GitLab Patch Release: 18.11.3, 18.10.6, 18.9.7
On May 13, 2026, we released versions 18.11.3, 18.10.6, 18.9.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are published twice a month, on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
Recommended Action
We strongly recommend that all installations running a version affected by the issues described below be upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
Security fixes
Table of security fixes
CVE-2026-7481 - Cross-site Scripting issue in Analytics dashboard chart rendering impacts GitLab EE
GitLab has remediated an issue that could have allowed an authenticated user with developer-role permissions to execute arbitrary JavaScript in other users’ browsers due to improper input sanitization.
Impacted Versions: GitLab EE: all versions from 16.4 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3
CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-5297 - Cross-site Scripting issue in global search impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user to execute arbitrary JavaScript in other users’ browsers due to improper input sanitization.
Impacted Versions: GitLab CE/EE: all versions from 15.11 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3
CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
This vulnerability was discovered internally by GitLab team member Chaoyue Zhao; special thanks also to a_m_a_m for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-6073 - Cross-site Scripting issue in Duo Agent output rendering impacts GitLab EE
GitLab has remediated an issue that could have allowed an authenticated user to execute arbitrary JavaScript in other users’ browsers due to improper input sanitization.
Impacted Versions: GitLab EE: all versions from 18.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3
CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-7377 - Cross-site Scripting issue in Analytics Dashboard impacts GitLab EE
GitLab has remediated an issue that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary JavaScript in the context of other users’ browsers due to improper input sanitization.
Impacted Versions: GitLab EE: all versions from 18.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3
CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
Thanks aphantom for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-1659 - Denial of Service issue in CI/CD job update API impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to cause denial of service by sending specially crafted requests due to insufficient input validation.
Impacted Versions: GitLab CE/EE: all versions from 9.0 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2025-14870 - Denial of Service issue in Duo Workflows API impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to cause denial of service by sending specially crafted JSON payloads due to insufficient input validation.
Impacted Versions: GitLab CE/EE: all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2025-14869 - Denial of Service issue in internal API endpoints impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to cause denial of service by sending specially crafted payloads on certain API endpoints.
Impacted Versions: GitLab CE/EE: all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-1322 - Improper Authorization issue in GraphQL token scope enforcement impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user with a read_api scoped OAuth application to create issues and add comments to issues in private projects due to improper authorization.
Impacted Versions: GitLab CE/EE: all versions from 16.0 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3
CVSS 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
Thanks mateuszek for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-1184 - Denial of Service issue in Insights Configuration impacts GitLab EE
GitLab has remediated an issue that could have allowed an unauthenticated user to cause denial of service by uploading a specially crafted file due to improper validation.
Impacted Versions: GitLab EE: all versions from 11.9 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-4524 - Access Control issue in Issues API impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user to access confidential issue content in public projects without proper authorization due to improper authorization checks.
Impacted Versions: GitLab CE/EE: all versions from 18.9.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Thanks hackaccinocraft for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-8280 - Denial of Service issue in direct transfer CSV parser impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user to cause denial of service through excessive memory consumption due to improper input validation.
Impacted Versions: GitLab CE/EE: all versions from 8.3 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-4527 - CSRF issue in JiraConnect subscriptions impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to create unauthorized Jira subscriptions for a targeted user’s namespace via a specially crafted link due to missing CSRF protection.
Impacted Versions: GitLab CE/EE: all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
Thanks maksyche for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-3160 - Confused Deputy issue in Jira integration impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user to view Jira issues outside the configured project scope, because the integration's project filter acted only as a display control and did not enforce access boundaries as specified.
Impacted Versions: GitLab CE/EE: all versions from 13.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3
CVSS 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)
Thanks maksyche for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-6335 - Cross-site Scripting issue in Banzai markdown sanitizer impacts GitLab CE/EE
GitLab has remediated an issue that under certain conditions could have allowed an authenticated user to execute arbitrary code in another user’s browser session due to improper sanitization.
Impacted Versions: GitLab CE/EE: all versions from 18.11 before 18.11.3
CVSS 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Thanks toofikz for reporting this vulnerability through our HackerOne bug bounty program
CVE-2025-12669 - Cross-site Scripting issue in achievement email notifications impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user to inject HTML and JavaScript into email notifications sent to other users due to improper input sanitization.
Impacted Versions: GitLab CE/EE: all versions from 15.11 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3
CVSS 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Thanks ricardobrito for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-3607 - Access Control issue in Helm package upload impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user with developer-role permissions to bypass package protection rules due to improper access control.
Impacted Versions: GitLab CE/EE: all versions from 18.3 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Thanks aphantom for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-3074 - Improper Access Control issue in NuGet Symbol Server impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to download private debugging symbols from inaccessible projects due to improper access control.
Impacted Versions: GitLab CE/EE: all versions from 16.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks sndd for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-1338 - Improper Access Control issue in Container Registry protected tags impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user with developer-role permissions to delete protected container registry tags due to improper authorization checks.
Impacted Versions: GitLab CE/EE: all versions from 17.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-8144 - Missing Authorization issue in group user search impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user with project membership to enumerate private group members due to missing authorization checks.
Impacted Versions: GitLab CE/EE: all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
This vulnerability has been discovered internally by GitLab team member Terri Chu
CVE-2026-6063 - Improper Access Control issue in code owner approval rules impacts GitLab EE
GitLab has remediated an issue that under certain conditions could have allowed an authenticated user with developer-role permissions to remove code owner approval rules from merge requests due to improper access control.
Impacted Versions: GitLab EE: all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Thanks pollito for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-3073 - Access Control issue in PyPI Package Protection Rules impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user with developer-role permissions to bypass PyPI package protection rules and upload restricted packages due to improper authorization checks.
Impacted Versions: GitLab CE/EE: all versions from 17.6 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Thanks modhanami for reporting this vulnerability through our HackerOne bug bounty program
CVE-2025-13874 - Improper Access Control issue in issue links API impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user with Guest permissions to view issues in projects they were not authorized to access.
Impacted Versions: GitLab CE/EE: all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-7471 - Server-Side Request Forgery issue in virtual registry redirect handler impacts GitLab EE
GitLab has remediated an issue that could have allowed an authenticated user with control of a virtual registry upstream to make requests to internal hosts due to improper validation.
Impacted Versions: GitLab EE: all versions from 18.8 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3
CVSS 3.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N)
This vulnerability has been discovered internally by GitLab team member Félix Veillette-Potvin
CVE-2026-2900 - Access Control issue in GraphQL approval rule mutations impacts GitLab EE
GitLab has remediated an issue that, when instance-level approval rule editing prevention was enabled, could have allowed an authenticated user with Maintainer permissions to modify or delete project approval rules due to missing authorization checks.
Impacted Versions: GitLab EE: all versions from 16.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3
CVSS 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)
Thanks modhanami for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-6883 - Missing Authorization issue in Security Policy Project Reassignment impacts GitLab EE
GitLab has remediated an issue that could have allowed an authenticated user to bypass merge request approval requirements due to improper cleanup of orphaned policy records.
Impacted Versions: GitLab EE: all versions from 15.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3
CVSS 2.6 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N)
This vulnerability has been discovered internally by GitLab team member Alan (Maciej) Paruszewski
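The first question for a self-managed administrator reading the entries above is whether a given instance version falls inside the impacted ranges. The following added example (not GitLab's own code) parses the advisory's "Impacted Versions" phrasing for three of the entries above, treats each "from X before Y" span as half-open, and reports which patch release on the instance's own branch closes each issue; the ADVISORY dictionary is constructed from the page text and covers only those three entries.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed sample taken from the advisory text above: CVE -> (Impacted Versions line, CVSS score).
ADVISORY: Dict[str, Tuple[str, float]] = {
    "CVE-2026-7481": ("GitLab EE: all versions from 16.4 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3", 8.7),
    "CVE-2026-4524": ("GitLab CE/EE: all versions from 18.9.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3", 6.5),
    "CVE-2026-6335": ("GitLab CE/EE: all versions from 18.11 before 18.11.3", 5.4),
}

# One "<lower> before <upper>" span; the advisory separates spans with commas and "and".
RANGE_RE = re.compile(r"(\d+(?:\.\d+)*)\s+before\s+(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """'18.10.6' -> (18, 10, 6). Tuple comparison gives semantic ordering; a
    two-part bound such as 18.10 sorts before 18.10.0, so 'from 18.10'
    includes the whole 18.10.x branch."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_impacted(line: str) -> Tuple[List[str], List[Tuple[Version, Version]]]:
    """Split 'GitLab CE/EE: all versions from A before B, C before D' into
    (['CE', 'EE'], [(A, B), (C, D)]). Each span is half-open: [lower, upper)."""
    product, _, ranges = line.partition(":")
    editions = product.replace("GitLab", "").strip().split("/")
    spans = [(parse_version(lo), parse_version(hi)) for lo, hi in RANGE_RE.findall(ranges)]
    return editions, spans


def assess(instance_version: str, edition: str, advisory=ADVISORY) -> List[Tuple[str, float, str]]:
    """Return (cve, cvss, first_fixed_version) for every advisory entry whose
    impacted ranges contain instance_version, highest CVSS first. The fixed
    version is the 'before' bound of the matching span, i.e. the patch release
    on the instance's own stable branch."""
    current = parse_version(instance_version)
    hits = []
    for cve, (line, score) in advisory.items():
        editions, spans = parse_impacted(line)
        if edition not in editions:  # EE-only issues do not apply to a CE instance
            continue
        for lower, upper in spans:
            if lower <= current < upper:
                hits.append((cve, score, ".".join(map(str, upper))))
                break
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for cve, score, fixed in assess("18.10.2", "EE"):
        print(f"{cve} (CVSS {score}): upgrade to {fixed}")
```

A version that is already the patch release itself (for example 18.10.6) matches no span and is reported clean, which is the advisory's intent.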
Bug fixes
18.11.3
- chore: bump gitlab-zoekt to v1.13.1 on 18-11-stable
- Backport of “Performance optimizations for the license approval rules workflow (behind FF)”
- Backport of ‘Fix CustomFields callback crashing during work item type change’
- [Backport] 18.11: Fix milestone removal upon issue update
- Backport of “Fix groups dashboard inactive tab”
18.10.6
- chore: bump gitlab-zoekt to v1.11.2 on 18-10-stable
- Backport of ‘Downgrade Rugged to 1.7.2 to avoid llhttp collision’
- Backport of “Geo: Fix undefined method ’log_error’ in BlobDownloader”
- Backport of ‘Introduce read_virtual_registry custom role ability’
- Backport of ‘Raise permission for test upstream endpoints’
- Backport of Ignore foss predictive in pre-merge check for predictive pipelines
- Backport ‘Fix import_url validation for passwords with special characters’ into 18-10-stable-ee
- Backport of ‘Gate trial CTA’s on FF automatic_self_managed_trial_activation’ into 18.10
- Backport of ‘Fix incorrect flow/agent settings when DAP is disabled’
- Backport GITLAB_ZOEKT_VERSION to 1.11.2
- [18.10] Backport of Fix stale work item ES docs after group transfer
- Fix security MR widget stuck loading
18.9.7
- Backport of praba/release-connections-from-all-hosts and stomlinson/feature-check-dead-connections to 18.9
- Backport of ‘Add Code Suggestion to the DAP supported features for self-hosted models’
- Backport: “Update Duo CLI version for remote flows”
- Backport of “BBM - Skip migrations referencing dropped tables”
- Backport of ‘Fix: self-hosted feature setting missing model_definitions’
- 18.9 Backport of ‘update zlib to 3.2.3’
- Backport ‘Fix import_url validation for passwords with special characters’ into 18-9-stable-ee
- Backport of ‘Fix incorrect flow/agent settings when DAP is disabled’
- [18.9] Backport of Fix stale work item ES docs after group transfer
- Fix security MR widget stuck loading
Important notes on upgrading
This patch includes database migrations that may impact your upgrade process.
Impact on your installation:
- Single-node instances: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.
- Multi-node instances: With proper zero-downtime upgrade procedures, this patch can be applied without downtime.
Post-deploy migrations
The following versions include post-deploy migrations that can run after the upgrade:
- 18.9.7
To learn more about the impact of upgrades on your installation, see:
- Zero-downtime upgrades for multi-node deployments
- Standard upgrades for single-node installations
Updating
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
Receive Patch Notifications
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.