GitLab Patch Release: 18.1.1, 18.0.3, 17.11.5

Today, we are releasing versions 18.1.1, 18.0.3, 17.11.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.

GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.

For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.

Security fixes

Table of security fixes

Title	Severity
Denial of Service impacts GitLab CE/EE	Medium
Missing Authentication issue impacts GitLab CE/EE	Medium
Improper access control issue impacts GitLab CE/EE	Medium
Elevation of Privilege impacts GitLab CE/EE	Low
Improper access control issue impacts GitLab EE	Low

CVE-2025-3279 - Denial of Service impacts GitLab CE/EE

GitLab has remediated an issue that, under certain conditions, could have allowed authenticated attackers to create a DoS condition by sending crafted GraphQL requests.

Impacted Versions: GitLab CE/EE: all versions from 10.7 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1.
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.

CVE-2025-1754 - Missing Authentication issue impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed unauthenticated attackers to upload arbitrary files to public projects by sending crafted API requests, potentially leading to resource abuse and unauthorized content storage.

Impacted Versions: GitLab CE/EE: all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1.
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Thanks abdelrahman_maged for reporting this vulnerability through our HackerOne bug bounty program.

CVE-2025-5315 - Improper access control issue impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed authenticated users with Guest role permissions to add child items to incident work items by sending crafted API requests that bypassed UI-enforced role restrictions.

Impacted Versions: GitLab CE/EE: all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1.
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Thanks rhidayahh for reporting this vulnerability through our HackerOne bug bounty program.

CVE-2025-2938 - Elevation of Privilege impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed authenticated users to gain elevated project privileges by requesting access to projects where role modifications during the approval process resulted in unintended permission grants.

Impacted Versions: GitLab CE/EE: all versions from 17.3 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1.
CVSS: 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)

Thanks mateuszek for reporting this vulnerability through our HackerOne bug bounty program.

CVE-2025-5846 - Improper access control issue impacts GitLab EE

GitLab has remediated an issue that could have allowed authenticated users to assign unrelated compliance frameworks to projects by sending crafted GraphQL mutations that bypassed framework-specific permission checks.

Impacted Versions: GitLab EE: all versions from 16.10 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1
CVSS: 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)

This vulnerability was reported internally by a GitLab team member, Joern Schneeweisz.

Bug fixes

18.1.1

• (Backport to 18.1) fix: Don't unset IMAGE_TAG_EXT passed by gitlab-org/gitlab
• Backport: Drop ubi-assets-release CI job
• [backport] 18.1: Merge branch 'dj-exclude-stable-branch-coverage' into 'master'
• fix: Backport fix on git over ssh
• Check if Amazon Q should be enabled at project level

18.0.3

• [backport] Fix line number in zoekt response
• Restrict LFS file download to project-bound objects
• Backport "E2E test: account for Duo Core behaviour in code suggestion tests"
• Backport "E2E test: disable elasticsearch omnibus jobs"
• Backport "Fix Self Hosted Duo Beta features not being available" to 18.0
• Backport 'Move up release-environments stage in CI' to 18-0-stable-ee
• Projects::TransferService should be more reliable
• Merge branch 'jmc-549650' into 'master'
• backport 'tbulva-zoekt-flashing-no-results' into 18.0
• Merge branch 'tbulva-search-page-scope-fix' into 'master'
• Backport attribute_methods.rb
• Backport "Fix losing wiki comments on some wiki page slug changes"
• Backport to 18.0: Set glab version for release QA tests
• Backport vulnerability_namespace_historical_statistic fix to 18.0
• [backport] 18.0: Merge branch 'dj-exclude-stable-branch-coverage' into 'master'
• Support markdown anchors and multi-line in permalink
• fix: Backport fix on git over ssh
• Backport flaky logger test fix
• Revert "Merge branch 'backport-bugfix-restrict-LFS-download–18-0' into '18-0-stable-ee'"
• Merge branch 'dattang/build-internal-release-qa-image' into '18-0-stable-ee'

17.11.5

• Merge branch '350883-update-to-use-live-trace-application-setting' into '17-11-stable'
• Restrict LFS file download to project-bound objects
• Backport 'Move up release-environments stage in CI' to 17-11-stable-ee
• Merge branch 'jmc-549650' into '17-11-stable-ee'
• Backport 'Update Import::ValidateRemoteGitEndpoint Service'
• Backport to 17.11: Set glab version for release QA tests
• Backport vulnerability_namespace_historical_statistic fix to 17.11
• [backport] 17.11: Merge branch 'dj-exclude-stable-branch-coverage' into 'master'
• fix: Backport fix on git over ssh
• Revert "Merge branch 'backport-bugfix-restrict-LFS-download–17-11' into '17-11-stable-ee'"
• Merge branch 'dattang/build-internal-release-qa-image' into 'master'
• [Backport - 17.11.x] Removing postponed deprecation from omnibus

Updating

To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.

Receive Patch Notifications

To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.