Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN153
_____________________________________________________________________

DATE                : 11/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GitLab versions prior to 18.8.4,
                                      18.7.4, 18.6.6.

=====================================================================
https://about.gitlab.com/releases/2026/02/10/patch-release-gitlab-18-8-4-released/
_____________________________________________________________________

 GitLab Patch Release: 18.8.4, 18.7.4, 18.6.6

Learn more about GitLab Patch Release: 18.8.4, 18.7.4, 18.6.6 for 
GitLab Community Edition (CE) and Enterprise Edition (EE).

Today, we are releasing versions 18.8.4, 18.7.4, 18.6.6 for GitLab 
Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we 
strongly recommend that all self-managed GitLab installations be 
upgraded to one of these versions immediately. GitLab.com is already 
running the patched version. GitLab Dedicated customers do not need to 
take action.

GitLab releases fixes for vulnerabilities in patch releases. There are 
two types of patch releases: scheduled releases and ad-hoc critical 
patches for high-severity vulnerabilities. Scheduled releases are 
released twice a month on the second and fourth Wednesdays. For more 
information, please visit our releases handbook and security FAQ. You 
can see all of GitLab release blog posts here.

For security fixes, the issues detailing each vulnerability are made 
public on our issue tracker 30 days after the release in which they 
were patched.

We are committed to ensuring that all aspects of GitLab that are 
exposed to customers or that host customer data are held to the 
highest security standards. To maintain good security hygiene, it is 
highly recommended that all customers upgrade to the latest patch 
release for their supported version. You can read more best practices 
in securing your GitLab instance in our blog post.


Recommended Action

We strongly recommend that all installations running a version 
affected by the issues described below are upgraded to the latest 
version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, 
etc.) of a product is mentioned, it means all types are affected.


Security fixes

Table of security fixes

Title                              Severity

Incomplete Validation issue in Web IDE impacts GitLab CE/EE 	High

Denial of Service issue in GraphQL introspection impacts GitLab 
CE/EE 	High

Denial of Service issue in JSON validation middleware impacts GitLab 
CE/EE 	High

Cross-site Scripting issue in Code Flow impacts GitLab CE/EE 	High

HTML Injection issue in test case titles impacts GitLab CE/EE 	High

Denial of Service issue in Markdown processor impacts GitLab CE/EE 	
Medium

Denial of Service issue in Markdown Preview impacts GitLab CE/EE 	
Medium

Denial of Service issue in dashboard impacts GitLab EE 	Medium

Server-Side Request Forgery issue in Virtual Registry impacts GitLab 
EE 	Medium

Improper Validation issue in diff parser impacts GitLab CE/EE 	Medium

Server-Side Request Forgery issue in Git repository import impacts 
GitLab CE/EE 	Medium

Authorization Bypass issue in iterations API impacts GitLab EE 	Medium

Stored HTML Injection issue in project label impacts GitLab CE/EE    Low

Authorization Bypass issue in Pipeline Schedules API impacts GitLab 
CE/EE 	Low


CVE-2025-7659 - Incomplete Validation issue in Web IDE impacts GitLab 
CE/EE

GitLab has remediated an issue that could have allowed an 
unauthenticated user to steal tokens and access private repositories 
by abusing incomplete validation in the Web IDE.

Impacted Versions: GitLab CE/EE: all versions from 18.2 before 18.6.6, 
18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)

Thanks cav0ur for reporting this vulnerability through our HackerOne 
bug bounty program


CVE-2025-8099 - Denial of Service issue in GraphQL introspection 
impacts GitLab CE/EE

GitLab has remediated an issue that, under certain conditions, could 
have allowed an unauthenticated user to cause denial of service by 
sending repeated GraphQL queries.

Impacted Versions: GitLab CE/EE: all versions from 10.8 before 18.6.6, 
18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Thanks foxribeye for reporting this vulnerability through our 
HackerOne bug bounty program


CVE-2026-0958 - Denial of Service issue in JSON validation middleware 
impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an 
unauthenticated user to cause denial of service through memory or CPU 
exhaustion by bypassing JSON validation middleware limits.

Impacted Versions: GitLab CE/EE: all versions from 18.4 before 18.6.6, 
18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Thanks elbo7 for reporting this vulnerability through our HackerOne 
bug bounty program


CVE-2025-14560 - Cross-site Scripting issue in Code Flow impacts 
GitLab CE/EE

GitLab has remediated an issue that, under certain conditions could 
have allowed an authenticated user to perform unauthorized actions on 
behalf of another user by injecting content into vulnerability code 
flow.

Impacted Versions: GitLab CE/EE: all versions from 17.1 before 18.6.6, 
18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)

Thanks joaxcar for reporting this vulnerability through our HackerOne 
bug bounty program


CVE-2026-0595 - HTML Injection issue in test case titles impacts 
GitLab CE/EE

GitLab has remediated an issue that, under certain conditions, could 
have allowed an authenticated user to add unauthorized email addresses 
to user accounts through HTML injection in test case titles.

Impacted Versions: GitLab CE/EE: all versions from 13.9 before 18.6.6, 
18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)

Thanks joaxcar for reporting this vulnerability through our HackerOne 
bug bounty program


CVE-2026-1458 - Denial of Service issue in Markdown processor impacts 
GitLab CE/EE

GitLab has remediated an issue that, under certain conditions, could 
have allowed an unauthenticated user to cause denial of service by 
uploading specifically crafted files.

Impacted Versions: GitLab CE/EE: all versions from 8.0 before 18.6.6, 
18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Thanks maksyche for reporting this vulnerability through our HackerOne 
bug bounty program


CVE-2026-1456 - Denial of Service issue in Markdown Preview impacts 
GitLab CE/EE

GitLab has remediated an issue that could have allowed an 
unauthenticated user to cause denial of service through CPU exhaustion 
by submitting specially crafted markdown files that trigger 
exponential processing in markdown preview.

Impacted Versions: GitLab CE/EE: all versions from 18.7 before 18.7.4, 
and 18.8 before 18.8.4
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Thanks maksyche for reporting this vulnerability through our HackerOne 
bug bounty program


CVE-2026-1387 - Denial of Service issue in dashboard impacts GitLab EE

GitLab has remediated an issue that could have allowed an 
authenticated user to cause denial of service by uploading a specially 
crafted file to the dashboard and repeatedly sending GraphQL queries 
to parse it.

Impacted Versions: GitLab EE: all versions from 15.6 before 18.6.6, 
18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Thanks a92847865 for reporting this vulnerability through our 
HackerOne bug bounty program


CVE-2025-12575 - Server-Side Request Forgery issue in Virtual Registry 
impacts GitLab EE

GitLab has remediated an issue that, under certain conditions, could 
have allowed an authenticated user with certain permissions to perform 
server-side request forgery against internal network services.

Impacted Versions: GitLab EE: all versions from 18.0 before 18.6.6, 
18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

Thanks go7f0qho for reporting this vulnerability through our HackerOne 
bug bounty program


CVE-2026-1094 - Improper Validation issue in diff parser impacts 
GitLab CE/EE

GitLab has remediated an issue that could have allowed an 
authenticated developer to hide specially crafted file changes from 
the WebUI.

Impacted Versions: GitLab CE/EE: all versions from 18.8 before 18.8.4
CVSS 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

Thanks u3mur4 for reporting this vulnerability through our HackerOne 
bug bounty program


CVE-2025-12073 - Server-Side Request Forgery issue in Git repository 
import impacts GitLab CE/EE

GitLab has remediated an issue that, under certain conditions, could 
have allowed an authenticated user to perform server-side request 
forgery against internal services by bypassing protections in the Git 
repository import functionality.

Impacted Versions: GitLab CE/EE: all versions from 18.0 before 18.6.6, 
18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Thanks yunus0x for reporting this vulnerability through our HackerOne 
bug bounty program


CVE-2026-1080 - Authorization Bypass issue in iterations API impacts 
GitLab EE

GitLab has remediated an issue that, under certain conditions, could 
have allowed an authenticated user to access iteration data from 
private descendant groups by querying the iterations API endpoint.

Impacted Versions: GitLab EE: all versions from 16.7 before 18.6.6, 
18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Thanks go7f0 for reporting this vulnerability through our HackerOne 
bug bounty program


CVE-2025-14592 - Missing Authorization issue in GLQL API impacts 
GitLab CE/EE

GitLab has remediated an issue that, under certain conditions, could 
have allowed an authenticated user to perform unauthorized operations 
by submitting GraphQL mutations through the GLQL API endpoint.

Impacted Versions: GitLab CE/EE: all versions from 18.6 before 18.6.6, 
18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Thanks go7f0 for reporting this vulnerability through our HackerOne 
bug bounty program


CVE-2026-1282 - Stored HTML Injection issue in project label impacts 
GitLab CE/EE

GitLab has remediated an issue that could have allowed an 
authenticated user to inject content into project labels titles.

Impacted Versions: GitLab CE/EE: all versions from 18.6 before 18.6.6, 
18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)

Thanks rafabd1 for reporting this vulnerability through our HackerOne 
bug bounty program


CVE-2025-14594 - Authorization Bypass issue in Pipeline Schedules API 
impacts GitLab CE/EE

GitLab has remediated an issue that, under certain conditions, could 
have allowed an authenticated user to view certain pipeline values by 
querying the API.

Impacted Versions: GitLab CE/EE: all versions from 17.11 before 
18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Thanks sndd for reporting this vulnerability through our HackerOne bug 
bounty program


Bug fixes
18.8.4

    Backport dependency update golang/go to v1.24.12
    Backport of Fix project state getting out of sync when deletion 
fails
    Backport of 'Add migrations for missing merge_requests stage 2 
indexes for bigint'
    Backport-Group/Global search should not show code tab if no zoekt 
nodes are available & advanced search is off
    [Backport 18.8] Exclude Git LFS paths from Git HTTP throttling
    Backport of Add REST endpoint for seeding external agents
    Backport of Update seeded third party flows descriptions
    Backport of Add seed external agents button to Admin > GitLab Duo
    Backport of 'Fix Duo Enterprise add-on check to use seat 
assignment instead of namespace membership'
    Backport of 'Add paidTierTrial to subscriptionUsage GraphQL API'
    [Backport] Add preflight checks to resume_indexing rake task
    Backport: DAP onboarding UX
    Backport of 'Add usage billing paid tier trial card'
    Backports 'Fixes duo chat visible if user does not have permission'
    Backport of 'Fix Zoekt indexing by cleaning up replicas without 
indices'
    Flip dap_onboarding_empty_states back off
    Disable credits page for SM in trial
    Backport of 'Update dependency gitlab-cloud-connector to 1.43.0'
    Backport Go 1.24.12 to 18-8-Stable
    [18.8] Backport Mattermost Security Updates January 15, 2026

18.7.4

    Backport of 'Fix: DAP enablement setting availability'
    18.7 Backport of 'Fix PipelineSecurityReportFindings query timeout'
    [Backport] Add preflight checks to resume_indexing rake task
    [18.7] Backport Mattermost Security Updates January 15, 2026

18.6.6

    18.6 Backport of 'Fix PipelineSecurityReportFindings query timeout'
    [Backport] Add preflight checks to resume_indexing rake task
    [18.6] Backport Mattermost Security Updates January 15, 2026


GitLab Ultimate trials updated to include GitLab Duo Agent Platform

GitLab.com Ultimate trials now include evaluation credits for GitLab 
Duo Agent Platform. On GitLab.com, signing up for an Ultimate trial 
provides 24 evaluation credits per user for 30 days to exercise 
agentic AI capabilities such as autonomous task execution and 
multi‑step workflow orchestration. Self-managed customers should 
update to GitLab 18.9 upon release to get the best trial experience. 
GitLab.com free tier namespaces can start an Ultimate trial today.

Start your free trial. Current paid customers can request evaluation 
credits through their account team and begin technical setup ahead of 
the 18.9 release contact Sales to learn more.
Important notes on upgrading

This patch includes database migrations that may impact your upgrade 
process.


Impact on your installation:

    Single-node instances: This patch will cause downtime during the 
upgrade as migrations must complete before GitLab can start.
    Multi-node instances: With proper zero-downtime upgrade 
procedures, this patch can be applied without downtime.

Post-deploy migrations

The following versions include post-deploy migrations that can run 
after the upgrade:


    18.8.4

To learn more about the impact of upgrades on your installation, see:

    Zero-downtime upgrades for multi-node deployments
    Standard upgrades for single-node installations


Updating

To update GitLab, see the Update page. To update GitLab Runner, see 
the Updating the Runner page.
Receive Patch Notifications

To receive patch blog notifications delivered to your inbox, visit our 
contact us page. To receive release notifications via RSS, subscribe 
to our patch release RSS feed or our RSS feed for all releases.
 

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================