In GitLab EE versions 16.6 up to before 18.8.9, 18.9 up to before 18.9.5, and 18.10 up to before 18.10.3, a medium-severity vulnerability, CVE-2025-9484, was detected. It allows authenticated users to read other users' email addresses through certain GraphQL queries because of missing authorization checks. To address this issue, upgrade GitLab EE to 18.8.9, 18.9.5, or 18.10.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9484.
In GitLab CE/EE versions 18.2 up to before 18.8.9, 18.9 up to before 18.9.5, and 18.10 up to before 18.10.3, a low-severity vulnerability, CVE-2026-4916, was detected. It allows authenticated users holding custom role permissions to demote or remove higher-privileged group members because of improper authorization checks on member management operations. To address this issue, upgrade GitLab CE/EE to 18.8.9, 18.9.5, or 18.10.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-4916.
In GitLab EE versions 18.2 up to before 18.8.9, 18.9 up to before 18.9.5, and 18.10 up to before 18.10.3, a medium-severity vulnerability, CVE-2026-4332, was detected. It allows authenticated users to execute arbitrary JavaScript in other users' browsers via customizable analytics dashboards because of improper input sanitization (stored cross-site scripting). To address this issue, upgrade GitLab EE to 18.8.9, 18.9.5, or 18.10.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-4332.
In GitLab EE versions 18.6 up to before 18.8.9, 18.9 up to before 18.9.5, and 18.10 up to before 18.10.3, a medium-severity vulnerability, CVE-2026-2619, was detected. It allows authenticated users with auditor privileges to modify vulnerability flag data in private projects because of incorrect authorization under certain conditions. To address this issue, upgrade GitLab EE to 18.8.9, 18.9.5, or 18.10.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-2619.
In GitLab CE/EE versions 18.2 up to before 18.8.9, 18.9 up to before 18.9.5, and 18.10 up to before 18.10.3, a medium-severity vulnerability, CVE-2026-2104, was detected. It allows authenticated users to access confidential issues assigned to other users via CSV export because of insufficient authorization checks. To address this issue, upgrade GitLab CE/EE to 18.8.9, 18.9.5, or 18.10.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-2104.
In GitLab EE versions 11.3 up to before 18.8.9, 18.9 up to before 18.9.5, and 18.10 up to before 18.10.3, a medium-severity vulnerability, CVE-2026-1752, was detected. It allows authenticated users with developer-role permissions to modify protected environment settings because of improper authorization checks in the API. To address this issue, upgrade GitLab EE to 18.8.9, 18.9.5, or 18.10.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1752.
In GitLab CE/EE versions 16.9.6 up to before 18.8.9, 18.9 up to before 18.9.5, and 18.10 up to before 18.10.3, a high-severity vulnerability, CVE-2026-5173, was detected. It allows authenticated users to invoke unintended server-side methods over WebSocket connections because of improper access control. To address this issue, upgrade GitLab CE/EE to 18.8.9, 18.9.5, or 18.10.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-5173.
In Django versions 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30, a low-severity vulnerability, CVE-2026-4292, was detected. It allows attackers to create new model instances via forged POST data, exploiting improper handling of ModelAdmin.list_editable in admin changelist forms. To address this issue, upgrade Django to 6.0.4, 5.2.13, or 4.2.30. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-4292.
In Django versions 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30, a medium-severity vulnerability, CVE-2026-4277, was discovered. It allows attackers to bypass permission checks when adding inline model instances by submitting forged POST data to GenericInlineModelAdmin. To address this issue, upgrade Django to 6.0.4, 5.2.13, or 4.2.30. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-4277.
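The affected ranges in the GitLab and Django advisories above are easy to misread: "16.6 up to before 18.8.9, 18.9 up to before 18.9.5, and 18.10 up to before 18.10.3" describes three half-open windows, so 18.8.9 is fixed while 18.9.0 through 18.9.4 and 18.10.0 through 18.10.2 are still vulnerable, and a deployment on 18.9.x should move to 18.9.5 rather than back to 18.8.9. The following is an added triage helper, written for this page and not GitLab's or Django's own tooling, that encodes every advisory above and reports which CVEs still apply to a given version and the fixed release on that version's branch. It assumes that a GitLab version string carrying an "-ee" suffix denotes Enterprise Edition (otherwise it is treated as CE), and it deliberately makes no claim about branches the advisories do not list (for example Django 5.1), which are returned as "nothing listed" rather than "safe".

```python
"""Triage helper for the GitLab and Django advisories listed above.

Added example (not GitLab's or Django's own tooling): encodes each advisory's
affected windows and reports which CVEs still apply to a deployed version, plus
the fixed release on that version's branch.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Version = Tuple[int, int, int]

_VERSION_RE = re.compile(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Parse '18.8.9', '18.9' or '18.10.3-ee.0' into a comparable 3-tuple.

    Missing minor/patch parts read as 0, so the advisory lower bound '18.9'
    means 18.9.0. Anything after the patch number (e.g. '-ee.0') is ignored.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = (int(p) if p is not None else 0 for p in m.groups())
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


@dataclass(frozen=True)
class Window:
    """One affected window, half-open: introduced <= v < fixed."""
    introduced: Version
    fixed: Version

    def contains(self, v: Version) -> bool:
        return self.introduced <= v < self.fixed


def windows(*pairs: Tuple[str, str]) -> List[Window]:
    return [Window(parse_version(lo), parse_version(hi)) for lo, hi in pairs]


# Every GitLab advisory above shares the same backport windows on the 18.9 and
# 18.10 branches; only the oldest introducing version differs per CVE.
_GL = (("18.9", "18.9.5"), ("18.10", "18.10.3"))
_DJANGO = windows(("4.2", "4.2.30"), ("5.2", "5.2.13"), ("6.0", "6.0.4"))

# (CVE, product, editions named by the advisory or None, affected windows),
# transcribed from the advisory text above.
ADVISORIES: Sequence[Tuple[str, str, Optional[frozenset], List[Window]]] = (
    ("CVE-2025-9484", "gitlab", frozenset({"ee"}), windows(("16.6", "18.8.9"), *_GL)),
    ("CVE-2026-4916", "gitlab", frozenset({"ce", "ee"}), windows(("18.2", "18.8.9"), *_GL)),
    ("CVE-2026-4332", "gitlab", frozenset({"ee"}), windows(("18.2", "18.8.9"), *_GL)),
    ("CVE-2026-2619", "gitlab", frozenset({"ee"}), windows(("18.6", "18.8.9"), *_GL)),
    ("CVE-2026-2104", "gitlab", frozenset({"ce", "ee"}), windows(("18.2", "18.8.9"), *_GL)),
    ("CVE-2026-1752", "gitlab", frozenset({"ee"}), windows(("11.3", "18.8.9"), *_GL)),
    ("CVE-2026-5173", "gitlab", frozenset({"ce", "ee"}), windows(("16.9.6", "18.8.9"), *_GL)),
    ("CVE-2026-4292", "django", None, _DJANGO),
    ("CVE-2026-4277", "django", None, _DJANGO),
)


def _edition(product: str, version: str, edition: Optional[str]) -> Optional[str]:
    # Assumption: GitLab EE version strings carry an '-ee' suffix; no suffix = CE.
    if product == "gitlab" and edition is None:
        return "ee" if "-ee" in version else "ce"
    return edition


def _matching_windows(product: str, version: str, edition: Optional[str]):
    v = parse_version(version)
    ed = _edition(product, version, edition)
    for cve, prod, editions, wins in ADVISORIES:
        if prod != product or (editions is not None and ed not in editions):
            continue
        hit = [w for w in wins if w.contains(v)]
        if hit:
            yield cve, hit


def affected(product: str, version: str, edition: Optional[str] = None) -> List[str]:
    """CVE IDs from ADVISORIES whose windows contain `version`.

    An empty list means the advisories above list nothing for this version;
    unlisted (e.g. end-of-life) branches are not thereby shown to be safe.
    """
    return [cve for cve, _ in _matching_windows(product, version, edition)]


def fix_target(product: str, version: str, edition: Optional[str] = None) -> Optional[str]:
    """Fixed release on the branch containing `version` (18.9.2 -> 18.9.5, not
    18.10.3); the highest one if several windows apply. None if nothing applies."""
    fixed = {w.fixed for _, wins in _matching_windows(product, version, edition) for w in wins}
    return fmt(max(fixed)) if fixed else None


if __name__ == "__main__":
    for prod, ver in (("gitlab", "18.9.2-ee"), ("gitlab", "18.9.2"), ("django", "5.2.12")):
        print(prod, ver, "->", affected(prod, ver), "upgrade to", fix_target(prod, ver))
```

Feed it the version string reported by the deployment (for GitLab, the value returned by the version API or `gitlab-rake gitlab:env:info`; for Django, `django.get_version()`); a result of `[]` from a version inside a listed branch means that branch is already at or past the fixed release, while `[]` from an unlisted branch only means the advisories say nothing about it.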