GitLab Security Update Fixes XSS and API DoS Holes

GitLab has released security updates for its Community Edition (CE) and Enterprise Edition (EE). The new versions 18.9.2, 18.8.6, and 18.7.6 fix 15 security issues, including serious Cross-Site Scripting (XSS) and Denial-of-Service (DoS) flaws. Administrators of self-managed instances are strongly urged to apply these patches right away to keep their environments secure.

Fixed GitLab security holes

The most important issue fixed in this release is CVE-2026-1090, a serious XSS flaw with a CVSS score of 8.7. The bug lies in GitLab's processing of Markdown placeholders and is reachable when the Markdown placeholders feature flag is enabled.

An authenticated attacker can bypass the sanitization checks and inject JavaScript that executes in a victim's browser, which could allow actions in the victim's context or session takeover. GitLab also fixed three high-severity DoS vulnerabilities that could let unauthenticated attackers disrupt important services.

A bug in the GraphQL API lets specially crafted requests trigger unbounded recursion that exhausts server resources. Under certain conditions, malicious requests to the repository archive endpoints can also cause a denial of service. The protected branches API, meanwhile, did not properly validate JSON payloads, making it easy to crash the service. Beyond the high-severity bugs, the update also fixes a number of medium- and low-severity issues.

Notable fixes include addressing DoS risks in webhook custom headers (CVE-2025-13690) and webhook endpoints (CVE-2025-12576).

The patch also fixes access control problems in the runners API (CVE-2025-12555) that could have exposed previous pipeline job information to users who were not supposed to see it. It also addresses improper handling of CRLF sequences (CVE-2026-3848). GitLab additionally fixed bugs that leaked private information that should have remained confidential.

Administrators should pay close attention to this update because it fixes a number of specific CVEs. Markdown placeholder processing has a high-severity cross-site scripting flaw with a CVSS score of 8.7. There are also three high-severity denial-of-service vulnerabilities, each with a CVSS score of 7.5: CVE-2026-1069 affects the GraphQL API, CVE-2025-13929 affects the repository archive endpoint, and CVE-2025-14513 affects the protected branches API.

The patch also fixes two medium-severity denial-of-service problems, both with a CVSS score of 6.5. These affect custom headers for webhooks (CVE-2025-13690) and the webhook endpoint (CVE-2025-12576).

Organizations need to act right away to keep their service and data available. If you manage your own GitLab CE or EE installation, upgrade it to version 18.9.2, 18.8.6, or 18.7.6. During the upgrade, single-node instances will experience a short period of downtime while the database migrations finish.

Multi-node setups, on the other hand, can use zero-downtime upgrade procedures. GitLab.com and GitLab Dedicated are already running the patched versions, so their users need to take no action. GitLab will make detailed vulnerability reports public on its issue tracker 30 days after this patch is released.
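As an added example, not code from the advisory or from GitLab, the following Python checks a reported version string such as the one returned by GitLab's GET /api/v4/version endpoint against the three fixed releases named above; the JSON response it parses is a constructed sample, and the branch handling for releases outside 18.7 to 18.9 is an assumption about how an administrator would want them reported.

```python
"""Check a self-managed GitLab version against the fixed releases in this advisory."""
import json
import re

# Fixed releases from the advisory, keyed by the 18.x branch each belongs to.
PATCHED = {(18, 9): (18, 9, 2), (18, 8): (18, 8, 6), (18, 7): (18, 7, 6)}


def parse_version(text: str) -> tuple:
    """Turn '18.9.1-ee' or '18.8.6' into (18, 9, 1); edition suffixes are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version: str) -> str:
    """Classify a version as 'patched', 'vulnerable', 'older' or 'newer'.

    'older' means the branch predates 18.7 and received no fix in this release;
    'newer' means the branch is not covered by this advisory at all, so its own
    release notes must be consulted (assumption: not stated in the advisory).
    """
    v = parse_version(version)
    branch = v[:2]
    if branch not in PATCHED:
        return "newer" if branch > (18, 9) else "older"
    return "patched" if v >= PATCHED[branch] else "vulnerable"


def assess_api_response(body: str) -> str:
    """Assess the JSON body returned by GET /api/v4/version."""
    return assess(json.loads(body)["version"])


if __name__ == "__main__":
    # Constructed sample of what /api/v4/version returns on an unpatched 18.9 instance.
    sample = '{"version": "18.9.1-ee", "revision": "deadbeef"}'
    print(assess_api_response(sample))  # vulnerable
```

The 'older' result matters in practice: an 18.6 or earlier instance is not "patched" just because no fixed version exists for it, and needs to move to one of the three supported branches.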
