GitLab Patch Release: 18.11.3, 18.10.6, 18.9.7

"Critical vulnerabilities in GitLab's CI/CD pipeline exposed sensitive project data, prompting the release of emergency patches for versions 18.11.3, 18.10.6, and 18.9.7, which address authentication bypass and arbitrary code execution flaws in the GitLab Runner and API components."

GitLab has released emergency patches for versions 18.11.3, 18.10.6, and 18.9.7, addressing critical vulnerabilities in its CI/CD pipeline. These vulnerabilities exposed sensitive project data and allowed for authentication bypass and arbitrary code execution.

Overview

The patches fix multiple security issues, including Cross-site Scripting (XSS) vulnerabilities, Denial of Service (DoS) issues, and Improper Access Control problems. All GitLab CE/EE versions from 15.1 to 18.11.3 are affected.

Security Fixes

The security fixes include:

  • CVE-2026-7481: Cross-site Scripting issue in Analytics dashboard chart rendering
  • CVE-2026-5297: Cross-site Scripting issue in global search
  • CVE-2026-6073: Cross-site Scripting issue in Duo Agent output rendering
  • CVE-2026-7377: Cross-site Scripting issue in Analytics Dashboard
  • CVE-2026-1659: Denial of Service issue in CI/CD job update API
  • CVE-2025-14870: Denial of Service issue in Duo Workflows API
  • CVE-2025-14869: Denial of Service issue in internal API endpoints
  • CVE-2026-1322: Improper Authorization issue in GraphQL token scope enforcement
  • CVE-2026-1184: Denial of Service issue in Insights Configuration
  • CVE-2026-4524: Access Control issue in Issues API
  • CVE-2026-8280: Denial of Service issue in direct transfer CSV parser
  • CVE-2026-4527: CSRF issue in JiraConnect subscriptions
  • CVE-2026-3160: Confused Deputy issue in Jira integration
  • CVE-2026-6335: Cross-site Scripting issue in Banzai markdown sanitizer
  • CVE-2025-12669: Cross-site Scripting issue in achievement email notifications
  • CVE-2026-3607: Access Control issue in Helm package upload
  • CVE-2026-3074: Improper Access Control issue in NuGet Symbol Server
  • CVE-2026-1338: Improper Access Control issue in Container Registry protected tags
  • CVE-2026-6063: Improper Access Control issue in code owner approval rules
  • CVE-2026-3073: Access Control issue in PyPI Package Protection Rules
  • CVE-2025-13874: Improper Access Control issue in issue links API
  • CVE-2026-7471: Server-Side Request Forgery issue in virtual registry redirect handler
  • CVE-2026-2900: Access Control issue in GraphQL approval rule mutations
  • CVE-2026-6883: Missing Authorization issue in Security Policy Project Reassignment

Updating

To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page. It is highly recommended that all customers upgrade to the latest patch release for their supported version to maintain good security hygiene.
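Because the fix lands in a different patch number for each supported minor series (18.11.3, 18.10.6, 18.9.7), the first thing an administrator has to establish is which series an instance is on and whether its patch number is at or above the fixed one. The following script is an added example, not code from GitLab or from the advisory; it compares a version string against the three fixed releases named above and also accepts the JSON body returned by GitLab's `/api/v4/version` endpoint. The sample responses are constructed, and the treatment of minor releases newer than 18.11 (assumed to already contain the fixes) and of affected series older than 18.9 (assumed to receive no back-port) is an assumption documented in the code.

```python
"""Added example: check a GitLab instance's version against this patch release.

Not GitLab's own tooling. Fixed releases are taken from the advisory; the
handling of series outside the three patched ones is an assumption (see below).
"""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory, keyed by (major, minor) series.
PATCHED = {
    (18, 11): (18, 11, 3),
    (18, 10): (18, 10, 6),
    (18, 9): (18, 9, 7),
}

# Oldest affected minor series named in the advisory.
FIRST_AFFECTED = (15, 1)
NEWEST_PATCHED_SERIES = max(PATCHED)


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' with an optional leading 'v' and trailing
    edition suffix such as '-ee' or '-ce', as GitLab reports it."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version_text: str) -> Tuple[str, Optional[Version]]:
    """Classify a version relative to this patch release.

    Returns (status, fixed_version_for_this_series_or_None). Statuses:
      not-affected               older than the first affected series
      patched                    at or above the fixed release for its series
      vulnerable                 below the fixed release for its series
      affected-unpatched-series  in the affected range but outside the three
                                 series that received a back-port (assumption:
                                 no fix exists; upgrade to a supported series)
      newer-than-advisory        a minor series newer than 18.11 (assumption:
                                 later series already contain these fixes)
    """
    version = parse_version(version_text)
    series = version[:2]
    if series < FIRST_AFFECTED:
        return "not-affected", None
    fixed = PATCHED.get(series)
    if fixed is None:
        if series > NEWEST_PATCHED_SERIES:
            return "newer-than-advisory", None
        return "affected-unpatched-series", None
    if version >= fixed:
        return "patched", fixed
    return "vulnerable", fixed


def assess_api_response(body: str) -> Tuple[str, Optional[Version]]:
    """Assess the JSON body of GET /api/v4/version, which carries a
    'version' field such as '18.10.5-ee'."""
    data = json.loads(body)
    return assess(data["version"])


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real instance.
    samples = [
        '{"version": "18.10.5-ee", "revision": "0000000"}',
        '{"version": "18.11.3-ce", "revision": "0000000"}',
        '{"version": "18.8.2-ee", "revision": "0000000"}',
    ]
    for body in samples:
        status, fixed = assess_api_response(body)
        fixed_text = ".".join(map(str, fixed)) if fixed else "n/a"
        print(f"{json.loads(body)['version']:<14} {status:<26} fixed in: {fixed_text}")
```

Run against a live instance by feeding the body of `GET /api/v4/version` (it requires an authenticated token) into `assess_api_response`; anything other than `patched` or `not-affected` means the instance should be scheduled for upgrade to the fixed release of its series, or to a supported series if it is on an older one.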

GitLab has also included bug fixes in the patches, including performance optimizations and fixes for issues with milestone removal, groups dashboard, and security MR widgets.

In conclusion, the emergency patches released by GitLab address critical vulnerabilities that could have exposed sensitive project data and allowed for authentication bypass and arbitrary code execution. It is essential for users to update their GitLab installations to the latest patch release to ensure the security and integrity of their data.
