GitLab has released emergency security patches addressing 11 vulnerabilities across its Community Edition (CE) and Enterprise Edition (EE), including three high-severity flaws that could allow attackers to execute malicious code, forge requests, and steal user session tokens.
On April 22, 2026, GitLab released versions 18.11.1, 18.10.4, and 18.9.6 for both CE and EE deployments.
GitLab.com has already been updated automatically, and GitLab Dedicated customers require no action. However, all self-managed GitLab installations are strongly urged to upgrade immediately.
Three critical-risk flaws demand immediate attention:
Four medium-severity Denial-of-Service (DoS) flaws were also patched. CVE-2025-0186, CVE-2025-6016, and CVE-2025-3922 all carry a CVSS score of 6.5 and could be exploited by authenticated users to exhaust server resources through crafted requests to the discussions endpoint, notes endpoint, and GraphQL API respectively.
CVE-2026-1660 similarly allows authenticated users to trigger DoS during Jira issue imports via improper input validation.
Beyond DoS, GitLab patched a medium-severity Insufficient Session Expiration bug (CVE-2026-6515, CVSS 5.4) where invalidated or incorrectly scoped credentials could still be used to access Virtual Registries, discovered internally by GitLab team member David Fernandez.
Two additional access control flaws (CVE-2026-5377 and CVE-2025-9957) allowed authenticated users to view confidential issue titles and bypass group fork-prevention policies respectively.
GitLab strongly recommends that all self-managed administrators upgrade to one of the patched versions, 18.11.1, 18.10.4, or 18.9.6, without delay.
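As an added example that is not part of the original article or of GitLab's own tooling, the following Python helper compares a self-managed instance's version string against the three patched releases named above and tells an administrator whether the instance is on a fixed build, still exposed, or on a branch that no longer receives fixes. The version string can be read from the admin area or from GitLab's `GET /api/v4/version` endpoint (which returns a JSON object with `version` and `revision` fields); the API response used below is constructed for the example.

```python
"""Compare a self-managed GitLab version with the patched releases from the advisory."""
import json
import re

# Minimum fixed patch level per supported release branch, taken from the advisory:
# 18.11.1, 18.10.4 and 18.9.6.
PATCHED = {
    (18, 11): 1,
    (18, 10): 4,
    (18, 9): 6,
}
OLDEST_PATCHED_BRANCH = min(PATCHED)  # (18, 9)
NEWEST_PATCHED_BRANCH = max(PATCHED)  # (18, 11)

# GitLab version strings look like "18.10.3" or "18.10.3-ee"; only X.Y.Z matters here.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a GitLab version string; suffixes are ignored."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(version):
    """Classify a version as 'patched', 'vulnerable', 'unsupported' or 'newer'.

    'unsupported' means the branch is older than 18.9 and received no fix in this
    release; 'newer' means the branch is later than 18.11 and (an assumption here)
    was released after the fix, so it should be confirmed against the release notes.
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in PATCHED:
        return "patched" if patch >= PATCHED[branch] else "vulnerable"
    if branch < OLDEST_PATCHED_BRANCH:
        return "unsupported"
    return "newer"


def upgrade_target(version):
    """Return the patched release to move to, or None if no upgrade is needed."""
    status = assess(version)
    if status in ("patched", "newer"):
        return None
    major, minor, _ = parse_version(version)
    if status == "vulnerable":
        return f"{major}.{minor}.{PATCHED[(major, minor)]}"
    # Branch older than 18.9: the nearest fixed release is 18.9.6. GitLab's documented
    # upgrade path may require intermediate stops before reaching it.
    o_major, o_minor = OLDEST_PATCHED_BRANCH
    return f"{o_major}.{o_minor}.{PATCHED[OLDEST_PATCHED_BRANCH]}"


def assess_api_response(body):
    """Assess the JSON body returned by GET /api/v4/version."""
    data = json.loads(body)
    return assess(data["version"])


# Constructed sample of what /api/v4/version returns; not captured from a real instance.
SAMPLE_RESPONSE = '{"version": "18.10.3-ee", "revision": "0000000"}'

if __name__ == "__main__":
    for v in ("18.11.0", "18.11.1", "18.10.4-ee", "18.9.5", "18.8.9", "18.12.0"):
        print(f"{v:12} -> {assess(v):12} upgrade to: {upgrade_target(v)}")
    print("API sample  ->", assess_api_response(SAMPLE_RESPONSE))
```

The check is deliberately per-branch: 18.10.3 is unpatched even though it is "higher" than 18.9.6, so a plain numeric comparison against a single version would give the wrong answer for two of the three supported branches.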
Most vulnerabilities were responsibly disclosed via GitLab’s HackerOne bug bounty program by researchers including ahacker1, joaxcar, and pwnie. Security advisories for each flaw will be made public on GitLab’s issue tracker 30 days after the patch release date.
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.