GitLab Patch Release: 19.1.2, 19.0.4, 18.11.7
On July 8, 2026, we released versions 19.1.2, 19.0.4, 18.11.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 90 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
Recommended Action
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
Security fixes
Table of security fixes
CVE-2026-6896 - Cross-site Scripting issue in vulnerability evidence table renderer impacts GitLab EE
GitLab has remediated an issue that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary scripts in another user’s browser session due to improper sanitization of user-supplied input.
Impacted Versions: GitLab EE: all versions from 13.11 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2
CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-13320 - HTML Injection in wiki markup rendering impacts GitLab CE/EE
GitLab has remediated an issue that under certain conditions could have allowed an authenticated user to execute arbitrary scripts in another user’s browser session due to improper sanitization of user-supplied input.
Impacted Versions: GitLab CE/EE: all versions from 15.7 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2
CVSS 7.3 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N)
Thanks youzslan and a_m_a_m for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-11827 - Insufficiently Protected Credentials issue in repository mirroring impacts GitLab EE
GitLab has remediated an issue that under certain conditions could have allowed an authenticated user with maintainer-role permissions to obtain another user’s stored credentials due to improper authorization controls.
Impacted Versions: GitLab EE: all versions from 9.5 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2
CVSS 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
Thanks rogerace for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-8472 - Improper Access Control issue in work items impacts GitLab EE
GitLab has remediated an issue that under certain conditions could have allowed an authenticated user with minimal access permissions to read work item metadata from private projects due to missing authorization checks.
Impacted Versions: GitLab EE: all versions from 18.9 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-7492 - Missing Authorization issue in commit discussion display impacts GitLab CE/EE
GitLab has remediated an issue that under certain conditions could have allowed an unauthenticated user to determine the existence of a private project due to improper authorization controls on cross-project reference pages.
Impacted Versions: GitLab CE/EE: all versions from 9.1 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks nathanaelhoun for reporting this vulnerability through our HackerOne bug bounty program
CVE-2025-12506 - Ambiguity Reference issue in a tag or branch impacts GitLab CE/EE
GitLab has remediated an issue that under certain conditions could have allowed an authenticated user to create a repository where the content displayed in the web interface differed from the content available for download, due to improper handling of Git reference name resolution.
Impacted Versions: GitLab CE/EE: all versions from 16.5 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2
CVSS 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)
Thanks shells3c for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-13151 - Incorrect Authorization issue in group-level settings impacts GitLab EE
GitLab has remediated an issue that under certain conditions could have allowed an authenticated user to modify group-level settings beyond their intended permissions due to improper authorization controls.
Impacted Versions: GitLab EE: all versions from 16.10 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2
CVSS 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)
This vulnerability has been discovered internally by GitLab team member zli
CVE-2026-6352 - Incorrect Authorization issue in compliance violation management impacts GitLab EE
GitLab has remediated an issue that under certain conditions could have allowed an authenticated user with auditor-level access to modify compliance violation records due to improper authorization on certain GraphQL operations.
Impacted Versions: GitLab EE: all versions from 18.2 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2
CVSS 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)
Thanks amanverasia for reporting this vulnerability through our HackerOne bug bounty program
Bug fixes
19.1.2
- Set organization_id when registering OAuth applications (19.1 backport)
- Bump Go to 1.25.11
- Backport of ‘Fix 500 on multi-arch tags on the legacy registry path’ into 19.1
- Backport of “Use commit author and committer identity for external agent flows”
- Backport of ‘Make ci_finished_builds engine swap work on ClickHouse 23.x’ into 19.1
- Backport of ‘Limit getDuoWorkflowEvents to latest checkpoint with cursor pagination’ into 19.1
- Backport of ‘Backfill NULL organization_id on oauth_applications before constraint validation’ to 19.1
- Backport: Revert the MR 238702
- Backport of “Remove ActiveUserCountThresholdWorker cron schedule” into 19.1
- Backport of ‘Fix approval rule override regression for Developer MR authors’
- Backport of Fix commits page memory leak from eager description fetch
- Pass organization_id when creating OAuth Applications
- Add BUILDER_IMAGE_REVISION to 5.60.1
19.0.4
- Set organization_id when registering OAuth applications (19.0 backport)
- Backport: Skopeo auth to registry, via CI_JOB_TOKEN (19-0-stable)
- Bump Go to 1.25.11
- Backport of “Add composite identity checks for commit”
- Backport of “Use commit author and committer identity for external agent flows”
- Backport of ‘Fix ci_finished_builds engine swap on deferred post-deploy’ into 19.0
- Backport of ‘Limit getDuoWorkflowEvents to latest checkpoint with cursor pagination’ into 19.0
- Backport of ‘Backfill NULL organization_id on oauth_applications before constraint validation’ to 19.0
- Quarantine flaky user_suggests_changes_on_diff_spec examples
- Backport shared example fix in 19-0-stable-ee
- Deflake granular token permissions spec for group MRs
- Pass organization_id when creating OAuth Applications
- Add BUILDER_IMAGE_REVISION to 5.57.1
18.11.7
- Fix fetch_assets to authenticate skopeo inspect for private registries
- Bump Go to 1.25.11
- Backport of ‘Fix ci_finished_builds engine swap on deferred post-deploy’ into 18.11
- Backport of ‘Limit getDuoWorkflowEvents to latest checkpoint with cursor pagination’ into 18.11
- Quarantine flaky user_suggests_changes_on_diff_spec examples
- [18.11] Mattermost Security Updates June 12, 2026
- backport: add mattermost and spamcheck deprecation entries to 18.11
- Add BUILDER_IMAGE_REVISION to 5.52.1
Important notes on upgrading
This patch includes database migrations that may impact your upgrade process.
Impact on your installation:
- Single-node instances: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.
- Multi-node instances: With proper zero-downtime upgrade procedures, this patch can be applied without downtime.
Post-deploy migrations
The following versions include post-deploy migrations that can run after the upgrade:
- 19.1.2
- 19.0.4
To learn more about the impact of upgrades on your installation, see:
- Zero-downtime upgrades for multi-node deployments
- Standard upgrades for single-node installations
Updating
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
Receive Patch Notifications
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.