GitLab Patch Release: 18.8.4, 18.7.4, 18.6.6

Today, we are releasing versions 18.8.4, 18.7.4, 18.6.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.

GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.

For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.

Security fixes

Table of security fixes

Title	Severity
Incomplete Validation issue in Web IDE impacts GitLab CE/EE	High
Denial of Service issue in GraphQL introspection impacts GitLab CE/EE	High
Denial of Service issue in JSON validation middleware impacts GitLab CE/EE	High
Cross-site Scripting issue in Code Flow impacts GitLab CE/EE	High
HTML Injection issue in test case titles impacts GitLab CE/EE	High
Denial of Service issue in Markdown processor impacts GitLab CE/EE	Medium
Denial of Service issue in Markdown Preview impacts GitLab CE/EE	Medium
Denial of Service issue in dashboard impacts GitLab EE	Medium
Server-Side Request Forgery issue in Virtual Registry impacts GitLab EE	Medium
Improper Validation issue in diff parser impacts GitLab CE/EE	Medium
Server-Side Request Forgery issue in Git repository import impacts GitLab CE/EE	Medium
Authorization Bypass issue in iterations API impacts GitLab EE	Medium
Missing Authorization issue in GLQL API impacts GitLab CE/EE	Low
Stored HTML Injection issue in project label impacts GitLab CE/EE	Low
Authorization Bypass issue in Pipeline Schedules API impacts GitLab CE/EE	Low

CVE-2025-7659 - Incomplete Validation issue in Web IDE impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an unauthenticated user to steal tokens and access private repositories by abusing incomplete validation in the Web IDE.

Impacted Versions: GitLab CE/EE: all versions from 18.2 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)

Thanks cav0ur for reporting this vulnerability through our HackerOne bug bounty program

CVE-2025-8099 - Denial of Service issue in GraphQL introspection impacts GitLab CE/EE

GitLab has remediated an issue that, under certain conditions, could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries.

Impacted Versions: GitLab CE/EE: all versions from 10.8 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Thanks foxribeye for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-0958 - Denial of Service issue in JSON validation middleware impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an unauthenticated user to cause denial of service through memory or CPU exhaustion by bypassing JSON validation middleware limits.

Impacted Versions: GitLab CE/EE: all versions from 18.4 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Thanks elbo7 for reporting this vulnerability through our HackerOne bug bounty program

CVE-2025-14560 - Cross-site Scripting issue in Code Flow impacts GitLab CE/EE

GitLab has remediated an issue that, under certain conditions could have allowed an authenticated user to perform unauthorized actions on behalf of another user by injecting content into vulnerability code flow.

Impacted Versions: GitLab CE/EE: all versions from 17.1 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)

Thanks joaxcar and yvvdwf for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-0595 - HTML Injection issue in test case titles impacts GitLab CE/EE

GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to add unauthorized email addresses to user accounts through HTML injection in test case titles.

Impacted Versions: GitLab CE/EE: all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-1458 - Denial of Service issue in Markdown processor impacts GitLab CE/EE

GitLab has remediated an issue that, under certain conditions, could have allowed an unauthenticated user to cause denial of service by uploading specifically crafted files.

Impacted Versions: GitLab CE/EE: all versions from 8.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Thanks maksyche for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-1456 - Denial of Service issue in Markdown Preview impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an unauthenticated user to cause denial of service through CPU exhaustion by submitting specially crafted markdown files that trigger exponential processing in markdown preview.

Impacted Versions: GitLab CE/EE: all versions from 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Thanks maksyche for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-1387 - Denial of Service issue in dashboard impacts GitLab EE

GitLab has remediated an issue that could have allowed an authenticated user to cause denial of service by uploading a specially crafted file to the dashboard and repeatedly sending GraphQL queries to parse it.

Impacted Versions: GitLab EE: all versions from 15.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program

CVE-2025-12575 - Server-Side Request Forgery issue in Virtual Registry impacts GitLab EE

GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user with certain permissions to perform server-side request forgery against internal network services.

Impacted Versions: GitLab EE: all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

Thanks go7f0qho for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-1094 - Improper Validation issue in diff parser impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an authenticated developer to hide specially crafted file changes from the WebUI.

Impacted Versions: GitLab CE/EE: all versions from 18.8 before 18.8.4
CVSS 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

Thanks u3mur4 for reporting this vulnerability through our HackerOne bug bounty program

CVE-2025-12073 - Server-Side Request Forgery issue in Git repository import impacts GitLab CE/EE

GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to perform server-side request forgery against internal services by bypassing protections in the Git repository import functionality.

Impacted Versions: GitLab CE/EE: all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Thanks yunus0x for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-1080 - Authorization Bypass issue in iterations API impacts GitLab EE

GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to access iteration data from private descendant groups by querying the iterations API endpoint.

Impacted Versions: GitLab EE: all versions from 16.7 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program

CVE-2025-14592 - Missing Authorization issue in GLQL API impacts GitLab CE/EE

GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to perform unauthorized operations by submitting GraphQL mutations through the GLQL API endpoint.

Impacted Versions: GitLab CE/EE: all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-1282 - Stored HTML Injection issue in project label impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an authenticated user to inject content into project labels titles.

Impacted Versions: GitLab CE/EE: all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)

Thanks rafabd1 for reporting this vulnerability through our HackerOne bug bounty program

CVE-2025-14594 - Authorization Bypass issue in Pipeline Schedules API impacts GitLab CE/EE

GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to view certain pipeline values by querying the API.

Impacted Versions: GitLab CE/EE: all versions from 17.11 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Thanks sndd for reporting this vulnerability through our HackerOne bug bounty program

Bug fixes

18.8.4

• Backport dependency update golang/go to v1.24.12
• Backport of Fix project state getting out of sync when deletion fails
• Backport of 'Add migrations for missing merge_requests stage 2 indexes for bigint'
• Backport-Group/Global search should not show code tab if no zoekt nodes are available & advanced search is off
• [Backport 18.8] Exclude Git LFS paths from Git HTTP throttling
• Backport of Add REST endpoint for seeding external agents
• Backport of Update seeded third party flows descriptions
• Backport of Add seed external agents button to Admin > GitLab Duo
• Backport of 'Fix Duo Enterprise add-on check to use seat assignment instead of namespace membership'
• Backport of 'Add paidTierTrial to subscriptionUsage GraphQL API'
• [Backport] Add preflight checks to resume_indexing rake task
• Backport: DAP onboarding UX
• Backport of 'Add usage billing paid tier trial card'
• Backports 'Fixes duo chat visible if user does not have permission'
• Backport of 'Fix Zoekt indexing by cleaning up replicas without indices'
• Flip dap_onboarding_empty_states back off
• Disable credits page for SM in trial
• Backport of 'Update dependency gitlab-cloud-connector to 1.43.0'
• Backport Go 1.24.12 to 18-8-Stable
• [18.8] Backport Mattermost Security Updates January 15, 2026

18.7.4

• Backport of 'Fix: DAP enablement setting availability'
• 18.7 Backport of 'Fix PipelineSecurityReportFindings query timeout'
• [Backport] Add preflight checks to resume_indexing rake task
• [18.7] Backport Mattermost Security Updates January 15, 2026

18.6.6

• 18.6 Backport of 'Fix PipelineSecurityReportFindings query timeout'
• [Backport] Add preflight checks to resume_indexing rake task
• [18.6] Backport Mattermost Security Updates January 15, 2026

GitLab Ultimate trials updated to include GitLab Duo Agent Platform

GitLab.com Ultimate trials now include evaluation credits for GitLab Duo Agent Platform. On GitLab.com, signing up for an Ultimate trial provides 24 evaluation credits per user for 30 days to exercise agentic AI capabilities such as autonomous task execution and multi‑step workflow orchestration. Self-managed customers should update to GitLab 18.9 upon release to get the best trial experience. GitLab.com free tier namespaces can start an Ultimate trial today.

Start your free trial. Current paid customers can request evaluation credits through their account team and begin technical setup ahead of the 18.9 release contact Sales to learn more.

Important notes on upgrading

This patch includes database migrations that may impact your upgrade process.

Impact on your installation:

• Single-node instances: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.
• Multi-node instances: With proper zero-downtime upgrade procedures, this patch can be applied without downtime.

Post-deploy migrations

The following versions include post-deploy migrations that can run after the upgrade:

• 18.8.4

To learn more about the impact of upgrades on your installation, see:

• Zero-downtime upgrades for multi-node deployments
• Standard upgrades for single-node installations

Updating

To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.

Receive Patch Notifications

To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.