GitLab Patch Release: 19.1.2, 19.0.4, 18.11.7

On July 8, 2026, we released versions 19.1.2, 19.0.4, 18.11.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.

GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.

For security fixes, the issues detailing each vulnerability are made public on our issue tracker 90 days after the release in which they were patched.

We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.

Security fixes

Table of security fixes

CVE-2026-6896 - Cross-site Scripting issue in vulnerability evidence table renderer impacts GitLab EE

GitLab has remediated an issue that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary scripts in another user’s browser session due to improper sanitization of user-supplied input.

Impacted Versions: GitLab EE: all versions from 13.11 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2
CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)

Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-13320 - HTML Injection in wiki markup rendering impacts GitLab CE/EE

GitLab has remediated an issue that under certain conditions could have allowed an authenticated user to execute arbitrary scripts in another user’s browser session due to improper sanitization of user-supplied input.

Impacted Versions: GitLab CE/EE: all versions from 15.7 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2
CVSS 7.3 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N)

Thanks youzslan and a_m_a_m for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-11827 - Insufficiently Protected Credentials issue in repository mirroring impacts GitLab EE

GitLab has remediated an issue that under certain conditions could have allowed an authenticated user with maintainer-role permissions to obtain another user’s stored credentials due to improper authorization controls.

Impacted Versions: GitLab EE: all versions from 9.5 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2
CVSS 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Thanks rogerace for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-8472 - Improper Access Control issue in work items impacts GitLab EE

GitLab has remediated an issue that under certain conditions could have allowed an authenticated user with minimal access permissions to read work item metadata from private projects due to missing authorization checks.

Impacted Versions: GitLab EE: all versions from 18.9 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-7492 - Missing Authorization issue in commit discussion display impacts GitLab CE/EE

GitLab has remediated an issue that under certain conditions could have allowed an unauthenticated user to determine the existence of a private project due to improper authorization controls on cross-project reference pages.

Impacted Versions: GitLab CE/EE: all versions from 9.1 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Thanks nathanaelhoun for reporting this vulnerability through our HackerOne bug bounty program

CVE-2025-12506 - Ambiguity Reference issue in a tag or branch impacts GitLab CE/EE

GitLab has remediated an issue that under certain conditions could have allowed an authenticated user to create a repository where the content displayed in the web interface differed from the content available for download, due to improper handling of Git reference name resolution.

Impacted Versions: GitLab CE/EE: all versions from 16.5 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2
CVSS 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)

Thanks shells3c for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-13151 - Incorrect Authorization issue in group-level settings impacts GitLab EE

GitLab has remediated an issue that under certain conditions could have allowed an authenticated user to modify group-level settings beyond their intended permissions due to improper authorization controls.

Impacted Versions: GitLab EE: all versions from 16.10 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2
CVSS 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)

This vulnerability has been discovered internally by GitLab team member zli

CVE-2026-6352 - Incorrect Authorization issue in compliance violation management impacts GitLab EE

GitLab has remediated an issue that under certain conditions could have allowed an authenticated user with auditor-level access to modify compliance violation records due to improper authorization on certain GraphQL operations.

Impacted Versions: GitLab EE: all versions from 18.2 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2
CVSS 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)

Thanks amanverasia for reporting this vulnerability through our HackerOne bug bounty program

Bug fixes

19.1.2

19.0.4

18.11.7

Important notes on upgrading

This patch includes database migrations that may impact your upgrade process.

Impact on your installation:

  • Single-node instances: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.
  • Multi-node instances: With proper zero-downtime upgrade procedures, this patch can be applied without downtime.

Post-deploy migrations

The following versions include post-deploy migrations that can run after the upgrade:

  • 19.1.2
  • 19.0.4

To learn more about the impact of upgrades on your installation, see:

Updating

To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.

Receive Patch Notifications

To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.