GitLab Security Bulletin: 18.10.3/18.9.5/18.8.9 Patches (CVE-2026-5173, DoS, XSS, Info Leak)

GitLab Patch Release Security Vulnerability Summary Vulnerability Overview This release (18.10.3, 18.9.5, 18.8.9) includes multiple security fixes, primarily addressing the following vulnerabilities: CVE-2026-5173 (High): Exposed methods in WebSocket connections, allowing authenticated users to call unintended server-side methods via WebSocket connections. CVE-2026-1092 (High): Denial of Service (DoS) vulnerability in the Terraform State Lock API, allowing unauthenticated users to cause a DoS due to improper JSON payload validation. CVE-2025-12664 (High): Denial of Service (DoS) vulnerability in the GraphQL API, allowing unauthenticated users to cause a DoS by sending repeated GraphQL queries. CVE-2026-1403 (Medium): Denial of Service (DoS) vulnerability in CSV imports, allowing authenticated users to cause Sidekiq worker DoS due to improper CSV file structure validation. CVE-2026-1101 (Medium): Denial of Service (DoS) vulnerability in the GraphQL SBOM API, allowing authenticated users to cause instance DoS due to improper input validation within GraphQL queries. CVE-2026-1516 (Medium): Code injection vulnerability in Code Quality reports, allowing authenticated users to leak the IP address of the report viewer via crafted content. CVE-2026-4332 (Medium): Cross-Site Scripting (XSS) vulnerability in the Analytics Dashboard, allowing authenticated users to execute arbitrary JavaScript in other users' browser contexts due to improper input sanitization. CVE-2026-2619 (Medium): Privilege escalation vulnerability in the Vulnerability Flags AI Detection API, allowing users with Auditor permissions to modify vulnerability flag data in private projects under specific circumstances. CVE-2026-9484 (Medium): Information disclosure vulnerability in specific GraphQL queries, allowing authenticated users to access other users' email addresses via specific GraphQL queries. CVE-2026-1752 (Medium): Improper access control vulnerability in the Environments API, allowing authenticated users with Developer permissions to modify protected environment settings. CVE-2026-2104 (Medium): Information disclosure vulnerability in CSV exports, allowing authenticated users to access confidential issues assigned to other users due to insufficient authorization checks. CVE-2026-4916 (Low): Missing authorization vulnerability in Custom Role permissions, allowing authenticated users with Custom Role permissions to downgrade or remove members with higher permissions due to improper authorization checks in member management operations. Affected Versions The affected version range is extensive, primarily involving the following version intervals (prior to patching): GitLab CE/EE: Versions between 11.7 and 18.8.9, 18.9 and 18.9.5, and 18.10 and 18.10.3 (some vulnerabilities affect versions starting from 12.10, 13.0, 16.6, and 16.9.6). GitLab EE: Versions between 11.3, 16.6, 18.0.0, 18.2, 18.6 and 18.8.9, 18.9 and 18.9.5, 18.10 and 18.10.3. Remediation GitLab strongly recommends that all affected installations upgrade to the latest patched versions as soon as possible: GitLab 18.10.x: Upgrade to 18.10.3 GitLab 18.9.x: Upgrade to 18.9.5 GitLab 18.8.x: Upgrade to 18.8.9 POC Code** No specific exploitation code (POC) is provided on the page; only CVSS scores and vulnerability descriptions are available.

Goal Reached Thanks to every supporter — we hit 100%!

GitLab Security Bulletin: 18.10.3/18.9.5/18.8.9 Patches (CVE-2026-5173, DoS, XSS, Info Leak)