GitLab Patch Release: 19.0.2, 18.11.5, 18.10.8
On June 10, 2026, we released versions 19.0.2, 18.11.5, 18.10.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are published twice a month, on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab's release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
Recommended action
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
Security fixes
Table of security fixes
Title | Severity
CVE-2026-6552 Improper Access Control issue in Group SAML Identity API impacts GitLab EE | High
CVE-2026-10087 Cross-site Scripting issue in Analytics Dashboard impacts GitLab EE | High
CVE-2026-7250 Denial of Service issue in Grape API JSON parsing middleware impacts GitLab CE/EE | High
CVE-2026-8589 HTML injection issue in certain group setting fields impacts GitLab EE | High
CVE-2026-1500 Denial of Service issue in Group Placeholder Reassignments API impacts GitLab CE/EE | Medium
CVE-2026-6269 Improper Access Control issue in Merge Requests API impacts GitLab CE/EE | Medium
CVE-2026-9204 Server-Side Request Forgery issue in Gitaly repository import impacts GitLab CE/EE | Medium
CVE-2026-10733 HTML injection issue in CI/CD Catalog impacts GitLab CE/EE | Medium
CVE-2026-6277 Improper Access Control issue in Security Inventory impacts GitLab EE | Medium
CVE-2026-6976 Authorization Bypass issue in Merge Request diff impacts GitLab CE/EE | Low
CVE-2026-3553 Improper Access Control issue in Todos API impacts GitLab CE/EE | Low
CVE-2026-9694 Improper Neutralization issue in Service Desk email template impacts GitLab CE/EE | Low
CVE-2026-6552 - Improper Access Control issue in Group SAML Identity API impacts GitLab EE
GitLab has remediated an issue that under certain conditions could have allowed an authenticated user with the group Owner role to take over another group member’s GitLab account due to improper authorization in the Group SAML identity management functionality.
Impacted Versions: GitLab EE: all versions from 15.5 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2
CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N)
Thanks cyberjoker for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-10087 - Cross-site Scripting issue in Analytics Dashboard impacts GitLab EE
GitLab has remediated an issue that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary client-side code on behalf of a targeted user due to improper input sanitization in the Analytics Dashboard.
Impacted Versions: GitLab EE: all versions from 17.1 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2
CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-7250 - Denial of Service issue in Grape API JSON parsing middleware impacts GitLab CE/EE
GitLab has remediated an issue that under certain conditions could have allowed an unauthenticated user to cause denial of service due to improper input validation in the API request parsing middleware.
Impacted Versions: GitLab CE/EE: all versions from 12.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks svalkanov for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-8589 - HTML injection issue in certain group setting fields impacts GitLab EE
GitLab has remediated an issue that under certain conditions could have allowed an authenticated user to add unauthorized email addresses to a targeted user’s account due to improper sanitization of user-supplied input in certain group setting fields.
Impacted Versions: GitLab EE: all versions from 13.1.4 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2
CVSS 7.3 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N)
Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-1500 - Denial of Service issue in Group Placeholder Reassignments API impacts GitLab CE/EE
GitLab has remediated an issue that under certain conditions could have allowed an authenticated user to cause denial of service due to uncontrolled resource consumption when processing a specially crafted file upload.
Impacted Versions: GitLab CE/EE: all versions from 17.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-6269 - Improper Access Control issue in Merge Requests API impacts GitLab CE/EE
GitLab has remediated an issue that under certain conditions could have allowed an authenticated user with developer-role permissions to modify hidden merge requests due to incorrect authorization enforcements.
Impacted Versions: GitLab CE/EE: all versions from 15.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2
CVSS 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
Thanks rogerace for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-9204 - Server-Side Request Forgery issue in Gitaly repository import impacts GitLab CE/EE
GitLab has remediated an issue that under certain conditions could have allowed an authenticated user to read arbitrary files from the Gitaly server and access internal network resources during repository import, due to insufficient validation of secondary URLs.
Impacted Versions: GitLab CE/EE: all versions from 18.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2
CVSS 5.3 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
Thanks AndresAIFR for reporting this vulnerability
CVE-2026-10733 - HTML injection issue in CI/CD Catalog impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user to cause denial of service on the CI/CD Catalog page due to improper sanitization.
Impacted Versions: GitLab CE/EE: all versions from 17.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
This vulnerability has been discovered internally by GitLab team member Miguel Jimeno
CVE-2026-6277 - Improper Access Control issue in Security Inventory impacts GitLab EE
GitLab has remediated an issue that under certain conditions could have allowed an authenticated user with Security Manager-role permissions to manage project security configuration even when the relevant feature was in a disabled state, due to incorrect authorization enforcement.
Impacted Versions: GitLab EE: all versions from 13.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Thanks mateuszek for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-6976 - Authorization Bypass issue in Merge Request diff impacts GitLab CE/EE
GitLab has remediated an issue that under certain conditions could have allowed an authenticated user with developer-role permissions to hide changes from merge request diff views due to improper input handling of file names.
Impacted Versions: GitLab CE/EE: all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2
CVSS 3.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)
Thanks xorz for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-3553 - Improper Access Control issue in Todos API impacts GitLab CE/EE
GitLab has remediated an issue that under certain conditions could have allowed an authenticated user to access confidential issue details due to incorrect authorization checks.
Impacted Versions: GitLab CE/EE: all versions from 12.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2
CVSS 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-9694 - Improper Neutralization issue in Service Desk email template impacts GitLab CE/EE
GitLab has remediated an issue that under certain conditions could have allowed an unauthenticated user to impersonate the GitLab Support Bot and inject arbitrary content via a specially crafted Service Desk email reply due to improper neutralization in email template processing.
Impacted Versions: GitLab CE/EE: all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2
CVSS 2.6 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N)
Thanks 3nvz for reporting this vulnerability through our HackerOne bug bounty program
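Every entry above gives its affected range in the form "all versions from X before Y", which reads as X <= version < Y for each of the three supported stable branches. Administrators of several self-managed instances usually want that comparison done mechanically rather than by eye. The script below is an added example written for this post, not GitLab tooling: it transcribes the twelve ranges and CVSS scores from the entries above into a lookup table, parses a version string of the kind `gitlab-rake gitlab:env:info` or the `/api/v4/version` endpoint reports (for example `18.10.7-ee`), and lists the CVEs whose ranges contain it, highest CVSS first. The qualitative severity bands are the standard CVSS v3.1 ratings.

```python
"""Check a self-managed GitLab version against the affected ranges in this post.

Added example, not GitLab's own tooling. Ranges are transcribed from the
"Impacted Versions" lines of the post; "from X before Y" is read as X <= v < Y.
"""
import re
import sys
from typing import Dict, List, Tuple

# (first affected, first fixed) pairs per CVE, transcribed from the post.
AFFECTED_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2026-6552":  [("15.5", "18.10.8"),   ("18.11", "18.11.5"), ("19.0", "19.0.2")],
    "CVE-2026-10087": [("17.1", "18.10.8"),   ("18.11", "18.11.5"), ("19.0", "19.0.2")],
    "CVE-2026-7250":  [("12.10", "18.10.8"),  ("18.11", "18.11.5"), ("19.0", "19.0.2")],
    "CVE-2026-8589":  [("13.1.4", "18.10.8"), ("18.11", "18.11.5"), ("19.0", "19.0.2")],
    "CVE-2026-1500":  [("17.10", "18.10.8"),  ("18.11", "18.11.5"), ("19.0", "19.0.2")],
    "CVE-2026-6269":  [("15.10", "18.10.8"),  ("18.11", "18.11.5"), ("19.0", "19.0.2")],
    "CVE-2026-9204":  [("18.10", "18.10.8"),  ("18.11", "18.11.5"), ("19.0", "19.0.2")],
    "CVE-2026-10733": [("17.0", "18.10.8"),   ("18.11", "18.11.5"), ("19.0", "19.0.2")],
    "CVE-2026-6277":  [("13.9", "18.10.8"),   ("18.11", "18.11.5"), ("19.0", "19.0.2")],
    "CVE-2026-6976":  [("15.9", "18.10.8"),   ("18.11", "18.11.5"), ("19.0", "19.0.2")],
    "CVE-2026-3553":  [("12.0", "18.10.8"),   ("18.11", "18.11.5"), ("19.0", "19.0.2")],
    "CVE-2026-9694":  [("15.9", "18.10.8"),   ("18.11", "18.11.5"), ("19.0", "19.0.2")],
}

# CVSS 3.1 base scores from the post, used to rank the findings.
CVSS_SCORES: Dict[str, float] = {
    "CVE-2026-6552": 8.7, "CVE-2026-10087": 8.7, "CVE-2026-7250": 7.5,
    "CVE-2026-8589": 7.3, "CVE-2026-1500": 6.5, "CVE-2026-6269": 5.4,
    "CVE-2026-9204": 5.3, "CVE-2026-10733": 4.3, "CVE-2026-6277": 4.3,
    "CVE-2026-6976": 3.7, "CVE-2026-3553": 3.1, "CVE-2026-9694": 2.6,
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '18.10.7-ee', 'v19.0.2' or '18.11' into a 3-tuple; missing parts are 0.

    Edition suffixes such as '-ee' are ignored: the ranges in the post are the
    same for CE and EE, so only the numeric part matters.
    """
    m = re.match(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a GitLab version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor or 0), int(patch or 0))


def severity(score: float) -> str:
    """Map a CVSS v3.1 base score to its qualitative rating band."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score >= 0.1:
        return "Low"
    return "None"


def affected_cves(version: str) -> List[str]:
    """Return the CVEs from this post whose ranges contain `version`, highest CVSS first."""
    v = parse_version(version)
    hits = [
        cve for cve, ranges in AFFECTED_RANGES.items()
        if any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)
    ]
    # sorted() is stable, so equal scores keep the post's order.
    return sorted(hits, key=lambda cve: -CVSS_SCORES[cve])


def report(version: str) -> str:
    """Human-readable summary for one instance version."""
    cves = affected_cves(version)
    if not cves:
        return f"{version}: not affected by any issue fixed in 19.0.2 / 18.11.5 / 18.10.8"
    lines = [f"{version}: affected by {len(cves)} issue(s), upgrade required"]
    for cve in cves:
        lines.append(f"  {cve}  CVSS {CVSS_SCORES[cve]}  {severity(CVSS_SCORES[cve])}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample inputs; pass real versions on the command line instead.
    for ver in sys.argv[1:] or ["18.10.7-ee", "17.0.5", "19.0.2-ee"]:
        print(report(ver))
```

The check deliberately treats an instance that is below the first affected version of a given CVE as not affected by that CVE only, since the post states a lower bound per issue; an instance older than 18.10 is nonetheless out of the three supported stable branches and should be upgraded regardless of what the lookup returns.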
Bug fixes
19.0.2
- Update VERSION files
- Backport of ‘Geo: fix container repository sync for OCI image indexes’
- Backport of ‘Fix MCP tools checkbox visibility for Premium groups’
- Backport of “Move SANDBOX_SYSTEM_DIR to /var/tmp for non-root image compatibility”
- Backport of ‘Ensure uploads.id has the correct default’ into 19-0-stable-ee
- Backport of “fix Session cancel - bypass DuoApiAuthenticator checks for browser requests”
- Backport of “Bump ruby-jwt to 2.10.3” to 19.0
- Backport of “Fix JSON::ParserError escaping safe_parse in DiscussionsDiff::HighlightCache”
- Backport of “Return false when change_position is not in correct format”
- Backport of ‘Fix agentic chat model picker showing SaaS models on self-hosted gateway’
- Update Rails Gems: Backport branch ‘update-activestorage2’ into ‘19-0-stable-ee’
- Backport of ‘Show ultimate_only agents when paid license is present’ to 19.0
- Backport: Allow composite identity SAs to bypass SAML membership lock
- Backport of ‘Allow job token basic auth for generic package upload’ to 19.0
- Backport of “Exclude invalid custom instructions from code review context”
- Update dependency oj to v3.17.3
- Backport of “Make CI cache limit per job configurable by admins”
- 19-0 Stable Bump Container Registry to v4.40.1-gitlab
- [19.0 Backport] Fix: don’t set deprecated registry threshold when maxretries is configured
- Backport the Golang upgrade 1.25.9 to 19-0
18.11.5
- [backport] praefect: Add configurable health check ping timeout option
- Enhance DNS rebinding protection in VirtualRegistries RedirectHandler
- Backport of ‘Geo: fix container repository sync for OCI image indexes’
- Backport of ‘Fix MCP tools checkbox visibility for Premium groups’
- Backport of ‘Ensure uploads.id has the correct default’ into 18-11-stable-ee
- Backport of “Fix JSON::ParserError escaping safe_parse in DiscussionsDiff::HighlightCache”
- Backport of “Bump ruby-jwt to 2.10.3” to 18.11
- Backport of “Return false when change_position is not in correct format”
- Backport of ‘Fix agentic chat model picker showing SaaS models on self-hosted gateway’
- Backport of “Check if MR should be created ahead of forking”
- Update Rails Gems: Backport branch ‘update-activestorage2’ into ‘18-11-stable-ee’
- Backport of ‘Show ultimate_only agents when paid license is present’ to 18.11
- Backport of “Make CI cache limit per job configurable by admins”
- Update dependency oj to v3.17.3
- [18.11] Mattermost Security Updates May 27, 2026
- [18.11 Backport] Fix: don’t set deprecated registry threshold when maxretries is configured
- Backport Ubuntu 22.04 FIPS to 18.11
18.10.8
- Filter out non-user-defined rules on approval update
- Backport of ‘Geo: fix container repository sync for OCI image indexes’
- Backport of ‘Fix MCP tools checkbox visibility for Premium groups’
- Backport of “Bump ruby-jwt to 2.10.3” to 18.10
- Backport of “Fix JSON::ParserError escaping safe_parse in DiscussionsDiff::HighlightCache”
- Backport of “Return false when change_position is not in correct format”
- Update Rails Gems: Backport branch ‘update-activestorage2’ into ‘18-10-stable-ee’
- Backport of ‘Allow job token basic auth for generic package upload’ to 18.10
- Update dependency oj to v3.17.3
- Backport of “Make CI cache limit per job configurable by admins”
- Merge branch ‘jk/update-test-certificates’ into ‘master’
- [18.10] Mattermost Security Updates May 21, 2026
- [18.10] Mattermost Security Updates May 27, 2026
- [18.10 Backport] Fix: don’t set deprecated registry threshold when maxretries is configured
Important notes on upgrading
This patch includes database migrations that may impact your upgrade process.
Impact on your installation:
- Single-node instances: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.
- Multi-node instances: With proper zero-downtime upgrade procedures, this patch can be applied without downtime.
Post-deploy migrations
The following versions include post-deploy migrations that can run after the upgrade:
- 19.0.2
- 18.11.5
To learn more about the impact of upgrades on your installation, see:
- Zero-downtime upgrades for multi-node deployments
- Standard upgrades for single-node installations
Updating
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
Receive patch notifications
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.