user could trigger a Denial of Service attack by submitting improperly validated JSON data to the Terraform state lock API.
- CVE-2025-12664 (CVSS 7.5): Attackers without an account could cause a DoS condition by overwhelming the server with repeated GraphQL queries.
Additionally, several medium-level vulnerabilities were addressed, including:
- CVE-2026-1516 (CVSS 5.7): An authenticated user could inject malicious code into Code Quality reports, leaking the IP addresses of other users.
- CVE-2026-1403 (CVSS 6.5): Weak validation of CSV files could allow authenticated users to crash background Sidekiq workers during file import.
New Features in GitLab 18.11
In conjunction with the security advisory, GitLab has also launched GitLab 18.11, which introduces agentic AI features aimed at enhancing security remediation and improving CI pipelines. This update includes:
- Agentic SAST Vulnerability Resolution
- New Agents for CI and Analytics
Why Should You Care
If you're using GitLab, this advisory is crucial for your security. Ignoring these updates could leave your projects vulnerable to attacks. Think of it like leaving your front door unlocked; you wouldn't want anyone to just walk in.
By keeping your software updated, you protect not only your own data but also the data of your collaborators. In today's digital age, where breaches can lead to severe consequences, ensuring your tools are secure is essential. Don't wait for a breach to happen; update your GitLab versions now!
What's Being Done
GitLab has already released patches to fix the identified vulnerabilities. Here's what you should do right now:
- Update to the latest versions: 18.11.1, 18.10.4, 18.9.6, 18.10.3, 18.9.5, or 18.8.9.
- Review the security advisory for detailed information on the vulnerabilities.
- Encourage your team to stay informed about future updates.
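The first step above, and the affected-version list under "What Happened", both come down to one question for an administrator: is the version running on my instance at or above the fixed release for its branch? The script below is an added example, not GitLab's own tooling and not part of the advisory. It encodes the fixed releases this article names (18.10.3, 18.9.5 and 18.8.9 for the March 11 advisory; 18.11.1, 18.10.4 and 18.9.6 for the April 22 advisory), assumes GitLab version strings have the form MAJOR.MINOR.PATCH with an optional "-ee"/"-ce" suffix, and treats any branch older than the oldest fixed branch of an advisory as affected, since "prior to" covers those too. The version strings it runs on are constructed samples, not real instance data.

```python
"""Check whether a GitLab version is patched for the two 2026 advisories.

Added example, not GitLab's own code. Fixed versions are the ones named in
the article; the sample inputs at the bottom are constructed.
"""
from typing import Dict, Tuple

Version = Tuple[int, int, int]
Branch = Tuple[int, int]

# Minimum patch level per release branch, as stated in the article.
MARCH_ADVISORY: Dict[Branch, int] = {(18, 10): 3, (18, 9): 5, (18, 8): 9}
APRIL_ADVISORY: Dict[Branch, int] = {(18, 11): 1, (18, 10): 4, (18, 9): 6}


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'; an edition suffix such as '-ee' is ignored."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_patched(version: Version, advisory: Dict[Branch, int]) -> bool:
    """True if `version` is at or above the fixed release for its branch.

    A branch listed in the advisory is patched once its patch level reaches
    the fixed one.  A branch older than every listed branch received no fix
    and is affected ("versions prior to ...").  A branch newer than every
    listed branch shipped after the advisory and is treated as patched.
    """
    major, minor, patch = version
    branch: Branch = (major, minor)
    if branch in advisory:
        return patch >= advisory[branch]
    return branch > max(advisory)


def assess(text: str) -> Dict[str, bool]:
    """Patch status of one version string against both advisories."""
    version = parse_version(text)
    return {
        "march_2026": is_patched(version, MARCH_ADVISORY),
        "april_2026": is_patched(version, APRIL_ADVISORY),
    }


def needs_update(text: str) -> bool:
    """An instance needs updating unless it is patched for every advisory."""
    return not all(assess(text).values())


if __name__ == "__main__":
    # Constructed sample inputs; 18.8.9 is patched for March but, being
    # prior to 18.9.6, not for April, so it still needs an update.
    for sample in ["18.10.4-ee", "18.10.3-ee", "18.9.6", "18.8.9", "18.7.2", "18.12.0"]:
        status = "UPDATE" if needs_update(sample) else "ok"
        print(f"{sample:12} {assess(sample)} {status}")
```

Run it with the version string reported by your instance (for example from the admin area or the `/api/v4/version` endpoint) in place of the samples; any result other than both advisories reporting True means the instance is on a release the article lists as affected.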
Experts are closely monitoring the situation to ensure no new exploits arise from these vulnerabilities. Users hosted on GitLab.com or using GitLab Dedicated are already safe, as the company has applied the patches to its cloud servers. Stay vigilant and keep your software updated.
With the recent updates, GitLab is not only addressing critical vulnerabilities but also enhancing its platform with AI-driven features for better security management. Users must prioritize these updates to safeguard their projects.