{"total":99,"page":1,"count":50,"advisories":[{"id":"cfb2bb1b-316a-43db-b2a8-5013246b11ab","num":165564,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-2-released/","title":"GitLab Patch Release: 19.1.2, 19.0.4, 18.11.7","summary":"On July 8, 2026, we released versions 19.1.2, 19.0.4, 18.11.7 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 90 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity Cross-site Scripting issue in vulnerability evidence table renderer impacts GitLab EE High HTML Injection in wiki markup rendering impacts GitLab CE/EE High Insufficiently Protected Credentials issue in repository mirroring impacts GitLab EE Medium Improper Access Control issue in work items impac","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-2-released/","severity":"critical","cvss":null,"cves":["CVE-2026-6896","CVE-2026-13320","CVE-2026-11827","CVE-2026-8472","CVE-2026-7492","CVE-2025-12506","CVE-2026-13151","CVE-2026-6352"],"exploited":false,"has_exploit":false,"published_at":"2026-07-08T00:00:00+00:00"},{"id":"70528b71-9123-47bb-9fed-14aaa8fe5ca4","num":86924,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-8-11-released/","title":"GitLab Patch Release: 18.8.11","summary":"On July 1, 2026, we released version 18.8.11 for GitLab Community Edition and Enterprise Edition. These versions resolve regressions and bugs. This patch release does not include any security fixes. When database load balancing is in use, database connections may not be returned to the pool as a result of a regression caused by the upgrade to Rails 7.2. We are making an out-of-band patch release to ensure stability for customers upgrading to the required stop of GitLab 18.8. GitLab Community Edition and Enterprise Edition 18.8.11 Fix database connection leaks when database load balancer in use Important notes on upgrading This version does not include any new migrations, and for multi-node deployments, should not require any downtime . Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure file, which is only used for upgrades . Updating To update, check out our update page . GitLab subscriptions Access to GitLab Premium and Ultimate features is granted by a paid subscription . Alternatively, sign up for GitLab.com to use the GitLab infrastructure.","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-8-11-released/","severity":"unknown","cvss":null,"cves":[],"exploited":false,"has_exploit":false,"published_at":"2026-07-01T00:00:00+00:00"},{"id":"e999956d-e737-4ad1-b531-5226b32555c6","num":86923,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/","title":"GitLab patch release notes","summary":null,"link":"https://docs.gitlab.com/releases/patches/","severity":"unknown","cvss":null,"cves":[],"exploited":false,"has_exploit":false,"published_at":"2026-07-01T00:00:00+00:00"},{"id":"d792197d-fd08-422e-b79a-6634a4bacd54","num":86925,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-1-released/","title":"GitLab Patch Release: 19.1.1, 19.0.3, 18.11.6","summary":"On June 24, 2026, we released versions 19.1.1, 19.0.3, 18.11.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity Cross-site Scripting issue in Analytics Dashboard impacts GitLab EE High Cross-site Scripting issue in Web IDE workbench asset handler impacts GitLab CE/EE High Information Disclosure issue in Duo Workflows impacts GitLab EE High Authorization Bypass issue in Virtual Registry Cleanup Policy API i","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-1-released/","severity":"critical","cvss":null,"cves":["CVE-2026-10086","CVE-2026-10712","CVE-2026-12053","CVE-2026-5309","CVE-2026-2238","CVE-2026-11379","CVE-2026-8330","CVE-2026-1606","CVE-2026-5952","CVE-2026-5796","CVE-2026-0934","CVE-2026-3176","CVE-2026-12635"],"exploited":false,"has_exploit":false,"published_at":"2026-06-24T00:00:00+00:00"},{"id":"8613efd6-19cb-4544-984e-03976661d1e2","num":86926,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-0-2-released/","title":"GitLab Patch Release: 19.0.2, 18.11.5, 18.10.8","summary":"On June 10, 2026, we released versions 19.0.2, 18.11.5, 18.10.8 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity Improper Access Control issue in Group SAML Identity API impacts GitLab EE High Cross-site Scripting issue in Analytics Dashboard impacts GitLab EE High Denial of Service issue in Grape API JSON parsing middleware impacts GitLab CE/EE High HTML injection issue in certain group setting fields imp","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-0-2-released/","severity":"critical","cvss":null,"cves":["CVE-2026-6552","CVE-2026-10087","CVE-2026-7250","CVE-2026-8589","CVE-2026-1500","CVE-2026-6269","CVE-2026-9204","CVE-2026-10733","CVE-2026-6277","CVE-2026-6976","CVE-2026-3553","CVE-2026-9694"],"exploited":false,"has_exploit":false,"published_at":"2026-06-10T00:00:00+00:00"},{"id":"1a2f9431-a061-4404-a700-19e215744954","num":86927,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-9-8-released/","title":"GitLab Patch Release: 18.9.8, 18.8.10, 18.7.7, 18.6.8, 18.5.7","summary":"Today, we are releasing versions 18.9.8, 18.8.10, 18.7.7, 18.6.8, and 18.5.7 for GitLab Community Edition and Enterprise Edition. These versions resolve a number of regressions and bugs. This patch release does not include any security fixes. This patch release addresses a regression introduced in GitLab 18.4 where issues appeared duplicated in Epic swimlane board views — showing under both their direct parent epic and the grandparent epic — even when no filter was applied. This caused boards to become cluttered and made iteration planning unreliable for teams using nested epic hierarchies. The fix restores the intended behavior: issues appear only under their direct parent epic in unfiltered swimlane views, while the full hierarchy is still shown when a user explicitly filters by a specific parent epic. Customers affected by this issue are encouraged to upgrade to the patched version. GitLab Community Edition and Enterprise Edition 18.9.8 Backport of Fix swimlane problem Backport of Fix flaky new_project_spec CI/CD from repo URL test to 18-9 Backport ‘Pass down DOCKER_VERSION to release env pipeline’ and ‘Remove Helm based release environment QA’ to 18-9-stable-ee Backport ‘Bump nginx to version 1.30.1’ to 18-9 [18.9] Mattermost Security Updates May 13, 2026 18.8.10 [18.8] Scope start-rails-specs changes rule to MR pipelines 18.8 Backport of ‘update zlib to 3.2.3’ [Backport 18.8]Fix PG::UniqueViolation in project_daily_statistics sync trigger Docs backport: Add note about Agent Platform flow configurations not available until 18.11 Backport of Fix swimlane problem Backport ‘Pass GIT_VERSION/DOCKER_VERSION to release env pipeline’ and ‘Remove Helm based release environment QA’ to 18-8-stable-ee 18.8 backport of ‘Update rack to 2.2.23’ Backport: fix: Set sv timeout when restarting Gitaly to 18.8 [18.8] Remove Mattermost for SLES-12.5 18.7.7 [18.7] Update dependency oj to v3.16.15 [18.7] GLQL advanced finder, remove project_ids Backport oj and oj-introspect gem update","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-9-8-released/","severity":"unknown","cvss":null,"cves":[],"exploited":false,"has_exploit":false,"published_at":"2026-05-27T00:00:00+00:00"},{"id":"835bee67-74e7-4719-bfa7-df8cdba1066d","num":86928,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-0-1-released/","title":"GitLab Patch Release: 19.0.1, 18.11.4, 18.10.7","summary":"On May 27, 2026, we released versions 19.0.1, 18.11.4, 18.10.7 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity Improper Access Control issue in Duo AI workflow runners impacts GitLab EE High Denial of Service issue in Wiki impacts GitLab CE/EE Medium Incorrect Authorization issue in GraphQL WorkItem API impacts GitLab CE/EE Medium Improper Authorization issue in Duo Workflows API impacts GitLab EE Medium","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-0-1-released/","severity":"critical","cvss":null,"cves":["CVE-2026-4868","CVE-2026-1402","CVE-2026-6713","CVE-2026-5296","CVE-2026-2601","CVE-2026-8716","CVE-2026-2710"],"exploited":false,"has_exploit":false,"published_at":"2026-05-27T00:00:00+00:00"},{"id":"24ac75b8-25a9-457b-aea4-4dc04f4d7c27","num":86929,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-11-3-released/","title":"GitLab Patch Release: 18.11.3, 18.10.6, 18.9.7","summary":"On May 13, 2026, we released versions 18.11.3, 18.10.6, 18.9.7 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity Cross-site Scripting issue in Analytics dashboard chart rendering impacts GitLab EE High Cross-site Scripting issue in global search impacts GitLab CE/EE High Cross-site Scripting issue in Duo Agent output rendering impacts GitLab EE High Cross-site Scripting issue in Analytics Dashboard impacts","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-11-3-released/","severity":"critical","cvss":null,"cves":["CVE-2026-7481","CVE-2026-5297","CVE-2026-6073","CVE-2026-7377","CVE-2026-1659","CVE-2025-14870","CVE-2025-14869","CVE-2026-1322","CVE-2026-1184","CVE-2026-4524","CVE-2026-8280","CVE-2026-4527","CVE-2026-3160","CVE-2026-6335","CVE-2025-12669","CVE-2026-3607","CVE-2026-3074","CVE-2026-1338","CVE-2026-8144","CVE-2026-6063","CVE-2026-3073","CVE-2025-13874","CVE-2026-7471","CVE-2026-2900","CVE-2026-6883"],"exploited":false,"has_exploit":false,"published_at":"2026-05-13T00:00:00+00:00"},{"id":"f9fc9273-8a27-4e8c-8e79-74ad2277db78","num":86930,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-11-2-released/","title":"GitLab Patch Release: 18.11.2, 18.10.5","summary":"On April 29, 2026, we released versions 18.11.2 and 18.10.5 for GitLab Community Edition and Enterprise Edition. These out-of-band patch releases fix an observability gap to ensure we continue to meet our disaster recovery RTO/RPO commitments for our GitLab Dedicated customers. These versions also resolve a number of regressions and bugs. This patch release does not include any security fixes. GitLab Community Edition and Enterprise Edition 18.11.2 Revert “Merge branch ‘ia-refactor-role-permission-enablement’ into ‘master’” ‘Add Code Suggestion to the DAP supported features for self-hosted models’ ‘Clear persisted filters when loading /work_items page’ ‘Allow Duo Core user to still use DAP code review’ ‘GraphQL mutation to retry failed reassigments’ into 18.11 “Resolve sidekiq spikes when a User is banned” Fix MCP OAuth discovery failing on relative URL installs ’*_oldest_unsynced_time’ metric addition 18.10.5 ‘Add Code Suggestion to the DAP supported features for self-hosted models’ “Update Duo CLI version for remote flows” “BBM - Skip 3 migrations referencing dropped tables” ‘Allow Duo Core user to still use DAP code review’ “Resolve sidekiq spikes when a User is banned” ‘Fix: self-hosted feature setting missing model_definitions’ “fix: Skip CreateOrUpdateDefaultTrackedContextWorker on Geo secondaries” ’*_oldest_unsynced_time’ metric addition Important notes on upgrading This patch includes database migrations that may impact your upgrade process. Impact on your installation: Single-node instances : This patch will cause downtime during the upgrade as migrations must complete before GitLab can start. Multi-node instances : With proper zero-downtime upgrade procedures , this patch can be applied without downtime. Regular migrations The following version includes regular migrations that run during the upgrade process: 18.10.5 Post-deploy migrations The following version includes post-deploy migrations that can run after the upgrade: 18.11.2 18.10.5 To learn more abo","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-11-2-released/","severity":"unknown","cvss":null,"cves":[],"exploited":false,"has_exploit":false,"published_at":"2026-04-29T00:00:00+00:00"},{"id":"e716b702-0629-4ab8-a9aa-db9805a18285","num":86931,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-11-1-released/","title":"GitLab Patch Release: 18.11.1, 18.10.4, 18.9.6","summary":"On April 22, 2026, we released versions 18.11.1, 18.10.4, 18.9.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity Cross-Site Request Forgery issue in GraphQL API impacts GitLab CE/EE High Improper Resolution of Path Equivalence issue in Web IDE asset impacts GitLab CE/EE High Cross-site Scripting issue in Storybook impacts GitLab CE/EE High Denial of Service issue in discussions endpoint impacts GitLab CE/","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-11-1-released/","severity":"critical","cvss":null,"cves":["CVE-2026-4922","CVE-2026-5816","CVE-2026-5262","CVE-2025-0186","CVE-2026-1660","CVE-2025-6016","CVE-2025-3922","CVE-2026-6515","CVE-2026-5377","CVE-2026-3254","CVE-2025-9957"],"exploited":false,"has_exploit":false,"published_at":"2026-04-22T00:00:00+00:00"},{"id":"aa5666d8-e9df-4bc0-ba68-c8bbf55481a2","num":86932,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-10-3-released/","title":"GitLab Patch Release: 18.10.3, 18.9.5, 18.8.9","summary":"On April 8, 2026, we released versions 18.10.3, 18.9.5, 18.8.9 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity Exposed Method issue in websocket connections impacts GitLab CE/EE High Denial of Service issue in Terraform state lock API impacts GitLab CE/EE High Denial of Service issue in GraphQL API impacts GitLab CE/EE High Denial of Service issue in CSV import impacts GitLab CE/EE Medium Denial of Servic","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-10-3-released/","severity":"critical","cvss":null,"cves":["CVE-2026-5173","CVE-2026-1092","CVE-2025-12664","CVE-2026-1403","CVE-2026-1101","CVE-2026-1516","CVE-2026-4332","CVE-2026-2619","CVE-2025-9484","CVE-2026-1752","CVE-2026-2104","CVE-2026-4916"],"exploited":false,"has_exploit":false,"published_at":"2026-04-08T00:00:00+00:00"},{"id":"9b5d4ec7-692c-4b1f-811b-ab028808ccfc","num":86933,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-10-1-released/","title":"GitLab Patch Release: 18.10.1, 18.9.3, 18.8.7","summary":"On March 25, 2026, we released versions 18.10.1, 18.9.3, 18.8.7 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity Improper Handling of Parameters issue in Jira Connect installations impacts GitLab CE/EE High Cross-Site Request Forgery issue in GLQL API impacts GitLab CE/EE High HTML Injection in vulnerability report impacts GitLab EE High Denial of Service issue in GraphQL API impacts GitLab CE/EE High Impr","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-10-1-released/","severity":"critical","cvss":null,"cves":["CVE-2026-2370","CVE-2026-3857","CVE-2026-2995","CVE-2026-3988","CVE-2026-2745","CVE-2026-1724","CVE-2025-13436","CVE-2025-13078","CVE-2026-2973","CVE-2026-2726","CVE-2025-14595","CVE-2026-4363"],"exploited":false,"has_exploit":false,"published_at":"2026-03-25T00:00:00+00:00"},{"id":"706a05dc-b735-4697-bfec-46143b796274","num":86934,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-9-2-released/","title":"GitLab Patch Release: 18.9.2, 18.8.6, 18.7.6","summary":"On March 11, 2026, we released versions 18.9.2, 18.8.6, 18.7.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity Cross-site Scripting issue in Markdown placeholder processing impacts GitLab CE/EE High Denial of Service issue in GraphQL API impacts GitLab CE/EE High Denial of Service issue in repository archive endpoint impacts GitLab CE/EE High Denial of Service issue in protected branches API impacts GitLa","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-9-2-released/","severity":"critical","cvss":null,"cves":["CVE-2026-1090","CVE-2026-1069","CVE-2025-13929","CVE-2025-14513","CVE-2025-13690","CVE-2025-12576","CVE-2026-3848","CVE-2025-12555","CVE-2026-0602","CVE-2026-1732","CVE-2026-1663","CVE-2026-1230","CVE-2026-1182","CVE-2025-12704","CVE-2025-12697"],"exploited":false,"has_exploit":false,"published_at":"2026-03-11T00:00:00+00:00"},{"id":"0e331416-6269-4a65-b334-6e513e215d2b","num":86935,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-9-1-released/","title":"GitLab Patch Release: 18.9.1, 18.8.5, 18.7.5","summary":"On February 25, 2026, we released versions 18.9.1, 18.8.5, 18.7.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity Cross-site Scripting issue in Mermaid sandbox impacts GitLab CE/EE High Denial of Service issue in container registry impacts GitLab CE/EE High Denial of Service issue in Jira events endpoint impacts GitLab CE/EE High Regular Expression Denial of Service issue in GitLab merge requests impacts","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-9-1-released/","severity":"critical","cvss":null,"cves":["CVE-2026-0752","CVE-2025-14511","CVE-2026-1662","CVE-2026-1388","CVE-2026-2845","CVE-2025-3525","CVE-2026-1725","CVE-2026-1747","CVE-2025-14103"],"exploited":false,"has_exploit":false,"published_at":"2026-02-25T00:00:00+00:00"},{"id":"504b25ab-b25d-418d-bbdc-11ed883f0114","num":86936,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-8-4-released/","title":"GitLab Patch Release: 18.8.4, 18.7.4, 18.6.6","summary":"On February 10, 2026, we released versions 18.8.4, 18.7.4, 18.6.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity Incomplete Validation issue in Web IDE impacts GitLab CE/EE High Denial of Service issue in GraphQL introspection impacts GitLab CE/EE High Denial of Service issue in JSON validation middleware impacts GitLab CE/EE High Cross-site Scripting issue in Code Flow impacts GitLab CE/EE High HTML Inj","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-8-4-released/","severity":"critical","cvss":null,"cves":["CVE-2025-7659","CVE-2025-8099","CVE-2026-0958","CVE-2025-14560","CVE-2026-0595","CVE-2026-1458","CVE-2026-1456","CVE-2026-1387","CVE-2025-12575","CVE-2026-1094","CVE-2025-12073","CVE-2026-1080","CVE-2025-14592","CVE-2026-1282","CVE-2025-14594"],"exploited":false,"has_exploit":false,"published_at":"2026-02-10T00:00:00+00:00"},{"id":"47acf533-9847-4f23-9b70-dd78c5184eac","num":86937,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/other-patches/patch-release-gitlab-ai-gateway-18-8-1-released/","title":"GitLab AI Gateway Critical Patch Release: 18.6.2, 18.7.1, and 18.8.1","summary":"On February 6, 2026, we released versions 18.6.2, 18.7.1, and 18.8.1 of the GitLab AI Gateway. These versions contain a critical security fix for GitLab Duo Self-Hosted AI Gateway, and we strongly recommend that all Self Managed customers with GitLab Duo Self-Hosted installations update to one of these versions immediately. A fix has already been deployed for the GitLab-hosted AI Gateway. Customers using GitLab.com, GitLab Dedicated, and GitLab Self Managed instances with GitLab-hosted AI Gateway are protected and do not need to take action. Recommended Action We strongly recommend that all GitLab Duo Self-Hosted installations running a version of self-hosted AI Gateway affected by the issue described below are upgraded to the latest version as soon as possible. Security fixes Table of security fixes Title Severity Insecure Template expansion issue impacts GitLab AI Gateway Critical CVE-2026-1868 - Insecure Template expansion issue impacts GitLab AI Gateway The Duo Workflow Service component of GitLab AI Gateway before versions 18.6.2, 18.7.1, and 18.8.1 is vulnerable to insecure template expansion of user supplied data via crafted Duo Agent Platform Flow definitions. Authenticated access to the GitLab instance is required. This vulnerability could be used to cause Denial of Service or gain code execution on the Gateway. Impacted Versions: GitLab AI Gateway: all versions from 18.1.6, 18.2.6, and 18.3.1 before 18.6.2, 18.7.1, and 18.8.1 CVSS 9.9 ( CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H ) This vulnerability was discovered internally by GitLab team member Joern Schneeweisz . Updating To update GitLab Duo Self-Hosted, see the GitLab Duo Self-Hosted install documentation . Receive Patch Notifications To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases .","link":"https://docs.gitlab.com/releases/other-patches/patch-release-gitlab-ai-gateway-18-8-1-released/","severity":"critical","cvss":null,"cves":["CVE-2026-1868"],"exploited":false,"has_exploit":false,"published_at":"2026-02-06T00:00:00+00:00"},{"id":"bdd64f9c-5772-436a-9ac4-1578731d7d54","num":86938,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-8-3-released/","title":"GitLab Patch Release: 18.8.3, 18.7.3, 18.6.5","summary":"On February 4, 2026, we released versions 18.8.3, 18.7.3, and 18.6.5 for GitLab Community Edition and Enterprise Edition. This patch release delivers a set of targeted fixes focused on reliability, entitlement handling, and feature-flag consistency across GitLab Duo Agent Platform deployments. The updates reflect real-world usage across diverse environments and usage models, and are part of the normal hardening cycle for a platform that integrates deeply with GitLab workflows, identity, and usage controls. Core agent capabilities and behaviors are unchanged. This patch release does not include any security fixes. GitLab Community Edition and Enterprise Edition 18.8.3 Backport of ‘Pass user id to workflow service’ Backport of ‘Unlock Duo Workflow foundational flows from experimental features’ Backport of ‘Unlock Duo Workflow foundational flows from experimental features’ Backport of ‘Fix enforced_scans sync with inject_policy’ Backport of “Open service desk issues and tickets on boards in legacy view instead of drawer” Backport of “Add info on UI for new Ticket work item type” [Backport]Fix missing Open the file to view all results’ link in Zoekt Refactor Redis TLS options parsing to fix ActionCable configuration Backport of ‘Fix route constraint for Credits dashboards’ Backport of ‘Fix Zoekt filter order to avoid performance regression’ to 18.8 Backport: Allow to better debug initialize connection Backport of ‘Integrate work items into chat notifications as issue events’ Backport of “Fixes preserving external author on work item move and clone” [Backport] Remove search api preload for commits scope Backport of “Regenerate openapi docs” 18.7.3 Backport of ‘Add FF to toggle namespace filtering for Duo Chat data’ Backport of ‘Remove duo_workflow_in_ci Feature Flag’ Backport of ‘Remove duo_workflow Feature Flag’ Backport of ‘Pass user id to workflow service’ Backport of ‘Fix enforced_scans sync with inject_policy’ Backport of ‘Fix Zoekt filter order to avoid performance","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-8-3-released/","severity":"unknown","cvss":null,"cves":[],"exploited":false,"has_exploit":false,"published_at":"2026-02-04T00:00:00+00:00"},{"id":"3eccbaea-9d20-4576-8a7d-9f092ff75fbd","num":86939,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-8-2-released/","title":"GitLab Patch Release: 18.8.2, 18.7.2, 18.6.4","summary":"On January 21, 2026, we released versions 18.8.2, 18.7.2, 18.6.4 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity Denial of Service issue in in Jira Connect integration impacts GitLab CE/EE High Incorrect Authorization issue in Releases API impacts GitLab CE/EE High Unchecked Return Value issue in authentication services impacts GitLab CE/EE High Infinite Loop issue in Wiki redirects impacts GitLab CE/EE M","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-8-2-released/","severity":"critical","cvss":null,"cves":["CVE-2025-13927","CVE-2025-13928","CVE-2026-0723","CVE-2025-13335","CVE-2026-1102"],"exploited":false,"has_exploit":false,"published_at":"2026-01-21T00:00:00+00:00"},{"id":"5585bf23-a886-4d27-8146-e5e64fe74983","num":86940,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-8-1-released/","title":"GitLab Patch Release: 18.8.1","summary":"On January 19, 2026, we released versions 18.8.1 for GitLab Community Edition and Enterprise Edition. These versions resolve a number of regressions and bugs. This patch release does not include any security fixes. GitLab Community Edition and Enterprise Edition 18.8.1 Backport: Release AI Catalog External Agents Backport of ‘Fix summarize review prompt version for DAP Duo Code Review’ Backport of Disallow creation of new external agents Backport of Correct Code Review Flow history for beta Backport of ‘Fix incorrectly shown limited experience alert on pipeline security tab’ Backport of ‘Fix Duo Chat button visibility for Amazon Q’ Important notes on upgrading This version does not include any new migrations, and for multi-node deployments, should not require any downtime . Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure file, which is only used for updates . Updating To update, check out our update page . GitLab subscriptions Access to GitLab Premium and Ultimate features is granted by a paid subscription . Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-8-1-released/","severity":"unknown","cvss":null,"cves":[],"exploited":false,"has_exploit":false,"published_at":"2026-01-19T00:00:00+00:00"},{"id":"fc1194e7-f092-4be1-b05c-b74fab751ade","num":86941,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-7-1-released/","title":"GitLab Patch Release: 18.7.1, 18.6.3, 18.5.5","summary":"On January 7, 2026, we released versions 18.7.1, 18.6.3, 18.5.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity Stored Cross-site Scripting issue in GitLab Flavored Markdown placeholders impacts GitLab CE/EE High Cross-site scripting issue in Web IDE impacts GitLab CE/EE High Missing Authorization issue in Duo Workflows API impacts GitLab EE High Denial of Service issue in import functionality impacts Git","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-7-1-released/","severity":"critical","cvss":null,"cves":["CVE-2025-9222","CVE-2025-13761","CVE-2025-13772","CVE-2025-10569","CVE-2025-13781","CVE-2025-11246","CVE-2025-3950","CVE-2025-65018","CVE-2025-64720"],"exploited":false,"has_exploit":false,"published_at":"2026-01-07T00:00:00+00:00"},{"id":"45cbcc26-3961-41bf-bddb-81b1a37c4335","num":86942,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-6-2-released/","title":"GitLab Patch Release: 18.6.2, 18.5.4, 18.4.6","summary":"On December 10, 2025, we released versions 18.6.2, 18.5.4, 18.4.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity Cross-site scripting issue in Wiki impacts GitLab CE/EE High Improper encoding in vulnerability reports impacts GitLab CE/EE High Cross-site scripting issue in Swagger UI impacts GitLab CE/EE High Denial of service issue in GraphQL endpoints impacts GitLab CE/EE High Authentication bypass issu","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-6-2-released/","severity":"critical","cvss":null,"cves":["CVE-2025-12716","CVE-2025-8405","CVE-2025-12029","CVE-2025-12562","CVE-2025-11984","CVE-2025-4097","CVE-2025-14157","CVE-2025-11247","CVE-2025-13978","CVE-2025-12734"],"exploited":false,"has_exploit":false,"published_at":"2025-12-10T00:00:00+00:00"},{"id":"71f897e3-ce86-4fc9-85fb-ea85c615231a","num":86943,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-6-1-released/","title":"GitLab Patch Release: 18.6.1, 18.5.3, 18.4.5","summary":"On November 26, 2025, we released versions 18.6.1, 18.5.3, 18.4.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity Race condition issue in CI/CD cache impacts GitLab CE/EE High Denial of Service issue in JSON input validation middleware impacts GitLab CE/EE High Authentication bypass issue in account registration impacts GitLab CE/EE Medium Denial of Service issue in HTTP response processing impacts GitLab","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-6-1-released/","severity":"critical","cvss":null,"cves":["CVE-2024-9183","CVE-2025-12571","CVE-2025-12653","CVE-2025-7449","CVE-2025-6195","CVE-2025-13611"],"exploited":false,"has_exploit":false,"published_at":"2025-11-26T00:00:00+00:00"},{"id":"0b8543b6-7049-4aea-aece-76e15f16ff70","num":86944,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-5-2-released/","title":"GitLab Patch Release: 18.5.2, 18.4.4, 18.3.6","summary":"On November 12, 2025, we released versions 18.5.2, 18.4.4, 18.3.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity Cross-site scripting issue in k8s proxy impacts GitLab CE/EE High Incorrect Authorization issue in workflows impacts GitLab EE Medium Information Disclosure issue in GraphQL subscriptions impacts GitLab CE/EE Medium Information Disclosure issue in access control impacts GitLab CE/EE Medium Pro","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-5-2-released/","severity":"critical","cvss":null,"cves":["CVE-2025-11224","CVE-2025-11865","CVE-2025-2615","CVE-2025-7000","CVE-2025-6945","CVE-2025-6171","CVE-2025-11990","CVE-2025-7736","CVE-2025-12983","CVE-2024-55549","CVE-2025-24855"],"exploited":false,"has_exploit":false,"published_at":"2025-11-12T00:00:00+00:00"},{"id":"a66fbbaa-e787-4e48-93f9-9a97c2e15f3f","num":86945,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-5-1-released/","title":"GitLab Patch Release: 18.5.1, 18.4.3, 18.3.5","summary":"On October 22, 2025, we released versions 18.5.1, 18.4.3, 18.3.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity Improper access control issue in runner API impacts GitLab EE High Denial of service issue in event collection impacts GitLab CE/EE High Denial of service issue in JSON validation impacts GitLab CE/EE High Denial of service issue in upload impacts GitLab CE/EE Medium Incorrect Authorization iss","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-5-1-released/","severity":"critical","cvss":null,"cves":["CVE-2025-11702","CVE-2025-10497","CVE-2025-11447","CVE-2025-11974","CVE-2025-11971","CVE-2025-6601","CVE-2025-11989"],"exploited":false,"has_exploit":false,"published_at":"2025-10-22T00:00:00+00:00"},{"id":"f4f4205e-f0ab-4b9c-b4d1-8665871e7b65","num":86946,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-4-2-released/","title":"GitLab Patch Release: 18.4.2, 18.3.4, 18.2.8","summary":"On October 8, 2025, we released versions 18.4.2, 18.3.4, 18.2.8 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity Incorrect authorization issue in GraphQL mutations impacts GitLab EE High Denial of Service issue in GraphQL blob type impacts GitLab CE/EE High Missing authorization issue in manual jobs impacts GitLab CE/EE Medium Denial of Service issue in webhook endpoints impacts GitLab CE/EE Medium CVE-202","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-4-2-released/","severity":"critical","cvss":null,"cves":["CVE-2025-11340","CVE-2025-10004","CVE-2025-9825","CVE-2025-2934"],"exploited":false,"has_exploit":false,"published_at":"2025-10-08T00:00:00+00:00"},{"id":"b44098b9-8e2e-4434-926e-7ec7f9bc35b8","num":86947,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-4-1-released/","title":"GitLab Patch Release: 18.4.1, 18.3.3, 18.2.7","summary":"On September 25, 2025, we released versions 18.4.1, 18.3.3, 18.2.7 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity Cross-site scripting issue impacts GitLab CE/EE High Denial of Service issue when uploading specifically crafted JSON files impacts GitLab CE/EE High Denial of Service issue bypassing query complexity limits impacts GitLab CE/EE High Information disclosure issue in virtual registery configura","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-4-1-released/","severity":"critical","cvss":null,"cves":["CVE-2025-9642","CVE-2025-10858","CVE-2025-8014","CVE-2025-9958","CVE-2025-7691","CVE-2025-11042","CVE-2025-10871","CVE-2025-10867","CVE-2025-5069","CVE-2025-10868","CVE-2025-8713","CVE-2025-8714","CVE-2025-8715"],"exploited":false,"has_exploit":false,"published_at":"2025-09-25T00:00:00+00:00"},{"id":"4b4ebf6d-26d4-4d2c-b813-2dfe02e506df","num":86948,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-3-2-released/","title":"GitLab Patch Release: 18.3.2, 18.2.6, 18.1.6","summary":"On September 10, 2025, we released versions 18.3.2, 18.2.6, 18.1.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity Denial of Service issue in SAML Responses impacts GitLab CE/EE High Server-Side Request Forgery issue in Webhook custom header impacts GitLab CE/EE High Denial of Service issue in User-Controllable Fields impacts GitLab CE/EE Medium Denial of Service issue in endpoint file upload impacts GitL","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-3-2-released/","severity":"critical","cvss":null,"cves":["CVE-2025-2256","CVE-2025-6454","CVE-2025-1250","CVE-2025-7337","CVE-2025-10094","CVE-2025-6769"],"exploited":false,"has_exploit":false,"published_at":"2025-09-10T00:00:00+00:00"},{"id":"c5752e10-3b15-4f5d-a679-b52fece20922","num":86949,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-3-1-released/","title":"GitLab Patch Release: 18.3.1, 18.2.5, 18.1.5","summary":"On August 27, 2025, we released versions 18.3.1, 18.2.5, 18.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity Allocation of Resources Without Limits issue in import function impacts GitLab CE/EE Medium Missing authentication issue in GraphQL endpoint impacts GitLab CE/EE Medium Allocation of Resources Without Limits issue in GraphQL impacts GitLab CE/EE Medium Code injection issue in GitLab repositories","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-3-1-released/","severity":"critical","cvss":null,"cves":["CVE-2025-3601","CVE-2025-2246","CVE-2025-4225","CVE-2025-5101"],"exploited":false,"has_exploit":false,"published_at":"2025-08-27T00:00:00+00:00"},{"id":"62f397e3-aabc-4a01-b645-b9cdd205d84d","num":86950,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-2-4-released/","title":"GitLab Patch Release: 18.2.4","summary":"On August 18, 2025, we released versions 18.2.4 for GitLab Community Edition and Enterprise Edition. These versions resolve a number of regressions and bugs. This patch release does not include any security fixes. GitLab Community Edition and Enterprise Edition 18.2.4 Build with Go 1.24.5 Update golang-fips/go Update gitlab-shell to v14.44.0 Backport “Use projectRootPath to compose breadcrumb links” Backport “Add custom encoding for repository path for commit data” Backport ‘Fixes reviewer drawer not opening when installed under relative URL’ Backport-Invalid search request resets the project/group selections in sidebar Backport ‘Update gitlab-chart digest to 9d9e150’ Exclude deleted projects from job token authorization logs graphql and csv export service backport to 18.2 Backport ‘Add job and script to update backport MR label after deployment’ Backport of “Fix undefined method markdown_placeholders_feature_flag_enabled? for a ProjectNamespace” Backport of ‘fix missing ref attribute’ Important notes on upgrading This version does not include any new migrations, and for multi-node deployments, should not require any downtime . Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure file, which is only used for updates . Updating To update, check out our update page . Note: GitLab releases have skipped 18.2.3. There is no patch with that version number. GitLab subscriptions Access to GitLab Premium and Ultimate features is granted by a paid subscription . Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-2-4-released/","severity":"unknown","cvss":null,"cves":[],"exploited":false,"has_exploit":false,"published_at":"2025-08-18T00:00:00+00:00"},{"id":"d09f839f-8880-458b-92fe-6ddff88db011","num":86951,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-11-7-released/","title":"GitLab Patch Release: 17.11.7","summary":"On August 15, 2025, we released version 17.11.7 for GitLab Community Edition and Enterprise Edition. These versions resolve a number of regressions and bugs. This patch release does not include any security fixes. GitLab Community Edition and Enterprise Edition 17.11.7 Backport ‘Replace test-on-gdk with test-on-cng in backport mr pipelines’ Quarantine failing DORA Metrics dashboard tests (target single context) Backport of “Ensure docs hugo_build CI job uses docs-gitlab-com stable branches” Backport of ‘Make sure cache is clear to prevent failure during upgrade from 17.11’ Update dependency container-registry to v4.19.2-gitlab Important notes on upgrading This version does not include any new migrations, and for multi-node deployments, should not require any downtime . Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure file, which is only used for updates . Updating To update, check out our update page . GitLab subscriptions Access to GitLab Premium and Ultimate features is granted by a paid subscription . Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-11-7-released/","severity":"unknown","cvss":null,"cves":[],"exploited":false,"has_exploit":false,"published_at":"2025-08-15T00:00:00+00:00"},{"id":"c5704576-69a9-454d-a8c6-164168e2e529","num":86952,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-2-2-released/","title":"GitLab Patch Release: 18.2.2, 18.1.4, 18.0.6","summary":"On August 13, 2025, we released versions 18.2.2, 18.1.4, 18.0.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity Cross-site scripting issue in blob viewer impacts GitLab CE/EE High Cross-site scripting issue in labels impacts GitLab CE/EE High Cross-site scripting issue in Workitem impacts GitLab CE/EE High Improper Handling of Permissions issue in project API impacts GitLab CE/EE High Incorrect Privilege","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-2-2-released/","severity":"critical","cvss":null,"cves":["CVE-2025-7734","CVE-2025-7739","CVE-2025-6186","CVE-2025-8094","CVE-2024-12303","CVE-2025-2614","CVE-2024-10219","CVE-2025-8770","CVE-2025-2937","CVE-2025-1477","CVE-2025-5819","CVE-2025-2498"],"exploited":false,"has_exploit":false,"published_at":"2025-08-13T00:00:00+00:00"},{"id":"7507c161-ec08-41bc-a039-f66a0e270919","num":86953,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-2-1-released/","title":"GitLab Patch Release: 18.2.1, 18.1.3, 18.0.5","summary":"On July 23, 2025, we released versions 18.2.1, 18.1.3, 18.0.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity Cross-site scripting (XSS) impacts k8s proxy in GitLab CE/EE High Cross-site scripting (XSS) impacts k8s proxy in GitLab CE/EE using CDNs High Exposure of Sensitive Information to an Unauthorized Actor issue impacts GitLab CE/EE Medium Improper Access Control issue impacts GitLab EE Medium Exposur","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-2-1-released/","severity":"critical","cvss":null,"cves":["CVE-2025-4700","CVE-2025-4439","CVE-2025-7001","CVE-2025-4976","CVE-2025-0765","CVE-2025-1299"],"exploited":false,"has_exploit":false,"published_at":"2025-07-23T00:00:00+00:00"},{"id":"6f195b66-2e3c-4f84-a3e7-b96cd96992f4","num":86954,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-1-2-released/","title":"GitLab Patch Release: 18.1.2, 18.0.4, 17.11.6","summary":"On July 9, 2025, we released versions 18.1.2, 18.0.4, 17.11.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity Cross-site scripting issue impacts GitLab CE/EE High Incorrect authorization issue impacts GitLab CE/EE Medium Incorrect authorization issue impacts GitLab EE Low Incorrect authorization issue impacts GitLab EE Low CVE-2025-6948 - Cross-site scripting issue impacts GitLab CE/EE GitLab has remediat","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-1-2-released/","severity":"critical","cvss":null,"cves":["CVE-2025-6948","CVE-2025-3396","CVE-2025-4972","CVE-2025-6168","CVE-2024-12084","CVE-2024-12088"],"exploited":false,"has_exploit":false,"published_at":"2025-07-09T00:00:00+00:00"},{"id":"42e3d25b-b83e-46db-9a3c-4de441e1785c","num":86955,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-1-1-released/","title":"GitLab Patch Release: 18.1.1, 18.0.3, 17.11.5","summary":"On June 25, 2025, we released versions 18.1.1, 18.0.3, 17.11.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity Denial of Service impacts GitLab CE/EE Medium Missing Authentication issue impacts GitLab CE/EE Medium Improper access control issue impacts GitLab CE/EE Medium Elevation of Privilege impacts GitLab CE/EE Low Improper access control issue impacts GitLab EE Low CVE-2025-3279 - Denial of Service im","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-1-1-released/","severity":"critical","cvss":null,"cves":["CVE-2025-3279","CVE-2025-1754","CVE-2025-5315","CVE-2025-2938","CVE-2025-5846"],"exploited":false,"has_exploit":false,"published_at":"2025-06-25T00:00:00+00:00"},{"id":"b7c1652b-e5e5-44cd-a147-1fd61269ec95","num":86956,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-0-2-released/","title":"GitLab Patch Release: 18.0.2, 17.11.4, 17.10.8","summary":"On June 11, 2025, we released versions 18.0.2, 17.11.4, 17.10.8 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook page and security FAQ . You can see all of GitLab’s release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected. Security fixes Table of security fixes Title Severity HTML injection impacts GitLab CE/EE High Cross-site scripting issue impacts GitLab CE/EE High Missing authorization issue impacts GitLab Ultimate EE High Denial of Service impacts GitLab CE/EE High Denial of Service via unbounded Webhook token names impacts GitLab CE/EE Medium Denial of S","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-0-2-released/","severity":"critical","cvss":null,"cves":["CVE-2025-4278","CVE-2025-2254","CVE-2025-5121","CVE-2025-0673","CVE-2025-1516","CVE-2025-1478","CVE-2024-9512","CVE-2025-5996","CVE-2025-5195","CVE-2025-5982"],"exploited":false,"has_exploit":false,"published_at":"2025-06-11T00:00:00+00:00"},{"id":"0f333020-e6f4-47ef-84cb-63619d8eeb73","num":86957,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-0-1-released/","title":"GitLab Patch Release: 18.0.1, 17.11.3, 17.10.7","summary":"On May 21, 2025, we released versions 18.0.1, 17.11.3, 17.10.7 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected. Security fixes Table of security fixes Title Severity Unprotected large blob endpoint in GitLab allows Denial of Service High Improper XPath validation allows modified SAML response to bypass 2FA requirement Medium A Discord webhook integration may cause DoS Medium Unbounded Kubernetes cluster tokens may lead to DoS Medium Unvalidated note","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-0-1-released/","severity":"critical","cvss":null,"cves":["CVE-2025-0993","CVE-2024-12093","CVE-2024-7803","CVE-2025-3111","CVE-2025-2853","CVE-2025-4979","CVE-2025-0605","CVE-2025-0679","CVE-2024-9163","CVE-2025-1110"],"exploited":false,"has_exploit":false,"published_at":"2025-05-21T00:00:00+00:00"},{"id":"40f9859b-4704-412a-b850-23fa03c76be0","num":86958,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-11-2-released/","title":"GitLab Patch Release: 17.11.2, 17.10.6, 17.9.8","summary":"On May 7, 2025, we released versions 17.11.2, 17.10.6, 17.9.8 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected. Security fixes Table of security fixes Title Severity Partial Bypass for Device OAuth flow using Cross Window Forgery Medium Denial of service by abusing Github import API Medium Group IP restriction bypass allows disclosing issue title of restricted project Medium Partial Bypass for Device OAuth flow using Cross Window Forgery An issue has","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-11-2-released/","severity":"critical","cvss":null,"cves":["CVE-2025-0549","CVE-2024-8973","CVE-2025-1278"],"exploited":false,"has_exploit":false,"published_at":"2025-05-07T00:00:00+00:00"},{"id":"2b07ebea-1d61-43c7-a7c2-f68c0d1d5edf","num":86959,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-11-1-released/","title":"GitLab Patch Release: 17.11.1, 17.10.5, 17.9.7","summary":"On April 23, 2025, we released versions 17.11.1, 17.10.5, 17.9.7 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected. Security fixes Table of security fixes Title Severity Cross Site Scripting (XSS) in Maven Dependency Proxy through CSP directives High Cross Site Scripting (XSS) in Maven dependency proxy through cache headers High Network Error Logging (NEL) Header Injection in Maven Dependency Proxy Allows Browser Activity Monitoring High Denial of ser","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-11-1-released/","severity":"critical","cvss":null,"cves":["CVE-2025-1763","CVE-2025-2443","CVE-2025-1908","CVE-2025-0639","CVE-2024-12244"],"exploited":false,"has_exploit":false,"published_at":"2025-04-23T00:00:00+00:00"},{"id":"124bccbb-5627-4a94-ac4a-92dd653fe936","num":86960,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-10-4-released/","title":"GitLab Patch Release: 17.10.4, 17.9.6, 17.8.7","summary":"On April 9, 2025, we released versions 17.10.4, 17.9.6, 17.8.7 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected. Security fixes Table of security fixes Title Severity Denial of service via CI pipelines Medium Unintentionally authorizing sensitive actions on users behalf Medium IP Restriction Bypass through GraphQL Subscription Medium Unauthorized users can list the number of confidential issues Medium Debugging Information Disclosed Low Denial of ser","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-10-4-released/","severity":"critical","cvss":null,"cves":["CVE-2025-1677","CVE-2025-0362","CVE-2025-2408","CVE-2024-11129","CVE-2025-2469"],"exploited":false,"has_exploit":false,"published_at":"2025-04-09T00:00:00+00:00"},{"id":"69376549-1fec-4a1d-b66c-f241aa6d7369","num":86961,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-10-3-released/","title":"GitLab Patch Release: 17.10.3","summary":"On April 2, 2025, we released versions 17.10.3 for GitLab Community Edition and Enterprise Edition. These versions resolve a number of regressions and bugs. This patch release does not include any security fixes. GitLab Community Edition and Enterprise Edition 17.10.3 CI: Use gcr mirror in DinD (17.10 Backport) No-op ci_runner_machines_687967fa8a batched migrations - 17.10 backport Ensure runner taggings are copied from taggings Fix free push limit on non-saas Backport fix in libarchive for CI CI: Use gcr mirror for DinD (17.10 Backport) [17.10 Backport] Check packages does not have .dind job in scope Important notes on upgrading This version includes new post deployment migrations, and for multi-node deployments, should not require any downtime . Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure file, which is only used for updates . Updating To update, check out our update page . Note: GitLab releases have skipped 17.10.2. There is no patch with that version number. GitLab subscriptions Access to GitLab Premium and Ultimate features is granted by a paid subscription . Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-10-3-released/","severity":"unknown","cvss":null,"cves":[],"exploited":false,"has_exploit":false,"published_at":"2025-04-02T00:00:00+00:00"},{"id":"40fa9f6a-075f-4ad2-999c-3eb93b8aab6b","num":86962,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-9-5-released/","title":"GitLab Patch Release: 17.9.5","summary":"On April 2, 2025, we released versions 17.9.5 for GitLab Community Edition and Enterprise Edition. These versions resolve a number of regressions and bugs. This patch release does not include any security fixes. GitLab Community Edition and Enterprise Edition 17.9.5 CI: Use gcr mirror in DinD (17.9 Backport) No-op ci_runner_machines_687967fa8a batched migrations - 17.9 backport Ensure runner taggings are copied from taggings Backport fix in libarchive for CI CI: Use gcr mirror for DinD (17.9 Backport) Important notes on upgrading This version includes new post deployment migrations, and for multi-node deployments, should not require any downtime . Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure file, which is only used for updates . Updating To update, check out our update page . Note: GitLab releases have skipped 17.9.4. There is no patch with that version number. GitLab subscriptions Access to GitLab Premium and Ultimate features is granted by a paid subscription . Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-9-5-released/","severity":"unknown","cvss":null,"cves":[],"exploited":false,"has_exploit":false,"published_at":"2025-04-02T00:00:00+00:00"},{"id":"42eac283-0fbf-4262-bf0c-9be2d22a0a27","num":86963,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-10-1-released/","title":"GitLab Patch Release: 17.10.1, 17.9.3, 17.8.6","summary":"On March 26, 2025, we released versions 17.10.1, 17.9.3, 17.8.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected. Security fixes Table of security fixes Title Severity Cross-site Scripting (XSS) through merge-request error messages High Cross-site Scripting (XSS) through improper rendering of certain file types High Admin Privileges Persists After Role is Revoked High External user can access internal projects Medium Prompt injection in Amazon Q inte","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-10-1-released/","severity":"critical","cvss":null,"cves":["CVE-2025-2255","CVE-2025-0811","CVE-2025-2242","CVE-2024-12619","CVE-2024-10307","CVE-2024-9773"],"exploited":false,"has_exploit":false,"published_at":"2025-03-26T00:00:00+00:00"},{"id":"ffdea8ea-306b-4879-a969-1cd98a901807","num":86964,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-9-2-released/","title":"GitLab Critical Patch Release: 17.9.2, 17.8.5, 17.7.7","summary":"On March 12, 2025, we released versions 17.9.2, 17.8.5, 17.7.7 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action and will be notified once their instance has been patched. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected. Security fixes Table of security fixes Title Severity CVE-2025-25291 and CVE-2025-25292 (third party gem ruby-saml ) Critical CVE-2025-27407 (third party gem graphql ) High Denial of Service Due to Inefficient Processing of Untrusted Input Medium Credentials disclosed when repositor","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-9-2-released/","severity":"critical","cvss":null,"cves":["CVE-2025-25291","CVE-2025-25292","CVE-2025-27407","CVE-2024-13054","CVE-2024-12380","CVE-2025-1257","CVE-2025-0652","CVE-2024-8402","CVE-2024-7296"],"exploited":false,"has_exploit":false,"published_at":"2025-03-12T00:00:00+00:00"},{"id":"79386579-6006-4622-9b01-19ba5d44df84","num":86965,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-9-1-released/","title":"GitLab Patch Release: 17.9.1, 17.8.4, 17.7.6","summary":"On February 26, 2025, we released versions 17.9.1, 17.8.4, 17.7.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected. Security fixes Table of security fixes Title Severity XSS in k8s proxy endpoint High XSS Maven Dependency Proxy High HTML injection leads to XSS on self hosted instances Medium Improper Authorisation Check Allows Guest User to Read Security Policy Medium Planner role can read code review analytics in Private Projects Medium XSS in k8s p","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-9-1-released/","severity":"critical","cvss":null,"cves":["CVE-2025-0475","CVE-2025-0555","CVE-2024-8186","CVE-2024-10925","CVE-2025-0307"],"exploited":false,"has_exploit":false,"published_at":"2025-02-26T00:00:00+00:00"},{"id":"426fd627-2dd1-405b-95e7-0aa7b4d4d520","num":86966,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-8-2-released/","title":"GitLab Patch Release: 17.8.2, 17.7.4, 17.6.5","summary":"On February 12, 2025, we released versions 17.8.2, 17.7.4, 17.6.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected. Security fixes Table of security fixes Title Severity A CSP-bypass XSS in merge-request page High Denial of Service due to Unbounded Symbol Creation Medium Exfiltrate content from private issues using Prompt Injection Medium Internal HTTP header leak via route confusion in workhorse Medium SSRF via workspaces Medium Unauthorized Inciden","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-8-2-released/","severity":"critical","cvss":null,"cves":["CVE-2025-0376","CVE-2024-12379","CVE-2024-3303","CVE-2025-1212","CVE-2024-9870","CVE-2025-0516","CVE-2025-1198","CVE-2025-1042","CVE-2025-1540"],"exploited":false,"has_exploit":false,"published_at":"2025-02-12T00:00:00+00:00"},{"id":"74a9a5c1-fabe-4790-908a-8518bcbf9e69","num":86967,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-8-1-released/","title":"GitLab Patch Release: 17.8.1, 17.7.3, 17.6.4","summary":"On January 22, 2025, we released versions 17.8.1, 17.7.3, 17.6.4 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected. Security fixes Table of security fixes Title Severity Stored XSS via Asciidoctor render High Developer could exfiltrate protected CI/CD variables via CI lint Medium Cyclic reference of epics leads resource exhaustion Medium Stored XSS via Asciidoctor render An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 bef","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-8-1-released/","severity":"critical","cvss":null,"cves":["CVE-2025-0314","CVE-2024-11931","CVE-2024-6324"],"exploited":false,"has_exploit":false,"published_at":"2025-01-22T00:00:00+00:00"},{"id":"637d978f-4938-45b1-b42a-ab892a8f7852","num":86968,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-7-2-released/","title":"GitLab Patch Release: 17.7.2","summary":"On January 15, 2025, we released versions 17.7.2 for GitLab Community Edition and Enterprise Edition. These versions resolve a number of regressions and bugs. This patch release does not include any security fixes. GitLab Community Edition and Enterprise Edition 17.7.2 Merge branch ‘azcopy-url-20250108’ into ‘17-7-stable’ Fixes issue where some merge request diffs with associated comments were not visible. This does not correct the display issue for existing records, but does prevent new instances of this occurrence. Remove download_code dependency from access to read merge requests Fix handling of short gzip metadata files Important notes on upgrading If you had previously upgraded to GitLab 17.7.0 or 17.7.1 this patch is recommended to prevent any further occurrences of merge request comments being unable to be displayed. A future release will correct the display issue for affected records. This version does not include any new migrations, and for multi-node deployments, should not require any downtime . Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure file, which is only used for updates . Updating To update, check out our update page . GitLab subscriptions Access to GitLab Premium and Ultimate features is granted by a paid subscription . Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure. We’re combining patch and security releases This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here .","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-7-2-released/","severity":"unknown","cvss":null,"cves":[],"exploited":false,"has_exploit":false,"published_at":"2025-01-15T00:00:00+00:00"},{"id":"78b08068-3cab-4769-8b1c-b880f643fdfe","num":86969,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-7-1-released/","title":"GitLab Patch Release: 17.7.1, 17.6.3, 17.5.5","summary":"On January 8, 2025, we released versions 17.7.1, 17.6.3, 17.5.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Changes to Imports GitLab released a new user contribution and membership mapping feature for GitLab importers, including Direct Transfer, GitHub, Bitbucket Server, and Gitea importers. This feature is available by default from GitLab 17.7.1. More information on the feature and availability can be found in a blog post and in the documentation here . Why GitLab changed its importer functionality Vulnerabilities ( CVE-2024-5655 , CVE-2024-6385 , CVE-2024-6678 , CVE-2024-8970 ) affecting import functionality were discovered through our HackerOne bug bounty program. To address these vulnerabilities and further enhance security, GitLab redesigned the","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-7-1-released/","severity":"critical","cvss":null,"cves":["CVE-2024-5655","CVE-2024-6385","CVE-2024-6678","CVE-2024-8970","CVE-2025-0194","CVE-2024-6324","CVE-2024-12431","CVE-2024-13041"],"exploited":false,"has_exploit":false,"published_at":"2025-01-08T00:00:00+00:00"},{"id":"48942535-4820-410d-aa84-97add4623584","num":86970,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-6-2-released/","title":"GitLab Patch Release: 17.6.2, 17.5.4, 17.4.6","summary":"On December 11, 2024, we released versions 17.6.2, 17.5.4, 17.4.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected. Security fixes Table of security fixes Title Severity Injection of Network Error Logging (NEL) headers in kubernetes proxy response could lead to account takeover abusing OAuth flows High Denial of Service by repeatedly sending unauthenticated requests for diff-files High CI_JOB_TOKEN could be used to obtain GitLab session Medium Open r","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-6-2-released/","severity":"critical","cvss":null,"cves":["CVE-2024-11274","CVE-2024-8233","CVE-2024-12570","CVE-2024-9387","CVE-2024-8647","CVE-2024-8179","CVE-2024-8116","CVE-2024-8650","CVE-2024-9367","CVE-2024-12292","CVE-2024-10043","CVE-2024-9633"],"exploited":false,"has_exploit":false,"published_at":"2024-12-11T00:00:00+00:00"},{"id":"17bd7cfe-a97e-4e8a-a331-8c21066ca38d","num":86971,"source_id":"gitlab","external_id":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-6-1-released/","title":"GitLab Patch Release: 17.6.1, 17.5.3, 17.4.5","summary":"On November 26, 2024, we released versions 17.6.1, 17.5.3, 17.4.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action. GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ . You can see all of GitLab release blog posts here . For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible . When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected. Security fixes Table of security fixes Title Severity Privilege Escalation via LFS Tokens High DoS through uncontrolled resource consumption when viewing a maliciously crafted cargo.toml file. Medium Unintended access to Usage Data via Scoped Tokens Medium Gitlab DOS via Harbor registry integration Medium Resource exhaustion and denial","link":"https://docs.gitlab.com/releases/patches/patch-release-gitlab-17-6-1-released/","severity":"critical","cvss":null,"cves":["CVE-2024-8114","CVE-2024-8237","CVE-2024-11669","CVE-2024-8177","CVE-2024-11828","CVE-2024-11668"],"exploited":false,"has_exploit":false,"published_at":"2024-11-26T00:00:00+00:00"}]}