
=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN296
_____________________________________________________________________

DATE                : 12/03/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GitLab versions prior to 18.9.2,
                     18.8.6, 18.7.6.

=====================================================================
https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/
_____________________________________________________________________

 GitLab Patch Release: 18.9.2, 18.8.6, 18.7.6

Today, we are releasing versions 18.9.2, 18.8.6, 18.7.6 for GitLab
Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we
strongly recommend that all self-managed GitLab installations be
upgraded to one of these versions immediately. GitLab.com is
already running the patched version. GitLab Dedicated customers
do not need to take action.

GitLab releases fixes for vulnerabilities in patch releases. There
are two types of patch releases: scheduled releases and ad-hoc
critical patches for high-severity vulnerabilities. Scheduled
releases are released twice a month on the second and fourth
Wednesdays. For more information, please visit our releases
handbook and security FAQ. You can see all GitLab release blog
posts here.

For security fixes, the issues detailing each vulnerability are
made public on our issue tracker 30 days after the release in
which they were patched.

We are committed to ensuring that all aspects of GitLab that are
exposed to customers or that host customer data are held to the
highest security standards. To maintain good security hygiene,
it is highly recommended that all customers upgrade to the latest
patch release for their supported version. You can read more about
best practices for securing your GitLab instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version
affected by the issues described below be upgraded to the latest
version as soon as possible.

When no specific deployment type (omnibus, source code, helm
chart, etc.) of a product is mentioned, it means all types are
affected.


Security fixes


Table of security fixes

Title                                                          Severity
-----------------------------------------------------------------------
Cross-site Scripting issue in Markdown placeholder processing
  impacts GitLab CE/EE                                         High
Denial of Service issue in GraphQL API impacts GitLab CE/EE    High
Denial of Service issue in repository archive endpoint impacts
  GitLab CE/EE                                                 High
Denial of Service issue in protected branches API impacts
  GitLab CE/EE                                                 High
Denial of Service issue in webhook custom headers impacts
  GitLab CE/EE                                                 Medium
Denial of Service issue in webhook endpoint impacts
  GitLab CE/EE                                                 Medium
Improper Neutralization of CRLF Sequences issue impacts
  GitLab CE/EE                                                 Medium
Improper Access Control issue in runners API impacts
  GitLab CE/EE                                                 Medium
Improper Access Control issue in snippet rendering impacts
  GitLab CE/EE                                                 Medium
Information Disclosure issue in inaccessible issues impacts
  GitLab CE/EE                                                 Medium
Missing Authorization issue in Group Import impacts
  GitLab CE/EE                                                 Medium
Incorrect Reference issue in repository download impacts
  GitLab CE/EE                                                 Medium
Information Disclosure issue in confidential issues impacts
  GitLab CE/EE                                                 Medium
Incorrect Authorization issue in Virtual Registry impacts
  GitLab EE                                                    Low
Improper Escaping of Output issue in Datadog integration
  impacts GitLab CE/EE                                         Low

CVE-2026-1090 - Cross-site Scripting issue in Markdown
placeholder processing impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an
authenticated user, when the markdown_placeholders feature
flag was enabled, to inject JavaScript in a browser due to
improper sanitization of placeholder content in markdown
processing.

Impacted Versions: GitLab CE/EE: all versions from 10.6 before
18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)

Thanks yvvdwf for reporting this vulnerability through our
HackerOne bug bounty program.


CVE-2026-1069 - Denial of Service issue in GraphQL API impacts
GitLab CE/EE

GitLab has remediated an issue that could have allowed an
unauthenticated user to cause a denial of service condition
by sending specially crafted GraphQL requests due to
uncontrolled recursion under certain circumstances.

Impacted Versions: GitLab CE/EE: all versions from 18.9
before 18.9.2
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Thanks a92847865 for reporting this vulnerability through our
HackerOne bug bounty program.


CVE-2025-13929 - Denial of Service issue in repository
archive endpoint impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an
unauthenticated user to cause a denial of service condition
by issuing specially crafted requests to repository archive
endpoints under certain conditions.

Impacted Versions: GitLab CE/EE: all versions from 10.0
before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Thanks joaxcar for reporting this vulnerability through
our HackerOne bug bounty program.


CVE-2025-14513 - Denial of Service issue in protected
branches API impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an
unauthenticated user to cause a denial of service
condition due to improper input validation when processing
specially crafted JSON payloads in the protected branches
API.

Impacted Versions: GitLab CE/EE: all versions from 16.11
before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Thanks a92847865 for reporting this vulnerability through
our HackerOne bug bounty program.


CVE-2025-13690 - Denial of Service issue in webhook custom
headers impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an
authenticated user to cause a denial of service condition
due to improper input validation on webhook custom header
names under certain conditions.

Impacted Versions: GitLab CE/EE: all versions from 16.11
before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Thanks sim4n6 for reporting this vulnerability through our
HackerOne bug bounty program.


CVE-2025-12576 - Denial of Service issue in webhook endpoint
impacts GitLab CE/EE

GitLab has remediated an issue that under certain conditions
could have allowed an authenticated user to cause a denial
of service condition due to improper handling of webhook
response data.

Impacted Versions: GitLab CE/EE: all versions from 9.3
before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Thanks sim4n6 for reporting this vulnerability through our
HackerOne bug bounty program.


CVE-2026-3848 - Improper Neutralization of CRLF Sequences
issue impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an
authenticated user to make unintended internal requests
through proxy environments under certain conditions due to
improper input validation in import functionality.

Impacted Versions: GitLab CE/EE: all versions from 8.11
before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Thanks shells3c for reporting this vulnerability.


CVE-2025-12555 - Improper Access Control issue in runners
API impacts GitLab CE/EE

GitLab has remediated an issue that, under certain conditions,
could have allowed an authenticated user to access previous
pipeline job information on projects with repository and
CI/CD disabled due to improper authorization checks.

Impacted Versions: GitLab CE/EE: all versions from 15.1
before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Thanks iamgk808 for reporting this vulnerability through
our HackerOne bug bounty program.


CVE-2026-0602 - Improper Access Control issue in snippet
rendering impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an
authenticated user to disclose metadata from private issues,
merge requests, epics, milestones, or commits due to
improper filtering in the snippet rendering process under
certain circumstances.

Impacted Versions: GitLab CE/EE: all versions from 15.6
before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Thanks go7f0 for reporting this vulnerability through our
HackerOne bug bounty program.


CVE-2026-1732 - Information Disclosure issue in inaccessible
issues impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an
authenticated user to disclose confidential issue titles due
to improper filtering under certain circumstances.

Impacted Versions: GitLab CE/EE: all versions from 12.6
before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Thanks modhanami for reporting this vulnerability through
our HackerOne bug bounty program.


CVE-2026-1663 - Missing Authorization issue in Group Import
impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an
authenticated user with group import permissions to create
labels in private projects due to improper authorization
validation in the group import process under certain
circumstances.

Impacted Versions: GitLab CE/EE: all versions from 14.4
before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Thanks go7f0 for reporting this vulnerability through our
HackerOne bug bounty program.


CVE-2026-1230 - Incorrect Reference issue in repository
download impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an
authenticated user to cause repository downloads to contain
different code than displayed in the web interface due to
incorrect validation of branch references under certain
circumstances.

Impacted Versions: GitLab CE/EE: all versions from 1.0 before
18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 4.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N)

Thanks st4nly0n for reporting this vulnerability through our
HackerOne bug bounty program.


CVE-2026-1182 - Information Disclosure issue in confidential
issues impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an
authenticated user to gain unauthorized access to confidential
issue titles created in public projects under certain
circumstances.

Impacted Versions: GitLab CE/EE: all versions from 8.14
before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 4.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Thanks yvvdwf for reporting this vulnerability through our
HackerOne bug bounty program.


CVE-2025-12704 - Incorrect Authorization issue in Virtual
Registry impacts GitLab EE

GitLab has remediated an issue that could have allowed an
authenticated user to access Virtual Registry data in groups
where they are not members due to improper authorization
under certain conditions.

Impacted Versions: GitLab EE: all versions from 18.2 before
18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Thanks mateuszek for reporting this vulnerability through our
HackerOne bug bounty program.


CVE-2025-12697 - Improper Escaping of Output issue in Datadog
integration impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an
authenticated user with maintainer-role permissions to reveal
Datadog API credentials under certain conditions.

Impacted Versions: GitLab CE/EE: all versions from 15.5 before
18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 2.2 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N)

Thanks shells3c for reporting this vulnerability through our
HackerOne bug bounty program.
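The following Python helper is an added example, not part of the advisory and not GitLab's or CERT-Renater's code. It applies the "Impacted Versions" ranges listed above to a running self-managed version (as reported by gitlab-rake gitlab:env:info, e.g. "18.8.5-ee") and returns which of the advisory's CVEs still apply; it assumes the advisory wording "from X before Y" for every range and treats only CVE-2025-12704 as EE-only, as stated above.

```python
import re

# Added helper (not GitLab's or CERT-Renater's code): decide which CVEs from
# this advisory apply to a given self-managed GitLab version. The "Impacted
# Versions" sentences below are copied from the advisory text; the only EE-only
# entry is CVE-2025-12704 (Virtual Registry), as the advisory states.

STD = "all versions from {} before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2"

ADVISORY = {
    "CVE-2026-1090": STD.format("10.6"),   # XSS in Markdown placeholders
    "CVE-2026-1069": "all versions from 18.9 before 18.9.2",  # GraphQL DoS
    "CVE-2025-13929": STD.format("10.0"),  # repository archive DoS
    "CVE-2025-14513": STD.format("16.11"), # protected branches API DoS
    "CVE-2025-13690": STD.format("16.11"), # webhook custom headers DoS
    "CVE-2025-12576": STD.format("9.3"),   # webhook endpoint DoS
    "CVE-2026-3848": STD.format("8.11"),   # CRLF in import functionality
    "CVE-2025-12555": STD.format("15.1"),  # runners API access control
    "CVE-2026-0602": STD.format("15.6"),   # snippet rendering access control
    "CVE-2026-1732": STD.format("12.6"),   # inaccessible issue titles
    "CVE-2026-1663": STD.format("14.4"),   # group import authorization
    "CVE-2026-1230": STD.format("1.0"),    # repository download reference
    "CVE-2026-1182": STD.format("8.14"),   # confidential issue titles
    "CVE-2025-12704": STD.format("18.2"),  # Virtual Registry (EE only)
    "CVE-2025-12697": STD.format("15.5"),  # Datadog integration escaping
}
EE_ONLY = {"CVE-2025-12704"}

# Matches each "<lower> before <upper>" pair in an Impacted Versions sentence.
RANGE_RE = re.compile(r"(\d+(?:\.\d+)*)\s+before\s+(\d+(?:\.\d+)*)")


def parse_version(text):
    """'18.8.5' or '18.8.5-ee' -> (18, 8, 5); tuples compare like versions."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"not a GitLab version: {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def parse_ranges(sentence):
    """Return [(lower_inclusive, upper_exclusive), ...] from advisory wording."""
    return [(parse_version(lo), parse_version(hi)) for lo, hi in RANGE_RE.findall(sentence)]


def is_affected(version, sentence):
    """True if `version` lies in any 'from X before Y' range of `sentence`."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in parse_ranges(sentence))


def affected_cves(version, edition="ce"):
    """CVE IDs from this advisory that still apply to `version` on `edition`."""
    return [cve for cve, sentence in ADVISORY.items()
            if (edition.lower() == "ee" or cve not in EE_ONLY)
            and is_affected(version, sentence)]


if __name__ == "__main__":
    for v, ed in (("18.8.5-ee", "ee"), ("18.7.5", "ce"), ("18.9.2", "ee")):
        print(v, ed, affected_cves(v, ed) or "not affected by this advisory")
```

Note that a version below the lowest "from" bound of a range (for example an 18.7.x release older than the 18.8 and 18.9 branches) is matched only by its own branch's range, which is why the standard ranges list all three supported branches separately.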


Bug fixes

18.9.2

    Fix GitLab base caching (Backport 18.9)
    config: Add configuration to control GOMAXPROCS [backport to 18.9]
    Backport of 'Fix test pollution from simulate_saas rake task'
    Backport of 'Add backtrace to placeholder user reassignment failure logs'
    [Backport 18.9] Update bitbucket cloud importer to fetch workspace scoped repositories
    Backport of "Remove old DAP troubleshooting docs"
    Backport BBM - Fix helper with single record
    [18.9] Backport of 'Reduce logs by ConcurrencyLimit::WorkerExecutionTracker'
    Backport of Reduce batch size for text-embedding-005 requests
    [Backport]- Fix transpilers for zoekt filters
    Backport of 'Fix exclude types in session query'
    [Backport]- Skip param validation for MCP requests
    Backport of 591296 Historical Addon Assignments - Ignore Namespace Path For SM
    Backport of 'Handle Jira Server/Data Center Issue pagination' (18.9)
    Backport 'Improve Deployments and Size quota specs for clarity and consistency' to 18-9-stable-ee
    Backport- Code search returns no results at intermediate group level
    Backport of 'Move ConcurrencyLimit::ResumeWorker cron config to CE'
    Backport of 'Extend package migrate task to metadata caches and symbols'
    Backport of 'Stop unblocking policy approvals when security jobs get canceled'
    Backport of Revert "Clean up gpg_commit_delegate_to_signature feature flag"
    Support default AI access rules - Backport of 225728
    Backport of 'Fix maintainers editing when they own a fork'
    [Backport 18.9] Fix gitlab:setup failure on fresh database
    [18-9-stable] Remove release instance deployment trigger from Ubuntu-20.04-staging job
    [18.9] Backport Mattermost Security Updates February 18, 2026
    Backport: Simplify pg-upgrade initdb by removing locale parameters
    [18.9] Patch io-event gem to drop epoll_pwait2 check for RedHat 9


18.8.6

    Backport Go 1.25.7 to 18.8 Stable
    Fix GitLab base caching (Backport 18.8)
    Backport of "fix(bug): Schema check should not fail when ClickHouse DB is uninitialized"
    config: Add configuration to control GOMAXPROCS [backport to 18.8]
    18.8 Backport of 'Fix PipelineSecurityReportFindings query timeout'
    Backport 18.8 - CI - Token used for release environments
    Handle RecordInvalid in SyncProjectPolicyWorker
    [Backport 18.8] Update bitbucket cloud importer to fetch workspace scoped repositories
    [18.8] Backport of 'Reduce logs by ConcurrencyLimit::WorkerExecutionTracker'
    Backport BBM - Fix helper with single record
    Backport of 'Fix Duo sidebar absent for user with Agentic Chat access but without Classic Chat access'
    [Backport]- Fix transpilers for zoekt filters
    Backport of 591296 Historical Addon Assignments - Ignore Namespace Path For SM
    Backport of 'Handle Jira Server/Data Center Issue pagination'
    Backport 'Improve Deployments and Size quota specs for clarity and consistency' to 18-8-stable-ee
    Backport- Code search returns no results at intermediate group level
    Backport of 'Move ConcurrencyLimit::ResumeWorker cron config to CE'
    Support default AI access rules - Backport of 225728
    Fix command execution race condition in Agentic Chat
    Backport Go 1.25.7 to GitLab 18.8
    [18-8-stable] Remove release instance deployment trigger from Ubuntu-20.04-staging job
    [18.8] Mattermost Security Updates February 18, 2026
    [18.8] Patch io-event gem to drop epoll_pwait2 check for RedHat 9


18.7.6

    Backport Go 1.25.7 to 18.7 Stable
    Fix GitLab base caching (Backport 18.7)
    Backport 18.7 - CI - Token used for release environments
    Handle RecordInvalid in SyncProjectPolicyWorker
    [Backport 18.7] Update bitbucket cloud importer to fetch workspace scoped repositories
    [18.7] Backport of 'Reduce logs by ConcurrencyLimit::WorkerExecutionTracker'
    [Backport]- Fix transpilers for zoekt filters
    Backport- Code search returns no results at intermediate group level
    Backport of 591296 Historical Addon Assignments - Ignore Namespace Path For SM
    Backport of 'Handle Jira Server/Data Center Issue pagination'
    Backport 'Improve Deployments and Size quota specs for clarity and consistency' to 18-7-stable-ee
    Backport of 'Move ConcurrencyLimit::ResumeWorker cron config to CE'
    [18.7] Fix image resizing assertion logic for RTE
    Backport Go 1.25.7 to GitLab 18.7
    [18-7-stable] Remove release instance deployment trigger from Ubuntu-20.04-staging job
    [18.7] Backport Mattermost Security Updates February 18, 2026
    [18.7] Patch io-event gem to drop epoll_pwait2 check for RedHat 9


Important notes on upgrading

This patch includes database migrations that may impact your
upgrade process.

Impact on your installation:

    Single-node instances: This patch will cause downtime during the
    upgrade as migrations must complete before GitLab can start.
    Multi-node instances: With proper zero-downtime upgrade procedures,
    this patch can be applied without downtime.


Regular migrations

The following versions include regular migrations that run
during the upgrade process:

    18.9.2
    18.8.6

To learn more about the impact of upgrades on your installation,
see:

    Zero-downtime upgrades for multi-node deployments
    Standard upgrades for single-node installations


Updating

To update GitLab, see the Update page. To update GitLab Runner,
see the Updating the Runner page.


Receive Patch Notifications

To receive patch blog notifications delivered to your inbox,
visit our contact us page. To receive release notifications via
RSS, subscribe to our patch release RSS feed or our RSS feed
for all releases.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================