GitLab Patch Release: 18.6.1, 18.5.3, 18.4.5

Today, we are releasing versions 18.6.1, 18.5.3, 18.4.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.

GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.

For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.

Security fixes

Table of security fixes

Title	Severity
Race condition issue in CI/CD cache impacts GitLab CE/EE	High
Denial of Service issue in JSON input validation middleware impacts GitLab CE/EE	High
Authentication bypass issue in account registration impacts GitLab CE/EE	Medium
Denial of Service issue in HTTP response processing impacts GitLab CE/EE	Medium
Improper authorization issue in markdown rendering impacts GitLab EE	Medium
Information disclosure issue in terraform registry impacts GitLab CE/EE	Low

CVE-2024-9183 - Race condition issue in CI/CD cache impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an authenticated user to obtain credentials from higher-privileged users and perform actions in their context under specific conditions.

Impacted Versions: GitLab CE/EE: all versions from 18.4 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1
CVSS 7.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N)

Thanks ninjafit for reporting this vulnerability through our HackerOne bug bounty program

CVE-2025-12571 - Denial of Service issue in JSON input validation middleware impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an unauthenticated user to cause a Denial of Service condition by sending specifically crafted requests containing malicious JSON payloads.

Impacted Versions: GitLab CE/EE: all versions from 17.10 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program

CVE-2025-12653 - Authentication bypass issue in account registration impacts GitLab CE/EE

GitLab has remediated an issue that under specific conditions could have allowed an unauthenticated user to join arbitrary organizations by changing headers on some requests.

Impacted Versions: GitLab CE/EE: all versions from 18.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program

CVE-2025-7449 - Denial of Service issue in HTTP response processing impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an authenticated user with specific permissions to cause a denial of service condition through HTTP response processing.

Impacted Versions: GitLab CE/EE: all versions from 8.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program

CVE-2025-6195 - Improper authorization issue in markdown rendering impacts GitLab EE

GitLab has remediated an issue that could have allowed an authenticated user to view information from security reports under certain configuration conditions.

Impacted Versions: GitLab EE: all versions from 13.7 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Thanks mateuszek for reporting this vulnerability through our HackerOne bug bounty program

CVE-2025-13611 - Information disclosure issue in terraform registry impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an authenticated user with access to certain logs to obtain sensitive tokens under specific conditions.

Impacted Versions: GitLab CE/EE: all versions from 13.12 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1
CVSS 2.4 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N)

Bug fixes

18.6.1

• 18-6 stable Bump Container Registry to v4.31.1-gitlab
• Backport of 'Fix custom role approvers lookup for inherited users'
• [18.6] Fix /admin/sidekiq not loading CSS assets in Cloud Native GitLab
• Backport of 'Rollout search_glql_use_routing flag'
• Backport of 'Fix BackfillTimelogsNamespace finalization order'
• Backport 'Move OAuth suite to test-on-cng'
• Backport 'Fix commitsCount variable name'
• Backport 18-6 E2E test: quarantine long fast quarantined e2e tests
• Updating subscription tier for Security Analyst feature, bc it was incorrect
• Backport 'Fix merge request widget polling race condition'
• Sidekiq role: Enable rails recipies by default [18.6 Backport]
• [18.6] Add nginx['default_server_enabled'] configuration parameter
• Backport: EL10 requires SELinux and perl packages

18.5.3

• Backport Zoekt rollout is not working properly if there is a single zoekt node available
• Backport of 'Move support for license name to EE'
• Fix missing gitaly_context forward in BranchPushService
• Backport of 'Split refresh worker into new workers'
• Backport of Add FF to eagerly resume jobs
• Backport of 'Ensure project authorizations are updated on imported inheriting project memberships'
• E2E test: quarantine long time fast quarantined specs 18-5
• Backport of: Fix tags api first page pagination with search
• [Backport] Relax blobs complexity in favor of limiting data
• Backport of 'Fix: prevent duplicate '?' in Download directory URL (use '&' for extra params)'
• Backport of 'Update duo workflow service gem to 0.5'
• Backport of 'Fix custom role approvers lookup for inherited users'
• [18.5] Fix /admin/sidekiq not loading CSS assets in Cloud Native GitLab
• Backport of 'Support nested variables expention in rules:if' into 'master'
• Backport 18-5 E2E test: quarantine long fast quarantined e2e tests
• Backport 'Fix merge request widget polling race condition'
• Sidekiq role: Enable rails recipies by default [18.5 Backport]
• [18.5] Add nginx['default_server_enabled'] configuration parameter
• Backport 'fix-registry-commands-permission-for-non-docker' into '18-5-stable'

18.4.5

• Backport Zoekt rollout is not working properly if there is a single zoekt node available
• Backport of 'Move support for license name to EE'
• E2E test: quarantine long time fast quarantined specs 18-4
• Test: quarantine wiki specs 18-4
• Backport of: Fix tags api first page pagination with search
• [Backport] Relax blobs complexity in favor of limiting data
• [18.4] Fix /admin/sidekiq not loading CSS assets in Cloud Native GitLab
• Backport 18-4 E2E test: quarantine long fast quarantined e2e tests
• Bump eventmachine-tail gem to version 0.6.6
• Sidekiq role: Enable rails recipies by default [18.4 Backport]
• Backport 'fix-registry-commands-permission-for-non-docker' into '18-4-stable'

Important notes on upgrading

This patch includes database migrations that may impact your upgrade process.

Impact on your installation:

• Single-node instances: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.
• Multi-node instances: With proper zero-downtime upgrade procedures, this patch can be applied without downtime.

Post-deploy migrations

The following versions include post-deploy migrations that can run after the upgrade:

• 18.6.1

To learn more about the impact of upgrades on your installation, see:

• Zero-downtime upgrades for multi-node deployments
• Standard upgrades for single-node installations

Updating

To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.

Receive Patch Notifications

To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.