Today, we are releasing versions 18.9.1, 18.8.5, 18.7.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
Recommended Action
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
Security fixes
Table of security fixes
CVE-2026-0752 - Cross-site Scripting issue in Mermaid sandbox impacts GitLab CE/EE
GitLab has remediated an issue that under certain circumstances, could have allowed an unauthenticated user to inject arbitrary scripts into the Mermaid sandbox UI.
Impacted Versions: GitLab CE/EE: all versions from 16.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
CVSS 8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)
Thanks aphantom for reporting this vulnerability through our HackerOne bug bounty program
CVE-2025-14511 - Denial of Service issue in container registry impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to cause denial of service by sending specially crafted files to the container registry event endpoint under certain conditions.
Impacted Versions: GitLab CE/EE: all versions from 12.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-1662 - Denial of Service issue in Jira events endpoint impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to cause Denial of Service by sending specially crafted requests to the Jira events endpoint.
Impacted Versions: GitLab CE/EE: all versions from 14.4 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-1388 - Regular Expression Denial of Service issue in GitLab merge requests impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to cause regular expression denial of service by sending specially crafted input to a merge request endpoint under certain conditions.
Impacted Versions: GitLab CE/EE: all versions from 9.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks sim4n6 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-2845 - Missing rate limit in Bitbucket Server importer impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user to cause denial of service by exploiting a Bitbucket Server import endpoint via repeatedly sending large responses.
Impacted Versions: GitLab CE/EE: all versions from 11.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
This vulnerability has been discovered internally by GitLab team member Sam Word
CVE-2025-3525 - Denial of Service issue in CI trigger API impacts GitLab CE/EE
GitLab has remediated an issue that could have, under certain circumstances, allowed an authenticated user with certain access to cause denial of service by creating specially crafted CI triggers via the API.
Impacted Versions: GitLab CE/EE: all versions from 9.0 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-1725 - Denial of Service issue in token decoder impacts GitLab CE/EE
GitLab has remediated an issue that could have under certain conditions, allowed an unauthenticated user to cause denial of service by sending specially crafted requests to a CI jobs API endpoint.
Impacted Versions: GitLab CE/EE: versions from 18.9 before 18.9.1
CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Thanks vinax for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-1747 - Improper Access Control issue in Conan package registry impacts GitLab EE
GitLab has remediated an issue that, under certain conditions, could have allowed Developer-role users with insufficient privileges to make unauthorized modifications to protected Conan packages.
Impacted Versions: GitLab EE: all versions from 17.11 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Thanks modhanami for reporting this vulnerability through our HackerOne bug bounty program
CVE-2025-14103 - Access Control issue in CI job mutation impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthorized user with Developer-role permissions to set pipeline variables for manually triggered jobs under certain conditions.
Impacted Versions: GitLab CE/EE: all versions from 17.7 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program
Bug fixes
18.9.1
- Backport of fix semantic code search for Premium plans
- Backport of "Implement usage of namespace AI data collection setting"
- Backport of AI data collection docs
- Backport of "Add exclude_types to the get_agent_flows query"
- Backport of "Bypass group membership lock for service accounts"
- Backport 18.9 - CI - Token used for release environments
- [Backport] Zoekt Fix the bug of includeForked
- Backport of Fix adding flows when member invites are disabled
- Backport of Fix workspace PAT creation with short PAT lifetime
- Backport of Remove API dependency on composite identity onboarding
18.8.5
- Disable gitlab credits dashboard page for SM trial
- Backport: Workhorse: Ignore misconfigured redis for DWS locking
- Backport of skip rebase check for detailed merge status
- Backport of 'Time to first byte degradation on list merge requests API'
- Backport of Update gitlab-cloud-connector gem to 1.44
- Backport - Remove orphaned zoektCrossNamespaceSearch feature flag reference
- Move bot avatar assets to app/assets for proper asset pipeline inclusion
- Backport of 'Geo Primary Verification: Check actual verification state when checksumming'
- Backport of Fix introspection query
- Backport PG::UntranslatableCharacter fixes for MoveCiBuildsMetadata background migration
- Backport optimizing of the MergeRequestResetApprovals Worker
- Backport of 'Remove unused retag-gdk-image CI job'
- Backport of "Docs: Added support for Credits and DAP from 18.8 and later"
- Backport of 'Enable the disable_all_mentions FF by default '
- Backport of Validate milestone title for group import
- Backport of workhorse: Return 400 from /cable without valid websocket upgrade
- Skip Feature.enabled? override in test environment - 18.8
- [Backport] Zoekt Fix the bug of includeForked
- Backport of "Bypass group membership lock for service accounts"
- Backport of Fix adding flows when member invites are disabled
- Backport of Reset group_push_rules primary key sequence
- Backport of Fix workspace PAT creation with short PAT lifetime
- Backport Use new auth in advanced wiki search
18.7.5
- Backport of 'Fix Zoekt indexing by cleaning up replicas without indices'
- Backport of 'Time to first byte degradation on list merge requests API'
- Backport of Validate milestone title for group import
- Backport of 'Remove unused retag-gdk-image CI job'
- Backport of workhorse: Return 400 from /cable without valid websocket upgrade
- Backport of Reset group_push_rules primary key sequence
- Backport Use new auth in advanced wiki search
Important notes on upgrading
The SLES 12.5 package is not available for GitLab 18.9.1.
This patch includes database migrations that may impact your upgrade process.
Impact on your installation:
- Single-node instances: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.
- Multi-node instances: With proper zero-downtime upgrade procedures, this patch can be applied without downtime.
Post-deploy migrations
The following versions include post-deploy migrations that can run after the upgrade:
- 18.8.5
To learn more about the impact of upgrades on your installation, see:
- Zero-downtime upgrades for multi-node deployments
- Standard upgrades for single-node installations
Updating
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
Receive Patch Notifications
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
We want to hear from you
Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.
Share your feedback