GitLab Patch Release: 18.9.2, 18.8.6, 18.7.6

On March 11, 2026, we released versions 18.9.2, 18.8.6, 18.7.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.

GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.

For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.

Security fixes

Table of security fixes

CVE-2026-1090 - Cross-site Scripting issue in Markdown placeholder processing impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an authenticated user, when the markdown_placeholders feature flag was enabled, to inject JavaScript in a browser due to improper sanitization of placeholder content in markdown processing.

Impacted Versions: GitLab CE/EE: all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)

Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-1069 - Denial of Service issue in GraphQL API impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an unauthenticated user to cause a denial of service condition by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances.

Impacted Versions: GitLab CE/EE: all versions from 18.9 before 18.9.2
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program

CVE-2025-13929 - Denial of Service issue in repository archive endpoint impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an unauthenticated user to cause a denial of service condition by issuing specially crafted requests to repository archive endpoints under certain conditions.

Impacted Versions: GitLab CE/EE: all versions from 10.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program

CVE-2025-14513 - Denial of Service issue in protected branches API impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an unauthenticated user to cause a denial of service condition due to improper input validation when processing specially crafted JSON payloads in the protected branches API.

Impacted Versions: GitLab CE/EE: all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program

CVE-2025-13690 - Denial of Service issue in webhook custom headers impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an authenticated user to cause a denial of service condition due to improper input validation on webhook custom header names under certain conditions.

Impacted Versions: GitLab CE/EE: all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Thanks sim4n6 for reporting this vulnerability through our HackerOne bug bounty program

CVE-2025-12576 - Denial of Service issue in webhook endpoint impacts GitLab CE/EE

GitLab has remediated an issue that under certain conditions could have allowed an authenticated user to cause a denial of service condition due to improper handling of webhook response data.

Impacted Versions: GitLab CE/EE: all versions from 9.3 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Thanks sim4n6 for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-3848 - Improper Neutralization of CRLF Sequences issue impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an authenticated user to make unintended internal requests through proxy environments under certain conditions due to improper input validation in import functionality.

Impacted Versions: GitLab CE/EE: all versions from 8.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Thanks shells3c for reporting this vulnerability.

CVE-2025-12555 - Improper Access Control issue in runners API impacts GitLab CE/EE

GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to access previous pipeline job information on projects with repository and CI/CD disabled due to improper authorization checks.

Impacted Versions: GitLab CE/EE: all versions from 15.1 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Thanks iamgk808 for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-0602 - Improper Access Control issue in snippet rendering impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an authenticated user to disclose metadata from private issues, merge requests, epics, milestones, or commits due to improper filtering in the snippet rendering process under certain circumstances.

Impacted Versions: GitLab CE/EE: all versions from 15.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-1732 - Information Disclosure issue in inaccessible issues impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an authenticated user to disclose confidential issue titles due to improper filtering under certain circumstances.

Impacted Versions: GitLab CE/EE: all versions from 12.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Thanks modhanami for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-1663 - Missing Authorization issue in Group Import impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an authenticated user with group import permissions to create labels in private projects due to improper authorization validation in the group import process under certain circumstances.

Impacted Versions: GitLab CE/EE: all versions from 14.4 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-1230 - Incorrect Reference issue in repository download impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an authenticated user to cause repository downloads to contain different code than displayed in the web interface due to incorrect validation of branch references under certain circumstances.

Impacted Versions: GitLab CE/EE: all versions from 1.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 4.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N)

Thanks st4nly0n for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-1182 - Information Disclosure issue in confidential issues impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an authenticated user to gain unauthorized access to confidential issue titles created in public projects under certain circumstances.

Impacted Versions: GitLab CE/EE: all versions from 8.14 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 4.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program

CVE-2025-12704 - Incorrect Authorization issue in Virtual Registry impacts GitLab EE

GitLab has remediated an issue that could have allowed an authenticated user to access Virtual Registry data in groups where they are not members due to improper authorization under certain conditions.

Impacted Versions: GitLab EE: all versions from 18.2 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Thanks mateuszek for reporting this vulnerability through our HackerOne bug bounty program

CVE-2025-12697 - Improper Escaping of Output issue in Datadog integration impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an authenticated user with maintainer-role permissions to reveal Datadog API credentials under certain conditions.

Impacted Versions: GitLab CE/EE: all versions from 15.5 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 2.2 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N)

Thanks shells3c for reporting this vulnerability through our HackerOne bug bounty program

Bug fixes

18.9.2

• Fix GitLab base caching (Backport 18.9)
• config: Add configuration to control GOMAXPROCS [backport to 18.9]
• Backport of ‘Fix test pollution from simulate_saas rake task’
• Backport of ‘Add backtrace to placeholder user reassignment failure logs’
• [Backport 18.9] Update bitbucket cloud importer to fetch workspace scoped repositories
• Backport of “Remove old DAP troubleshooting docs”
• Backport BBM - Fix helper with single record
• [18.9] Backport of ‘Reduce logs by ConcurrencyLimit::WorkerExecutionTracker’
• Backport of Reduce batch size for text-embedding-005 requests
• [Backport]- Fix transpilers for zoekt filters
• Backport of ‘Fix exclude types in session query’
• [Backport]- Skip param validation for MCP requests
• Backport of 591296 Historical Addon Assignments - Ignore Namespace Path For SM
• Backport of ‘Handle Jira Server/Data Center Issue pagination’ (18.9)
• Backport ‘Improve Deployments and Size quota specs for clarity and consistency’ to 18-9-stable-ee
• Backport- Code search returns no results at intermediate group level
• Backport of ‘Move ConcurrencyLimit::ResumeWorker cron config to CE’
• Backport of ‘Extend package migrate task to metadata caches and symbols’
• Backport of ‘Stop unblocking policy approvals when security jobs get canceled’
• Backport of Revert “Clean up gpg_commit_delegate_to_signature feature flag”
• Support default AI access rules - Backport of 225728
• Backport of ‘Fix maintainers editing when they own a fork’
• [18-9-stable] Remove release instance deployment trigger from Ubuntu-20.04-staging job
• [18.9] Backport Mattermost Security Updates February 18, 2026
• Backport: Simplify pg-upgrade initdb by removing locale parameters
• [18.9] Patch io-event gem to drop epoll_pwait2 check for RedHat 9

18.8.6

• Backport Go 1.25.7 to 18.8 Stable
• Fix GitLab base caching (Backport 18.8)
• Backport of “fix(bug): Schema check should not fail when ClickHouse DB is uninitialized”
• config: Add configuration to control GOMAXPROCS [backport to 18.8]
• 18.8 Backport of ‘Fix PipelineSecurityReportFindings query timeout’
• Backport 18.8 - CI - Token used for release environments
• Handle RecordInvalid in SyncProjectPolicyWorker
• [Backport 18.8] Update bitbucket cloud importer to fetch workspace scoped repositories
• [18.8] Backport of ‘Reduce logs by ConcurrencyLimit::WorkerExecutionTracker’
• Backport BBM - Fix helper with single record
• Backport of ‘Fix Duo sidebar absent for user with Agentic Chat access but without Classic Chat access’
• [Backport]- Fix transpilers for zoekt filters
• Backport of 591296 Historical Addon Assignments - Ignore Namespace Path For SM
• Backport of ‘Handle Jira Server/Data Center Issue pagination’
• Backport ‘Improve Deployments and Size quota specs for clarity and consistency’ to 18-8-stable-ee
• Backport- Code search returns no results at intermediate group level
• Backport of ‘Move ConcurrencyLimit::ResumeWorker cron config to CE’
• Support default AI access rules - Backport of 225728
• Backport Go 1.25.7 to GitLab 18.8
• [18-8-stable] Remove release instance deployment trigger from Ubuntu-20.04-staging job
• [18.8] Mattermost Security Updates February 18, 2026
• [18.8] Patch io-event gem to drop epoll_pwait2 check for RedHat 9

18.7.6

• Backport Go 1.25.7 to 18.7 Stable
• Fix GitLab base caching (Backport 18.7)
• Backport 18.7 - CI - Token used for release environments
• Handle RecordInvalid in SyncProjectPolicyWorker
• [Backport 18.7] Update bitbucket cloud importer to fetch workspace scoped repositories
• [18.7] Backport of ‘Reduce logs by ConcurrencyLimit::WorkerExecutionTracker’
• [Backport]- Fix transpilers for zoekt filters
• Backport- Code search returns no results at intermediate group level
• Backport of 591296 Historical Addon Assignments - Ignore Namespace Path For SM
• Backport of ‘Handle Jira Server/Data Center Issue pagination’
• Backport ‘Improve Deployments and Size quota specs for clarity and consistency’ to 18-7-stable-ee
• Backport of ‘Move ConcurrencyLimit::ResumeWorker cron config to CE’
• [18.7] Fix image resizing assertion logic for RTE
• Backport Go 1.25.7 to GitLab 18.7
• [18-7-stable] Remove release instance deployment trigger from Ubuntu-20.04-staging job
• [18.7] Backport Mattermost Security Updates February 18, 2026
• [18.7] Patch io-event gem to drop epoll_pwait2 check for RedHat 9

Important notes on upgrading

This patch includes database migrations that may impact your upgrade process.

Impact on your installation:

• Single-node instances: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.
• Multi-node instances: With proper zero-downtime upgrade procedures, this patch can be applied without downtime.

Regular migrations

The following versions include regular migrations that run during the upgrade process:

• 18.9.2
• 18.8.6

To learn more about the impact of upgrades on your installation, see:

• Zero-downtime upgrades for multi-node deployments
• Standard upgrades for single-node installations

Updating

To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.

Receive Patch Notifications

To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.