Today, we are releasing versions 18.8.2, 18.7.2, 18.6.4 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
Recommended Action
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
Security fixes
Table of security fixes
CVE-2025-13927 - Denial of Service issue in Jira Connect integration impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to create a denial of service condition by sending crafted requests with malformed authentication data.
Impacted Versions: GitLab CE/EE: all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2025-13928 - Incorrect Authorization issue in Releases API impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to cause a denial of service condition by exploiting incorrect authorization validation in API endpoints.
Impacted Versions: GitLab CE/EE: all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2026-0723 - Unchecked Return Value issue in authentication services impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an individual with existing knowledge of a victim's credential ID to bypass two-factor authentication by submitting forged device responses.
Impacted Versions: GitLab CE/EE: all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2
CVSS 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
Thanks ahacker1 for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2025-13335 - Infinite Loop issue in Wiki redirects impacts GitLab CE/EE
GitLab has remediated an issue that under certain circumstances could have allowed an authenticated user to create a denial of service condition by configuring malformed Wiki documents that bypass cycle detection.
Impacted Versions: GitLab CE/EE: all versions from 17.1 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks sim4n6 for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2026-1102 - Denial of Service issue in API endpoint impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to create a denial of service condition by sending repeated malformed SSH authentication requests.
Impacted Versions: GitLab CE/EE: all versions from 12.3 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2
CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
This vulnerability has been discovered internally by GitLab team member Thiago Figueiró.
Bug fixes
18.8.2
- Backport of
Make external agent configurations GA - Backport Remove GitLab Dedicated support for semantic search until it's available
- Backport of '18.8.0: Merge Request reviewer dropdown crashes and does not send request'
- Backport of 'Pass user id to workflow service'
- Backport of rake task to seed AI Catalogs with external agents
- Backport of
Separate policy logic for AI Catalog Flows and Foundational Flows
18.7.2
- Backport of
Fix logic for fetching occurrences related to vulnerabilties - Backport of "Removes feature flag enablement for svc accounts"
- Backport of flaky import spec quarantine
- Backport 18.7 - Fix searchable dropdown race condition when typing fast
- Backport of
Recreate p_sent_notifications.reply_key index - Fix container_repositories index repair to handle 1-to-1 relationship
- [18.7] Fix migration health check endpoint
- Backport of 'Fix soft wrap not working due to accessibilitySupport conflict'
- Backport of 'Fix git push error for remote flows in self-managed instances'
- [Backport 18.7] Exclude Git LFS paths from Git HTTP throttling
- Backport of
Correct Code Review Flow history for beta - Backport of 'Fix Duo Chat button visibility for Amazon Q'
- Backport Allow user namespaces to be indexed in Zoekt for self-managed
- Backport of 'Disable Sidekiq retries for ClickHouse pipeline/build sync workers'
- Backport of 'Disable async_insert in build and pipeline sync operations'
- 18.7 - Remove manual from SLES-12.5-release-pulp job
18.6.4
- Backport of "Removes feature flag enablement for svc accounts"
- Backport of flaky import spec quarantine
- Backport 18.6 - Fix searchable dropdown race condition when typing fast
- Fix container_repositories index repair to handle 1-to-1 relationship
- Backport of 'Fix soft wrap not working due to accessibilitySupport conflict'
- Backport of 'Fix git push error for remote flows in self-managed instances'
- [Backport 18.6] Exclude Git LFS paths from Git HTTP throttling
- Backport-Allow user namespaces to be indexed in Zoekt for self-managed
- Backport of 'Disable Sidekiq retries for ClickHouse pipeline/build sync workers'
- Backport of 'Disable async_insert in build and pipeline sync operations'
- 18.6 - Remove manual from SLES-12.5-release-pulp job
- Start Pulp FIPS jobs after PC FIPS jobs - 18.6
- [CI] Fix the builder image tags for the check-packages jobs 18-6
Important notes on upgrading
This patch includes database migrations that may impact your upgrade process.
Impact on your installation:
- Single-node instances: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.
- Multi-node instances: With proper zero-downtime upgrade procedures, this patch can be applied without downtime.
Post-deploy migrations
The following versions include post-deploy migrations that can run after the upgrade:
- 18.7.2
To learn more about the impact of upgrades on your installation, see:
- Zero-downtime upgrades for multi-node deployments
- Standard upgrades for single-node installations
Updating
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
Receive Patch Notifications
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
We want to hear from you
Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.
Share your feedback