GitLab Security Update Strengthens Defenses Against High-Severity CVE-2026-5173 and Eleven Additional Vulnerabilities


GitLab has announced a significant security update aimed at mitigating a range of vulnerabilities affecting both its Community Edition (CE) and Enterprise Edition (EE) platforms. This update addresses multiple flaws, including high-severity issues that could potentially disrupt services or allow unauthorized access to system functionalities.

The urgency of this update is particularly pronounced for organizations utilizing self-managed GitLab environments, where system administrators bear the responsibility for applying patches and ensuring robust security measures.

Importance of Timely Updates

Failure to implement this security update could expose systems to known threats, including the critical CVE-2026-5173 vulnerability. This patch not only enhances access controls but also reduces risks associated with denial-of-service (DoS) attacks, data exposure, and improper authorization checks. GitLab has strongly urged all affected users to upgrade to the latest versions without delay to safeguard their environments from potential exploitation.

Critical Vulnerabilities Addressed

The security update specifically targets a high-severity vulnerability identified as CVE-2026-5173, which affects WebSocket connections. This vulnerability could enable an authenticated attacker to bypass access controls and invoke unintended server-side methods. With a CVSS score of 8.5, it poses a serious risk to affected environments.

Discovered by GitLab team member Simon Tomlinson, this vulnerability impacts GitLab CE/EE versions from 16.9.6 prior to 18.8.9, version 18.9 before 18.9.5, and version 18.10 before 18.10.3. The latest security patch resolves this issue, along with several others.

Patch Releases and Affected Versions

The GitLab security update includes patched versions 18.10.3, 18.9.5, and 18.8.9. The official release statement emphasized the importance of these updates:

“Today, we are releasing versions 18.10.3, 18.9.5, and 18.8.9 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately.”

GitLab has confirmed that users of GitLab.com and GitLab Dedicated services are already protected and do not need to take any action.
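For administrators triaging a fleet of self-managed instances, the affected ranges and patched releases quoted above translate directly into a version check. The following is an added example, not GitLab's own tooling, and it encodes only the ranges stated in this article (16.9.6 up to but excluding 18.8.9, 18.9 before 18.9.5, 18.10 before 18.10.3); the version strings fed to it are constructed samples.

```python
"""Check whether a self-managed GitLab version falls inside the ranges the
advisory lists for CVE-2026-5173 and report the patched release to move to.
Added example; not GitLab's own code."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Ranges as stated in the advisory: (first affected, inclusive;
# first fixed, exclusive). The fixed version is the upgrade target.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((16, 9, 6), (18, 8, 9)),
    ((18, 9, 0), (18, 9, 5)),
    ((18, 10, 0), (18, 10, 3)),
]


def parse_version(text: str) -> Version:
    """Parse '18.9.4', '18.9.4-ee' or 'v18.9' into a 3-tuple of ints.
    Edition suffixes such as '-ee'/'-ce' are ignored; a missing patch is 0."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def fixed_version_for(version_text: str) -> Optional[str]:
    """Return the patched release this version should upgrade to, or None
    when the version lies outside every affected range (already fixed,
    older than the first affected release, or a newer minor line)."""
    v = parse_version(version_text)
    for low, fixed in AFFECTED_RANGES:
        if low <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def is_affected(version_text: str) -> bool:
    """True when the version is inside one of the advisory's ranges."""
    return fixed_version_for(version_text) is not None


if __name__ == "__main__":
    # Constructed sample inventory, e.g. collected from each node's
    # `gitlab-rake gitlab:env:info` output by an administrator.
    for host, ver in [("ci-a", "18.9.4-ee"), ("ci-b", "18.10.3"), ("legacy", "17.4.0")]:
        target = fixed_version_for(ver)
        print(f"{host}: {ver} -> " + (f"upgrade to {target}" if target else "not in affected range"))
```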

Twelve Vulnerabilities Addressed

This security update resolves a total of twelve vulnerabilities, ranging from high to low severity. In addition to CVE-2026-5173, several denial-of-service vulnerabilities were identified:

  • CVE-2026-1092: A DoS issue in the Terraform state lock API caused by improper JSON validation (CVSS 7.5).
  • CVE-2025-12664: A DoS vulnerability in the GraphQL API that could be triggered through repeated queries (CVSS 7.5).
  • CVE-2026-1403: A CSV import flaw allowing authenticated users to disrupt Sidekiq workers (CVSS 6.5).
  • CVE-2026-1101: A GraphQL SBOM API issue affecting GitLab EE, also enabling DoS attacks (CVSS 6.5).

In addition to these high-severity vulnerabilities, several medium-severity flaws were also patched:

  • CVE-2026-1516: A code injection issue in Code Quality reports that could expose user IP addresses (CVSS 5.7).
  • CVE-2026-4332: A cross-site scripting vulnerability in analytics dashboards (CVSS 5.4).
  • CVE-2026-2619: Incorrect authorization in the vulnerability flags AI detection API (CVSS 4.3).
  • CVE-2025-9484: Information disclosure via GraphQL queries (CVSS 4.3).
  • CVE-2026-1752: Improper access control in the Environments API (CVSS 4.3).
  • CVE-2026-2104: Information disclosure through CSV export (CVSS 4.3).

A low-severity issue, CVE-2026-4916, was also addressed, involving missing authorization checks in custom role permissions (CVSS 2.7). Many of these vulnerabilities were reported through GitLab’s HackerOne bug bounty program, showcasing contributions from various researchers.

Bug Fixes and Stability Improvements

Beyond security enhancements, the update also includes a wide array of bug fixes across all three versions. These improvements address issues such as failed Git operations for deploy keys on Geo sites, performance optimizations in migration helpers, and compatibility fixes for Amazon Linux 2023.

Other fixes include resolving flaky test cases, improving dependency proxy access, and addressing regressions in project archiving and deletion workflows. These updates aim to enhance overall platform stability alongside the security patch.

Upgrade Guidance and Deployment Notes

GitLab has emphasized that no new migrations are included in these releases, meaning multi-node deployments should not require downtime. However, by default, Omnibus packages will stop services, run migrations, and restart during upgrades unless the /etc/gitlab/skip-auto-reconfigure file is present to skip that automatic reconfigure.

The company also noted that certain package builds, such as SLES 12.5 for versions 18.10.3 and 18.9.5, are not included in this release. Additionally, GitLab confirmed that version numbers 18.10.2, 18.9.4, and 18.8.8 were skipped, with no patches issued under those versions.

For further details, visit the official update page. Source: thecyberexpress.com
