GitLab Patch Release: 19.0.1, 18.11.4, 18.10.7

On May 27, 2026, we released versions 19.0.1, 18.11.4, 18.10.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.

GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.

For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.

Security fixes

Table of security fixes

CVE-2026-4868 - Improper Access Control issue in Duo AI workflow runners impacts GitLab EE

GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to cause specific Duo AI workflows to run under another user’s identity due to improper user identity resolution when triggering Duo AI workflow runners.

Impacted Versions: GitLab EE: all versions from 18.8 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1
CVSS 8.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)

Thanks ahacker1 for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-1402 - Denial of Service issue in Wiki impacts GitLab CE/EE

GitLab has remediated an issue that under certain conditions could have allowed an authenticated user to cause denial of service due to insufficient validation.

Impacted Versions: GitLab CE/EE: all versions from 17.1 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-6713 - Incorrect Authorization issue in GraphQL WorkItem API impacts GitLab CE/EE

GitLab has remediated an issue that under certain conditions could have allowed an unauthorized user to enumerate private projects due to incorrect authorization checks.

Impacted Versions: GitLab CE/EE: all versions from 18.2 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1
CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Thanks pollito for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-5296 - Improper Authorization issue in Duo Workflows API impacts GitLab EE

GitLab has remediated an issue that when foundational flows were enabled at the group level, could have allowed an authenticated user with developer-role permissions to bypass flow restrictions under certain conditions.

Impacted Versions: GitLab EE: all versions from 18.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Thanks rogerace for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-2601 - Missing Authorization issue in Operations impacts GitLab EE

GitLab has remediated an issue that under certain conditions could have allowed an authenticated user with developer-role permissions to access sensitive deployment data on projects due to improper authorization checks.

Impacted Versions: GitLab EE: all versions from 11.5 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Thanks modhanami for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-8716 - Incorrect Name Resolution issue in Pipelines impacts GitLab CE/EE

GitLab has remediated an issue that under certain conditions could have allowed an authenticated user to access CI data from a different ref type than intended.

Impacted Versions: GitLab CE/EE: all versions from 12.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

This vulnerability has been discovered internally by GitLab team member Hordur Freyr Yngvason

CVE-2026-2710 - Incorrect Authorization issue in certain authentication endpoints impacts GitLab CE/EE

GitLab has remediated an issue that under certain conditions could have allowed a blocked Project Access Token to continue accessing private resources due to incorrect authorization enforcement.

Impacted Versions: GitLab CE/EE: all versions from 18.9 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Thanks s4dmach1ne for reporting this vulnerability through our HackerOne bug bounty program

Bug fixes

19.0.1

• Backport ‘Remove Helm based release environment QA’ to 19-0-stable-ee
• Backporting 19.0 final release notes
• Backport of ‘Fix broken trial CTAs on SM GitLab Credits dashboard’ into 19-0-stable-ee
• Backport API Security remediation guidance release note to 19-0-stable-ee
• Backport of ‘Add write option for Repositories in job token fine-grained permissions’ to 19.0

18.11.4

• Backport ‘Add Ruby thread scheduler priority patch’ to 18.11
• Bump GITLAB_ELASTICSEARCH_INDEXER_VERSION to 5.14.7
• Revert “backchannel: remove hashicorp yamux in favor of libp2p yamux”
• [18.11] Backport of Gate commit traversal_ids behind AddTraversalIdsToCommits migration
• Backport “Fix comments lost when moving wiki page”
• Backport of ‘Allow subgroup-provisioned SAs to create subgroups’ to 18.11
• Backport: Update Zlib to 3.2.3
• Backport of ‘Fix SyncPolicyWorker timeout on linked root namespaces’ to 18.11
• Backport of ‘Fixes dropping successful builds’
• Backport of Fixed flaky CI Catalog Resource name filter happy path spec
• Backport of Added waits to traces and cancel pipeline in after block
• Backport of ‘Add ai_workflows scope’
• Backport of Fix swimlane problem
• Backport of Fix flaky new_project_spec CI/CD from repo URL test to 18-11
• Backport of ‘Send allowed endpoints to Workhorse for diagram proxy’
• [18.11] Backport of ‘Use primary DB connection for advanced search bulk indexer’
• Backport of “Performance optimizations for the license approval rules workflow(behind FF)”
• Backport of ‘Bump gitlab-shell version to 14.50.0’
• Backport of ‘Fix off-by-one error in when num_context_lines=0’
• [18.11] Backport of ‘Fix epic boards flaky specs’
• Backport ‘Remove Helm based release environment QA’ to 18-11-stable-ee
• Backport of ‘Fix broken trial CTAs on SM GitLab Credits dashboard’ to 18.11
• Backport of ‘Gate trial CTA’s using redirect based on FF’ into 18.11
• Backport of ‘Fall back to extracting sequence name from column default’ to 18.11
• Backport ‘Update outdated test certificates’ to 18-11-stable
• Backport ‘Bump nginx to version 1.30.1’ to 18-11
• Backport ‘Add Ruby thread scheduler priority patch’ to 18.11
• [18.11] Mattermost Security Updates May 13, 2026
• [18.11] Mattermost Security Updates May 21, 2026
• Update dependency python to v3.14.4 (backport to 18-11-stable)

18.10.7

• Bump GITLAB_ELASTICSEARCH_INDEXER_VERSION to 5.14.7
• [18.10] Backport of Gate commit traversal_ids behind AddTraversalIdsToCommits migration
• 18.10 Backport of ‘update zlib to 3.2.3’
• Backport of ‘Allow subgroup-provisioned SAs to create subgroups’ to 18.10
• Backport of ‘Fix SyncPolicyWorker timeout on linked root namespaces’ to 18.10
• Backport of Fixed flaky CI Catalog Resource name filter happy path spec
• Backport of Added waits to traces and cancel pipeline in after block
• Backport of ‘Add ai_workflows scope’
• Backport of Fix swimlane problem
• Backport of Fix flaky new_project_spec CI/CD from repo URL test to 18-10
• Backport of “Performance optimizations for the license approval rules workflow(behind FF)”
• [18.10] Backport of ‘Use primary DB connection for advanced search bulk indexer’
• [18.10] Backport of ‘Fix epic boards flaky specs’
• Backport ‘Remove Helm based release environment QA’ to 18-10-stable-ee
• Backport of ‘Gate trial CTA’s using redirect based on FF’ into 18.10
• Backport of ‘Resolve: NoMethodError: undefined method `base_score’ for an instance of CvssSuite::Cvss40 (NoMethodError)’
• Backport ‘Bump nginx to version 1.30.1’ to 18-10
• [18.10] Mattermost Security Updates May 13, 2026
• Downgrade python (18.10)

Important notes on upgrading

These versions do not include any new migrations, and for multi-node deployments, should not require any downtime.

Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure file, which is only used for updates.

Updating

To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.

Receive Patch Notifications

To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.