GitLab has issued critical security updates for versions 18.10.3, 18.9.5, and 18.8.9 to fix high-severity vulnerabilities including remote code execution and denial-of-service flaws. Administrators are urged to upgrade self-managed Community and Enterprise Edition instances immediately to prevent unauthorized server access and system crashes.
GitLab has officially released a series of emergency security patches for its Community and Enterprise Editions to mitigate several dangerous vulnerabilities. These updates, covering versions 18.10.3, 18.9.5, and 18.8.9, primarily target flaws that could allow attackers to crash servers or execute unauthorized commands. Because these issues affect self-managed instances, the company is urging all system administrators to prioritize these upgrades to maintain the integrity of their development environments.
Among the most pressing fixes is a high-severity bug involving WebSocket connections that could allow authenticated users to execute server-side commands. Other critical patches address two distinct denial-of-service vulnerabilities where unauthenticated attackers could overwhelm systems using malformed JSON data or repeated GraphQL queries. These flaws represent a significant risk because they can be exploited without valid login credentials, potentially taking entire development pipelines offline with minimal effort from an external threat actor.
The security release also resolves a variety of medium-severity concerns that affect user privacy and background processing. Some of these vulnerabilities involve malicious code injection into code quality reports or analytics dashboards, which could leak user IP addresses or execute harmful JavaScript in a victim's browser. Additionally, weak validation in CSV imports and GraphQL queries was found to be capable of crashing background workers or the entire GitLab instance if exploited by a malicious user.
Several lower-severity patches were also bundled into this update to address persistent issues with data leaks and broken access controls. These fixes prevent unauthorized users from viewing private email addresses, modifying vulnerability flags, or accessing confidential issue data they should not be able to see. The patches also close a loophole where users with custom roles could improperly demote or remove members with higher privileges within a group, ensuring that the internal hierarchy of a project remains secure.
To ensure comprehensive protection against these diverse threats, GitLab maintains that the only effective solution is a direct upgrade to the latest patched versions. Organizations running older iterations of the software remain exposed to both the high-impact exploits and the smaller authorization bugs described in the security advisory. By applying these updates immediately, administrators can safeguard their source code, protect user data, and ensure the continued availability of their GitLab services.
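As an added example (not from the advisory and not GitLab's own tooling), the following check decides whether a version string reported by a self-managed instance already contains the fixes for its release line, using the three patched versions named above. The inventory it runs over is constructed, and the handling of an "-ee"/"-ce" edition suffix is an assumption about how GitLab reports its version.

```python
# Added example: classify self-managed GitLab versions against the patched
# releases 18.10.3, 18.9.5 and 18.8.9 named in the advisory.
import re

# Patched version per release line (major, minor) -> (major, minor, patch).
PATCHED = {
    (18, 10): (18, 10, 3),
    (18, 9): (18, 9, 5),
    (18, 8): (18, 8, 9),
}

# Leading MAJOR.MINOR.PATCH; anything after (e.g. "-ee", "-pre") is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch) ints; edition suffix handling is an assumption."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: str) -> bool:
    """True if this version already carries the fixes for its release line.

    Lines older than 18.8 received no patch in this advisory and are reported
    as unpatched; lines newer than 18.10 are assumed to include the fixes.
    """
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in PATCHED:
        return (major, minor, patch) >= PATCHED[line]
    return line > max(PATCHED)


def needs_upgrade(inventory: dict) -> dict:
    """Map each host in a {host: version} inventory to True if it must be upgraded."""
    return {host: not is_patched(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory, not real hosts or observed versions.
    sample = {"git-a.example": "18.10.2-ee", "git-b.example": "18.9.5-ce",
              "git-c.example": "18.7.4", "git-d.example": "18.11.0-ee"}
    for host, must in needs_upgrade(sample).items():
        print(f"{host}: {'UPGRADE REQUIRED' if must else 'ok'}")
```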
Source: https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/