GitLab Security Patches: CSRF, Path Traversal, XSS, DoS (CVE-2026-4922/5816/5262)

GitLab Security Patch Release Summary (18.11.1, 18.10.4, 18.9.6) Vulnerability Overview GitLab has released security patches for versions 18.11.1, 18.10.4, and 18.9.6, addressing multiple critical security vulnerabilities, including Cross-Site Request Forgery (CSRF), path equivalence resolution errors, Cross-Site Scripting (XSS), Denial of Service (DoS), and improper access control issues. Impact Scope Affected Versions: GitLab CE/EE version 18.11 (prior to 18.11.1) GitLab CE/EE version 18.10 (prior to 18.10.4) GitLab CE/EE version 18.9 (prior to 18.9.6) Affected Components: GraphQL API, Web IDE, Storybook, discussion endpoints, Jira import, Notes endpoints, virtual registry, issue description renderer, Mermaid sandbox, project fork relationship API. Remediation Measures Upgrade Recommendation: All GitLab installations are strongly advised to upgrade immediately to the patched versions listed above. GitLab Dedicated: No action is required from customers; GitLab has automatically applied the patch versions. Specific Fixes: Fixed unauthorized users executing GraphQL operations in the GraphQL API (CSRF). Fixed unauthorized users executing arbitrary JavaScript in the Web IDE (path validation). Fixed unauthorized users accessing tokens in Storybook (input validation). Fixed potential denial of service issues in discussion endpoints, Jira import, Notes endpoints, and GraphQL API (resource exhaustion / input validation). Fixed invalid or incorrectly scoped credential access in the virtual registry. Fixed access to confidential or private issue titles in the issue description renderer (access control). Fixed loading of unauthorized content in the Mermaid sandbox (input validation). Fixed bypass of group fork prevention settings in the project fork relationship API (authorization check). Detailed Vulnerability List CVE-2026-4922 - Cross-Site Request Forgery issue in GraphQL API CVSS: 3.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H) Fix: Fixed insufficient CSRF protection. CVE-2026-5816 - Path equivalence resolution error in Web IDE assets CVSS: 8.0 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) Fix: Fixed improper path validation. CVE-2026-5262 - Cross-Site Scripting issue in Storybook CVSS: 8.0 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) Fix: Fixed improper input validation. CVE-2025-0186 - Denial of Service issue in discussion endpoints CVSS: 6.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H) Fix: Fixed server resource exhaustion via crafted requests. CVE-2026-1660 - Denial of Service issue in Jira import CVSS: 6.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H) Fix: Fixed improper input validation during issue import. CVE-2025-6016 - Denial of Service issue in Notes endpoints CVSS: 6.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H) Fix: Fixed insufficient resource allocation limits when retrieving Notes. CVE-2025-3922 - Denial of Service issue in GraphQL API CVSS: 6.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H) Fix: Fixed system resource exhaustion. CVE-2026-6515 - Session expiration issue in virtual registry credential validation CVSS: 5.4 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N) Fix: Fixed access to virtual registry with invalid or incorrectly scoped credentials. CVE-2026-5377 - Improper access control issue in issue description renderer CVSS: 4.3 (AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N) Fix: Fixed improper access control during issue description rendering. CVE-2026-3254 - Improper rendering UI layer or framework restrictions in Mermaid sandbox CVSS: 3.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N) Fix: Fixed improper input validation in the Mermaid sandbox. CVE-2025-9957 - Improper access control issue in project fork relationship API CVSS: 2.7 (AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N) Fix: Fixed improper authorization checks.

Goal Reached Thanks to every supporter — we hit 100%!

GitLab Security Patches: CSRF, Path Traversal, XSS, DoS (CVE-2026-4922/5816/5262)