
=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN557
_____________________________________________________________________

DATE                : 29/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GitLab versions prior to
                             19.0.1, 18.11.4, 18.10.7.

=====================================================================
https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-0-1-released/
_____________________________________________________________________

GitLab Patch Release: 19.0.1, 18.11.4, 18.10.7

On May 27, 2026, we released versions 19.0.1, 18.11.4, 18.10.7 for 
GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we
strongly recommend that all self-managed GitLab installations be
upgraded to one of these versions immediately. GitLab.com is
already running the patched version. GitLab Dedicated customers
do not need to take action.

GitLab releases fixes for vulnerabilities in patch releases. There
are two types of patch releases: scheduled releases and ad-hoc
critical patches for high-severity vulnerabilities. Scheduled
releases are released twice a month on the second and fourth
Wednesdays. For more information, please visit our releases
handbook and security FAQ. You can see all of GitLab release
blog posts here.

For security fixes, the issues detailing each vulnerability are
made public on our issue tracker 30 days after the release in
which they were patched.

We are committed to ensuring that all aspects of GitLab that
are exposed to customers or that host customer data are held
to the highest security standards. To maintain good security
hygiene, it is highly recommended that all customers upgrade
to the latest patch release for their supported version. You
can read more best practices in securing your GitLab instance
in our blog post.


Recommended Action

We strongly recommend that all installations running a version
affected by the issues described below are upgraded to the
latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart,
etc.) of a product is mentioned, it means all types are affected.

Security fixes

Table of security fixes

CVE            Title                                                 Severity
-------------  ----------------------------------------------------  --------
CVE-2026-4868  Improper Access Control issue in Duo AI workflow      High
               runners impacts GitLab EE
CVE-2026-1402  Denial of Service issue in Wiki impacts GitLab CE/EE  Medium
CVE-2026-6713  Incorrect Authorization issue in GraphQL WorkItem     Medium
               API impacts GitLab CE/EE
CVE-2026-5296  Improper Authorization issue in Duo Workflows API     Medium
               impacts GitLab EE
CVE-2026-2601  Missing Authorization issue in Operations impacts     Medium
               GitLab EE
CVE-2026-8716  Incorrect Name Resolution issue in Pipelines          Medium
               impacts GitLab CE/EE
CVE-2026-2710  Incorrect Authorization issue in certain              Medium
               authentication endpoints impacts GitLab CE/EE

CVE-2026-4868 - Improper Access Control issue in Duo AI workflow
runners impacts GitLab EE

GitLab has remediated an issue that, under certain conditions,
could have allowed an authenticated user to cause specific Duo AI
workflows to run under another user’s identity due to improper
user identity resolution when triggering Duo AI workflow runners.

Impacted Versions: GitLab EE: all versions from 18.8 before
18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1
CVSS 8.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)

Thanks ahacker1 for reporting this vulnerability through our
HackerOne bug bounty program

CVE-2026-1402 - Denial of Service issue in Wiki impacts GitLab CE/EE

GitLab has remediated an issue that under certain conditions
could have allowed an authenticated user to cause denial of
service due to insufficient validation.

Impacted Versions: GitLab CE/EE: all versions from 17.1 before
18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Thanks a92847865 for reporting this vulnerability through our
HackerOne bug bounty program


CVE-2026-6713 - Incorrect Authorization issue in GraphQL WorkItem
API impacts GitLab CE/EE

GitLab has remediated an issue that under certain conditions could
have allowed an unauthorized user to enumerate private projects
due to incorrect authorization checks.

Impacted Versions: GitLab CE/EE: all versions from 18.2 before
18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1
CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Thanks pollito for reporting this vulnerability through our
HackerOne bug bounty program


CVE-2026-5296 - Improper Authorization issue in Duo Workflows
API impacts GitLab EE

GitLab has remediated an issue that when foundational flows were
enabled at the group level, could have allowed an authenticated
user with developer-role permissions to bypass flow restrictions
under certain conditions.

Impacted Versions: GitLab EE: all versions from 18.7 before
18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Thanks rogerace for reporting this vulnerability through our
HackerOne bug bounty program

CVE-2026-2601 - Missing Authorization issue in Operations impacts
GitLab EE

GitLab has remediated an issue that under certain conditions
could have allowed an authenticated user with developer-role
permissions to access sensitive deployment data on projects
due to improper authorization checks.

Impacted Versions: GitLab EE: all versions from 11.5 before
18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Thanks modhanami for reporting this vulnerability through our
HackerOne bug bounty program


CVE-2026-8716 - Incorrect Name Resolution issue in Pipelines
impacts GitLab CE/EE

GitLab has remediated an issue that under certain conditions
could have allowed an authenticated user to access CI data from
a different ref type than intended.

Impacted Versions: GitLab CE/EE: all versions from 12.7 before
18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

This vulnerability has been discovered internally by GitLab team
member Hordur Freyr Yngvason


CVE-2026-2710 - Incorrect Authorization issue in certain
authentication endpoints impacts GitLab CE/EE

GitLab has remediated an issue that under certain conditions
could have allowed a blocked Project Access Token to continue
accessing private resources due to incorrect authorization
enforcement.

Impacted Versions: GitLab CE/EE: all versions from 18.9 before
18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Thanks s4dmach1ne for reporting this vulnerability through our
HackerOne bug bounty program
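The per-CVE "Impacted Versions" ranges above are easy to misread by hand (a 17.x instance is only exposed to some of the seven issues). The following is an added example, not code from GitLab or CERT-Renater: it encodes the ranges stated in this note and reports which CVEs apply to a given version string. The version string is assumed to come from the instance itself (for example the GitLab REST endpoint GET /api/v4/version, or `gitlab-rake gitlab:env:info` on the host); the sample versions at the bottom are constructed.

```python
import re

# Impacted ranges as stated in this note, per release line:
# (first affected version, first fixed version). Fixed versions are
# 18.10.7, 18.11.4 and 19.0.1; the lower bounds differ per CVE.
ADVISORY = {
    "CVE-2026-4868": [("18.8", "18.10.7"), ("18.11", "18.11.4"), ("19.0", "19.0.1")],
    "CVE-2026-1402": [("17.1", "18.10.7"), ("18.11", "18.11.4"), ("19.0", "19.0.1")],
    "CVE-2026-6713": [("18.2", "18.10.7"), ("18.11", "18.11.4"), ("19.0", "19.0.1")],
    "CVE-2026-5296": [("18.7", "18.10.7"), ("18.11", "18.11.4"), ("19.0", "19.0.1")],
    "CVE-2026-2601": [("11.5", "18.10.7"), ("18.11", "18.11.4"), ("19.0", "19.0.1")],
    "CVE-2026-8716": [("12.7", "18.10.7"), ("18.11", "18.11.4"), ("19.0", "19.0.1")],
    "CVE-2026-2710": [("18.9", "18.10.7"), ("18.11", "18.11.4"), ("19.0", "19.0.1")],
}


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '18.10.6-ee', 'v19.0.1' or a bare '18.11' into (major, minor, patch).

    Edition suffixes (-ee, -ce) and pre-release tags are ignored; a missing
    patch component (as in the range bounds '18.8', '19.0') counts as 0.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str, ranges: list[tuple[str, str]]) -> bool:
    """True if version lies in any half-open [first affected, fixed) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def affected_cves(version: str) -> list[str]:
    """CVEs from this note that still apply to the given instance version."""
    return [cve for cve, ranges in ADVISORY.items() if is_affected(version, ranges)]


if __name__ == "__main__":
    # Constructed sample versions, not real instances.
    for sample in ("18.10.6-ee", "18.0.0", "19.0.1-ee"):
        print(sample, "->", affected_cves(sample) or "patched / not impacted")
```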


Bug fixes
19.0.1

    Backport ‘Remove Helm based release environment QA’ to 19-0-stable-ee
    Backporting 19.0 final release notes
    Backport of ‘Fix broken trial CTAs on SM GitLab Credits dashboard’ into 19-0-stable-ee
    Backport API Security remediation guidance release note to 19-0-stable-ee
    Backport of ‘Add write option for Repositories in job token fine-grained permissions’ to 19.0

18.11.4

    Backport ‘Add Ruby thread scheduler priority patch’ to 18.11
    Bump GITLAB_ELASTICSEARCH_INDEXER_VERSION to 5.14.7
    Revert “backchannel: remove hashicorp yamux in favor of libp2p yamux”
    [18.11] Backport of Gate commit traversal_ids behind AddTraversalIdsToCommits migration
    Backport “Fix comments lost when moving wiki page”
    Backport of ‘Allow subgroup-provisioned SAs to create subgroups’ to 18.11
    Backport: Update Zlib to 3.2.3
    Backport of ‘Fix SyncPolicyWorker timeout on linked root namespaces’ to 18.11
    Backport of ‘Fixes dropping successful builds’
    Backport of Fixed flaky CI Catalog Resource name filter happy path spec
    Backport of Added waits to traces and cancel pipeline in after block
    Backport of ‘Add ai_workflows scope’
    Backport of Fix swimlane problem
    Backport of Fix flaky new_project_spec CI/CD from repo URL test to 18-11
    Backport of ‘Send allowed endpoints to Workhorse for diagram proxy’
    [18.11] Backport of ‘Use primary DB connection for advanced search bulk indexer’
    Backport of “Performance optimizations for the license approval rules workflow(behind FF)”
    Backport of ‘Bump gitlab-shell version to 14.50.0’
    Backport of ‘Fix off-by-one error in when num_context_lines=0’
    [18.11] Backport of ‘Fix epic boards flaky specs’
    Backport ‘Remove Helm based release environment QA’ to 18-11-stable-ee
    Backport of ‘Fix broken trial CTAs on SM GitLab Credits dashboard’ to 18.11
    Backport of ‘Gate trial CTA’s using redirect based on FF’ into 18.11
    Backport of ‘Fall back to extracting sequence name from column default’ to 18.11
    Backport ‘Update outdated test certificates’ to 18-11-stable
    Backport ‘Bump nginx to version 1.30.1’ to 18-11
    Backport ‘Add Ruby thread scheduler priority patch’ to 18.11
    [18.11] Mattermost Security Updates May 13, 2026
    [18.11] Mattermost Security Updates May 21, 2026
    Update dependency python to v3.14.4 (backport to 18-11-stable)

18.10.7

    Bump GITLAB_ELASTICSEARCH_INDEXER_VERSION to 5.14.7
    [18.10] Backport of Gate commit traversal_ids behind AddTraversalIdsToCommits migration
    18.10 Backport of ‘update zlib to 3.2.3’
    Backport of ‘Allow subgroup-provisioned SAs to create subgroups’ to 18.10
    Backport of ‘Fix SyncPolicyWorker timeout on linked root namespaces’ to 18.10
    Backport of Fixed flaky CI Catalog Resource name filter happy path spec
    Backport of Added waits to traces and cancel pipeline in after block
    Backport of ‘Add ai_workflows scope’
    Backport of Fix swimlane problem
    Backport of Fix flaky new_project_spec CI/CD from repo URL test to 18-10
    Backport of “Performance optimizations for the license approval rules workflow(behind FF)”
    [18.10] Backport of ‘Use primary DB connection for advanced search bulk indexer’
    [18.10] Backport of ‘Fix epic boards flaky specs’
    Backport ‘Remove Helm based release environment QA’ to 18-10-stable-ee
    Backport of ‘Gate trial CTA’s using redirect based on FF’ into 18.10
    Backport of ‘Resolve: NoMethodError: undefined method `base_score’ for an instance of CvssSuite::Cvss40 (NoMethodError)’
    Backport ‘Bump nginx to version 1.30.1’ to 18-10
    [18.10] Mattermost Security Updates May 13, 2026
    Downgrade python (18.10)

Important notes on upgrading

These versions do not include any new migrations, and for multi-node
deployments, should not require any downtime.

Please be aware that by default the Omnibus packages will stop, run
migrations, and start again, no matter how “big” or “small” the upgrade
is. This behavior can be changed by adding a
/etc/gitlab/skip-auto-reconfigure file, which is only used for
updates.


Updating

To update GitLab, see the Update page. To update GitLab Runner, see
the Updating the Runner page.


Receive Patch Notifications

To receive patch blog notifications delivered to your inbox, visit our
contact us page. To receive release notifications via RSS, subscribe
to our patch release RSS feed or our RSS feed for all releases.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
