GitLab Release Notes

Last updated: Feb 25, 2026

  • Feb 25, 2026
    • Date parsed from source:
      Feb 25, 2026
    • First seen by Releasebot:
      Feb 25, 2026

    GitLab Patch Release: 18.9.1, 18.8.5, 18.7.5

    GitLab ships patch releases 18.9.1, 18.8.5, and 18.7.5 for CE and EE with critical security and bug fixes. Upgrades are strongly recommended for self-managed setups; GitLab.com is already patched. Detailed vulnerability notes and upgrade guidance included.

    Learn more about GitLab Patch Release: 18.9.1, 18.8.5, 18.7.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).

    Today, we are releasing versions 18.9.1, 18.8.5, 18.7.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
    These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
    GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab's release blog posts here.
    For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
    We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

    Recommended Action

    We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
    When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.

    Security fixes

    Table of security fixes

    Title | Severity
    Cross-site Scripting issue in Mermaid sandbox impacts GitLab CE/EE | High
    Denial of Service issue in container registry impacts GitLab CE/EE | High
    Denial of Service issue in Jira events endpoint impacts GitLab CE/EE | High
    Regular Expression Denial of Service issue in GitLab merge requests impacts GitLab CE/EE | High
    Missing rate limit in Bitbucket Server importer impacts GitLab CE/EE | Medium
    Denial of Service issue in CI trigger API impacts GitLab CE/EE | Medium
    Denial of Service issue in token decoder impacts GitLab CE/EE | Medium
    Improper Access Control issue in Conan package registry impacts GitLab EE | Medium
    Access Control issue in CI job mutation impacts GitLab CE/EE | Medium

    CVE-2026-0752 - Cross-site Scripting issue in Mermaid sandbox impacts GitLab CE/EE

    GitLab has remediated an issue that under certain circumstances, could have allowed an unauthenticated user to inject arbitrary scripts into the Mermaid sandbox UI.
    Impacted Versions: GitLab CE/EE: all versions from 16.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
    CVSS 8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)
    Thanks aphantom for reporting this vulnerability through our HackerOne bug bounty program

    CVE-2025-14511 - Denial of Service issue in container registry impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed an unauthenticated user to cause denial of service by sending specially crafted files to the container registry event endpoint under certain conditions.
    Impacted Versions: GitLab CE/EE: all versions from 12.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
    CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program

    CVE-2026-1662 - Denial of Service issue in Jira events endpoint impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed an unauthenticated user to cause Denial of Service by sending specially crafted requests to the Jira events endpoint.
    Impacted Versions: GitLab CE/EE: all versions from 14.4 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
    CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program

    CVE-2026-1388 - Regular Expression Denial of Service issue in GitLab merge requests impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed an unauthenticated user to cause regular expression denial of service by sending specially crafted input to a merge request endpoint under certain conditions.
    Impacted Versions: GitLab CE/EE: all versions from 9.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
    CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    Thanks sim4n6 for reporting this vulnerability through our HackerOne bug bounty program

    CVE-2026-2845 - Missing rate limit in Bitbucket Server importer impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed an authenticated user to cause denial of service by exploiting a Bitbucket Server import endpoint via repeatedly sending large responses.
    Impacted Versions: GitLab CE/EE: all versions from 11.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
    CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
    This vulnerability has been discovered internally by GitLab team member Sam Word

    CVE-2025-3525 - Denial of Service issue in CI trigger API impacts GitLab CE/EE

    GitLab has remediated an issue that could have, under certain circumstances, allowed an authenticated user with certain access to cause denial of service by creating specially crafted CI triggers via the API.
    Impacted Versions: GitLab CE/EE: all versions from 9.0 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
    CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
    Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program

    CVE-2026-1725 - Denial of Service issue in token decoder impacts GitLab CE/EE

    GitLab has remediated an issue that could have under certain conditions, allowed an unauthenticated user to cause denial of service by sending specially crafted requests to a CI jobs API endpoint.
    Impacted Versions: GitLab CE/EE: versions from 18.9 before 18.9.1
    CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
    Thanks vinax for reporting this vulnerability through our HackerOne bug bounty program

    CVE-2026-1747 - Improper Access Control issue in Conan package registry impacts GitLab EE

    GitLab has remediated an issue that, under certain conditions, could have allowed Developer-role users with insufficient privileges to make unauthorized modifications to protected Conan packages.
    Impacted Versions: GitLab EE: all versions from 17.11 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
    CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
    Thanks modhanami for reporting this vulnerability through our HackerOne bug bounty program

    CVE-2025-14103 - Access Control issue in CI job mutation impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed an unauthorized user with Developer-role permissions to set pipeline variables for manually triggered jobs under certain conditions.
    Impacted Versions: GitLab CE/EE: all versions from 17.7 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
    CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
    Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program
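
An added example, not part of the GitLab advisory: a Python check that applies the impacted-version ranges listed above to an inventory of self-managed instances and ranks the affected ones by their highest CVSS score. The host names and inventory are constructed, and treating an `-ee` suffix on the version string as the marker for Enterprise Edition is an assumption.

```python
"""Triage GitLab versions against the 18.9.1 / 18.8.5 / 18.7.5 patch release."""
import re


def _lines(first_affected):
    """Half-open [start, end) ranges for an issue fixed in all three releases."""
    return [(first_affected, (18, 7, 5)),
            ((18, 8, 0), (18, 8, 5)),
            ((18, 9, 0), (18, 9, 1))]


BOTH = frozenset({"CE", "EE"})

# (CVE, CVSS 3.1 base score, affected editions, affected ranges),
# transcribed from the "Impacted Versions" lines of the advisory.
ADVISORIES = [
    ("CVE-2026-0752", 8.0, BOTH, _lines((16, 2, 0))),
    ("CVE-2025-14511", 7.5, BOTH, _lines((12, 2, 0))),
    ("CVE-2026-1662", 7.5, BOTH, _lines((14, 4, 0))),
    ("CVE-2026-1388", 7.5, BOTH, _lines((9, 2, 0))),
    ("CVE-2026-2845", 6.5, BOTH, _lines((11, 2, 0))),
    ("CVE-2025-3525", 6.5, BOTH, _lines((9, 0, 0))),
    # Only the 18.9 line is affected by the token decoder issue.
    ("CVE-2026-1725", 5.3, BOTH, [((18, 9, 0), (18, 9, 1))]),
    # The Conan package registry issue is EE only.
    ("CVE-2026-1747", 4.3, frozenset({"EE"}), _lines((17, 11, 0))),
    ("CVE-2025-14103", 4.3, BOTH, _lines((17, 7, 0))),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\S+))?$")


def parse_version(text):
    """Return ((major, minor, patch), edition) for '18.8.4' or '18.8.4-ee'.

    Assumption: an '-ee' suffix means Enterprise Edition, anything else is
    treated as CE. Misreading EE as CE would only hide CVE-2026-1747.
    """
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch, suffix = match.groups()
    edition = "EE" if (suffix or "").lower().startswith("ee") else "CE"
    return (int(major), int(minor), int(patch or 0)), edition


def affected_by(version_text):
    """List the CVEs from this advisory that apply to one version string."""
    version, edition = parse_version(version_text)
    return [cve for cve, _score, editions, ranges in ADVISORIES
            if edition in editions
            and any(start <= version < end for start, end in ranges)]


def triage(inventory):
    """Return (host, version, worst CVSS, CVEs) for affected hosts, worst first."""
    scores = {cve: score for cve, score, _editions, _ranges in ADVISORIES}
    rows = []
    for host, version_text in inventory.items():
        cves = affected_by(version_text)
        if cves:
            worst = max(scores[cve] for cve in cves)
            rows.append((host, version_text, worst, cves))
    return sorted(rows, key=lambda row: (-row[2], row[0]))


# Constructed inventory for illustration; replace with your own host list.
SAMPLE_INVENTORY = {
    "gitlab-a.example.internal": "18.8.4-ee",
    "gitlab-b.example.internal": "18.9.1-ee",
    "gitlab-c.example.internal": "16.1.6",
    "gitlab-d.example.internal": "18.9.0",
}

if __name__ == "__main__":
    for host, version, worst, cves in triage(SAMPLE_INVENTORY):
        print(f"{host} {version} worst CVSS {worst}: {', '.join(cves)}")
```
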

    Bug fixes

    18.9.1

    • Backport of fix semantic code search for Premium plans
    • Backport of "Implement usage of namespace AI data collection setting"
    • Backport of AI data collection docs
    • Backport of "Add exclude_types to the get_agent_flows query"
    • Backport of "Bypass group membership lock for service accounts"
    • Backport 18.9 - CI - Token used for release environments
    • [Backport] Zoekt Fix the bug of includeForked
    • Backport of Fix adding flows when member invites are disabled
    • Backport of Fix workspace PAT creation with short PAT lifetime
    • Backport of Remove API dependency on composite identity onboarding

    18.8.5

    • Disable gitlab credits dashboard page for SM trial
    • Backport: Workhorse: Ignore misconfigured redis for DWS locking
    • Backport of skip rebase check for detailed merge status
    • Backport of 'Time to first byte degradation on list merge requests API'
    • Backport of Update gitlab-cloud-connector gem to 1.44
    • Backport - Remove orphaned zoektCrossNamespaceSearch feature flag reference
    • Move bot avatar assets to app/assets for proper asset pipeline inclusion
    • Backport of 'Geo Primary Verification: Check actual verification state when checksumming'
    • Backport of Fix introspection query
    • Backport PG::UntranslatableCharacter fixes for MoveCiBuildsMetadata background migration
    • Backport optimizing of the MergeRequestResetApprovals Worker
    • Backport of 'Remove unused retag-gdk-image CI job'
    • Backport of "Docs: Added support for Credits and DAP from 18.8 and later"
    • Backport of 'Enable the disable_all_mentions FF by default '
    • Backport of Validate milestone title for group import
    • Backport of workhorse: Return 400 from /cable without valid websocket upgrade
    • Skip Feature.enabled? override in test environment - 18.8
    • [Backport] Zoekt Fix the bug of includeForked
    • Backport of "Bypass group membership lock for service accounts"
    • Backport of Fix adding flows when member invites are disabled
    • Backport of Reset group_push_rules primary key sequence
    • Backport of Fix workspace PAT creation with short PAT lifetime
    • Backport Use new auth in advanced wiki search

    18.7.5

    • Backport of 'Fix Zoekt indexing by cleaning up replicas without indices'
    • Backport of 'Time to first byte degradation on list merge requests API'
    • Backport of Validate milestone title for group import
    • Backport of 'Remove unused retag-gdk-image CI job'
    • Backport of workhorse: Return 400 from /cable without valid websocket upgrade
    • Backport of Reset group_push_rules primary key sequence
    • Backport Use new auth in advanced wiki search

    Important notes on upgrading

    The SLES 12.5 package is not available for GitLab 18.9.1.
    This patch includes database migrations that may impact your upgrade process.

    Impact on your installation:

    • Single-node instances: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.
    • Multi-node instances: With proper zero-downtime upgrade procedures, this patch can be applied without downtime.

    Post-deploy migrations

    The following versions include post-deploy migrations that can run after the upgrade:

    • 18.8.5

    To learn more about the impact of upgrades on your installation, see:

    • Zero-downtime upgrades for multi-node deployments
    • Standard upgrades for single-node installations

    Updating

    To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.

    Receive Patch Notifications

    To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.

  • February 2026
    • No date parsed from source.
    • First seen by Releasebot:
      Feb 20, 2026
    • Modified by Releasebot:
      Mar 7, 2026

    GitLab 18.9 Historical release

    GitLab releases 18.9 with 26 new features and key security upgrades. It adds SBOM support for Java and Python manifests, Duo Agent Platform in Ultimate trials, and enhanced vulnerability management dashboards and governance.

    GitLab 18.9 release post

    Release notes

    Milestone: 93% complete

    Issues: 2615 (Open: 190, Closed: 2425)

    Other

    Ultimate

    8 new features
    717 total badges

    • GitLab Duo Agent Platform available in Ultimate trials: Acquisition, Duo Agent Platform
    • Dependency Scanning with SBOM support for Java pom.xml manifest files: Software Composition Analysis
    • Dependency Scanning with SBOM support for Python requirements.txt manifest files: Software Composition Analysis
    • Software supply chain security
    • Vulnerability resolution with GitLab Duo Agent Platform (Beta): Vulnerability Management
    • Security risk management
    • New security dashboard chart: Vulnerabilities by age: Vulnerability Management
    • Centralized security governance and configuration: Vulnerability Management
    • Security attributes: Security Asset Inventories
    • Security dashboards: Vulnerabilities over time chart improvements: Vulnerability Management

    Create

    • 11 new features
    • 2470 total badges

    ...

  • Feb 19, 2026
    • Date parsed from source:
      Feb 19, 2026
    • First seen by Releasebot:
      Feb 20, 2026

    GitLab 18.9 Release

    GitLab 18.9 launches self-hosted AI models with Duo Agent Platform, adds automated SAST vulnerability resolution, a collapsible file tree, and include-from-file CI inputs. It also brings web-based commit signing on gitlab.com, a container virtual registry beta, and broad security governance upgrades.

    GitLab 18.9 released with self-hosted AI models

    Today, we are excited to announce the release of GitLab 18.9 with GitLab Duo Agent Platform self-hosted models now available for cloud licenses, vulnerability resolution with GitLab Duo Agent Platform, navigate repositories with collapsible file tree, include CI/CD inputs from a file, and much more!

    New to GitLab Duo? Ultimate with GitLab Duo Agent Platform trials are now available for both GitLab.com and GitLab Self-Managed.

    These are just a few highlights from the 25+ improvements in this release. Read on to check out all of the great updates below.

    To the wider GitLab community, thank you for the 530+ contributions you provided to GitLab 18.9! At GitLab, everyone can contribute and we couldn't have done it without you!

    To preview what's coming in next month’s release, check out our What's new page.

    Notable Contributor

    This month's Notable Contributor is awarded to Pooja Ghanghas

    Pooja has made significant contributions to ongoing efforts at GitLab to migrate legacy dropdown components to our modern dropdown architecture. These migrations require careful attention to detail and an understanding of both the old and new component systems. Pooja has consistently delivered high-quality work across multiple migrations, including updates to the diff file header, code block bubble menu, oncall schedules rotation assignee component, and the new resource dropdown.

    Peter Hegman, Staff Frontend Engineer on Tenant Scale::Organizations at GitLab, nominated Pooja for this recognition, noting: “These migrations can be pretty tricky and she has completed a number of them. Thanks for your contributions!”

    Beyond these migration efforts, Pooja has also contributed to feature development, including adding statuses to milestones and iterations, a feature she put significant effort into getting merged.

    Marc Saleiko, Staff Fullstack Engineer on Plan:Project Management at GitLab, recognised her work: “This is a valuable contribution and you did a great job delivering this functionality!” Reflecting on her experience, Pooja shared: “I’m proud of how it turned out and it was a great learning experience for me.”

    She has also contributed numerous bug fixes and maintenance improvements across the GitLab codebase. Pooja’s work directly improves the maintainability and consistency of the GitLab user interface, making it easier for both contributors and team members to build and maintain features, and helping move the GitLab frontend architecture forward.

    Thank you, Pooja, for your continued contributions to improving the GitLab codebase and for being such a reliable member of our contributor community!

    Want to learn more about Pooja’s contributions? Check out her GitLab profile.

    Key improvements released in GitLab 18.9

    GitLab Duo Agent Platform Self-Hosted models now available for cloud licenses

    GitLab Duo Agent Platform is now generally available for GitLab Self-Managed customers with a cloud license. Billing for this feature is usage-based.

    Administrators can configure compatible models for use with GitLab Duo Agent Platform. Administrators using AWS Bedrock or Azure OpenAI can also configure Anthropic Claude or OpenAI GPT models.

    Not yet on Ultimate? Start a free trial with Duo Agent Platform included.

    Vulnerability resolution with GitLab Duo Agent Platform (Beta)

    Triaging and remediating SAST vulnerabilities is one of the most time-consuming tasks in application security. After identifying a real vulnerability, developers need to understand the finding, locate the affected code, and write an appropriate fix, all of which take time and specialized knowledge. In GitLab 18.9, we’re introducing Agentic SAST Vulnerability Resolution. When you trigger resolution for a SAST vulnerability, GitLab Duo autonomously analyzes the finding, reasons through the surrounding code context, generates a context-aware fix, and creates a merge request without any manual intervention.

    Key capabilities include:

    • Agentic multi-step resolution: Rather than producing a single code suggestion, the GitLab Duo Agent Platform reasons through the vulnerability, evaluates the codebase, and produces a well-informed fix.
    • Automatic merge request creation: Generates a ready-to-review merge request with the proposed code fix for critical and high severity SAST vulnerabilities.
    • Quality scoring: Each generated fix includes a quality assessment so reviewers can quickly gauge confidence in the proposed remediation.

    SAST vulnerability resolution is available from the vulnerability report and the individual vulnerability details pages. You can trigger a resolution directly from the individual vulnerability details page.

    This feature is available as a free beta for Ultimate customers. We welcome your feedback in issue 585626.

    Navigate repositories with collapsible file tree

    You can now browse repository files with a collapsible file tree. The tree provides a comprehensive view of your project structure, so you can expand and collapse directories inline, jump between files in different parts of your repository, and maintain context while you work.

    The file tree appears as a resizable sidebar when you view repository files or directories. You can toggle visibility with keyboard shortcuts, filter files by name or extension, and navigate through complex project hierarchies. The tree synchronizes with your current location, so when you select a file in the main content area, the tree updates to show that file.

    Your existing repository structure and file organization remain unchanged. With fewer page loads required to move between files, this feature scales from small projects to large codebases with thousands of files.

    Include CI/CD inputs from a file

    Previously, pipeline inputs could only be defined directly within a pipeline’s spec section. This limitation made it challenging to reuse input configuration across multiple projects.

    In this release you can now include input definitions from external files using the familiar include keyword. Being able to maintain a list of inputs in a separate place helps you have a manageable solution across many projects or pipelines. You can maintain centralized input configurations and even dynamically manage input values from external sources.

    Web-based commit signing on GitLab.com

    Ensuring commits are cryptographically signed is essential for code integrity and meeting compliance requirements. Previously, web-based commit signing was only available for GitLab Self-Managed.

    GitLab.com now supports web-based commit signing. When enabled for a group or project, commits created through the GitLab web interface are automatically signed with the GitLab signing key and are displayed with a Verified badge, providing cryptographic proof of authenticity for your repositories.

    Key details:

    • Enable in group or project settings based on your requirements.
    • All web-based commits (Web IDE edits, merges, API operations) are automatically signed when enabled.

    This brings the GitLab.com security capabilities in line with GitLab Self-Managed and provides the foundation for comprehensive commit signing policies across your organization.

    Container virtual registry now available (Beta)

    Modern container-based development requires accessing images from multiple registries including Docker Hub, Harbor, Quay, and private registries. Without a container virtual registry, platform engineers must configure each project and CI/CD pipeline to authenticate with and pull from multiple registries individually. This creates configuration complexity, slows pulls with sequential registry queries, and makes it difficult to implement consistent security policies across container sources.

    The container virtual registry addresses these challenges by aggregating multiple upstream container registries behind a single endpoint. Platform engineers can configure Docker Hub, Harbor, Quay, and other registries with long-lived token authentication through one URL. Intelligent caching improves pull performance while integrating with the GitLab authentication systems for centralized access control and audit logging.

    The container virtual registry API is currently available in beta for GitLab Premium and Ultimate customers. Beta participants can use the GitLab API to create container virtual registries, configure multiple upstream sources with shareable configurations, and pull container images through the virtual registry. Please note the beta does not support registries that require IAM authentication. Support for cloud provider registries requiring IAM authentication is tracked in this epic.

    On GitLab.com, this feature is behind a feature flag. To request access or share feedback, please comment in the feedback issue.

    Other improvements in GitLab 18.9

    Rapid Diffs improves performance for commit changes

    Reviewing commits with many changed files or substantial modifications can be slow. Rapid Diffs technology now powers the commits page (/ - /commits/), delivering faster loading times, smoother scrolling, and more responsive interactions.

    With Rapid Diffs, you’ll notice:

    • A pagination-free experience.
    • Faster initial load, so you can start working with code sooner.
    • A refreshed interface with a new file browser for quicker navigation between files.
    • Responsive interactions, even with large numbers of changed files.

    All existing functionality is preserved. As Rapid Diffs expands to other areas of GitLab, the same performance benefits will follow.

    Support for Bitbucket Cloud API tokens in import API

    The GitLab import API now supports Bitbucket Cloud API tokens, providing a more secure way to import repositories from Bitbucket Cloud.

    Atlassian has deprecated app passwords in favor of API tokens, and we’re planning to remove support for app passwords in 19.0.

    Importing from Bitbucket Cloud through the GitLab UI is not affected by this change.

    CI/CD Catalog component analytics

    Previously, teams lacked visibility into how CI/CD Catalog component projects were being used across their organization. Now you can view usage counts and adoption patterns at a high level, helping you understand which component projects are most valuable and optimize your catalog investments.

    View security reports from child pipelines in merge requests

    You can now view security and compliance reports from child pipelines directly in merge request widgets. Previously, you had to manually navigate through multiple pipelines to identify security issues, creating inefficient workflows especially with monorepos and complex testing setups.

    With this enhancement, the merge request widget displays reports from child pipelines directly alongside parent pipeline results, with each child pipeline’s reports presented individually and artifacts available for download. This provides a unified view of all security checks, significantly reducing time spent investigating failures and enabling faster merge request reviews when using parent-child pipelines.

    Dependency Scanning with SBOM support for Python requirements.txt manifest files

    GitLab dependency scanning by using SBOM now supports scanning Python requirements.txt manifest files. Previously, dependency scanning for Python projects required a lock file to be present. Now, when a lock file is not available, the analyzer automatically falls back to scanning requirements.txt files, extracting and reporting only direct dependencies for vulnerability analysis. This improvement makes it easier for Python projects to enable dependency scanning without requiring a lock file.

    To enable manifest fallback, set the DS_ENABLE_MANIFEST_FALLBACK CI/CD variable to "true".

    Security attributes

    Security attributes, introduced as a beta in GitLab 18.6, are now generally available.

    Security attributes allow security teams to apply business context to their projects, including business impact, application, business unit, internet exposure, and location. You can also create custom attribute categories to match your organization’s taxonomy. By applying these attributes, you can filter and prioritize the items in your security inventory based on risk posture and organizational context.

    GitLab Duo Agent Platform available in Ultimate trials

    Teams evaluating GitLab can now test agentic AI capabilities that automate complex development workflows and reduce manual tasks. Sign up for a GitLab Ultimate trial and get access to Duo Agent Platform with 24 evaluation credits per user, enabling hands-on experience with autonomous task execution and multi-step workflow orchestration during a 30-day evaluation. Evaluation credits are available for 30 days from the provision date, so consider your team’s readiness before starting.

    Current paid customers can access evaluation credits through their account team.

    Archive a group and its content

    Managing completed initiatives and abandoned projects is now easier. You can now archive entire groups, including all subgroups and projects, in one action, eliminating the need to manually archive each project individually.

    When you archive a group:

    • All nested subgroups and projects are automatically archived.
    • Archived content moves to the Inactive tab with clear status badges.
    • Group data remains fully accessible in read-only mode for reference or restoration.
    • Write permissions are disabled across the archived group and its content.

    Beyond the Settings page, you can archive groups and projects directly from the actions menu in list views. No more navigating through multiple screens for simple administrative tasks. This highly requested feature dramatically reduces administrative overhead while keeping your workspace organized with clear separation between active and inactive work.

    OAuth support in JetBrains IDEs for Self-Managed and Dedicated

    The GitLab Duo plugin for JetBrains IDEs now supports OAuth authentication for GitLab Self-Managed and GitLab Dedicated. This means all JetBrains users can now enjoy a faster, more secure sign-in experience. No personal access token required.

    Zero Downtime Upgrades now supported for Helm chart deployments

    Zero Downtime Upgrades are now officially supported for GitLab Helm chart deployments.

    Enterprise customers require their DevSecOps platform to be available at all times, making upgrade-related downtime a significant operational concern. Until now, Zero Downtime Upgrades were only supported for Linux package-based high availability deployments, which drove many customers toward VM-based architectures even when cloud-native Kubernetes deployments would have better suited their infrastructure strategy.

    We’ve been upgrading our own Cloud Native Hybrid SaaS instances with zero downtime for years. With this release, we’re bringing that same operational experience to self-managed customers running GitLab on Kubernetes.

    The upgrade procedure has been comprehensively tested and is now fully documented, giving you the confidence to maintain availability during version upgrades.

    Restrict personal snippets for enterprise users

    Organizations using GitLab.com need to ensure that enterprise users don’t accidentally expose sensitive code through personal snippets. Previously, there was no way to prevent users from creating snippets in their personal namespace, which can pose a security risk if snippets are inadvertently set to public.

    Group Owners can now restrict personal snippet creation for enterprise users, helping maintain tighter control over where code is shared. When restricted, enterprise users cannot create snippets in their personal namespace.

    Add timestamps to CI job logs

    You can now view timestamps on each CI job log line to identify performance bottlenecks and debug long-running jobs. Timestamps are displayed in UTC format. Use timestamps to troubleshoot performance issues, identify bottlenecks, and measure the duration of specific build steps. Requires GitLab Runner 18.7 or later for GitLab Self-Managed.

    View CI/CD job metrics for projects (limited availability)

    GitLab CI/CD analytics now combines CI/CD pipeline and CI/CD job performance trends, which enables developers to identify inefficient or problematic CI/CD jobs quickly. These capabilities are included directly in the GitLab UI, so developers have the tools they need in context to identify and fix CI/CD performance problems that can significantly impact development teams’ velocity and overall productivity. For platform administrators, the CI/CD jobs data in this view also reduces the need to rely on external or custom-built CI/CD observability solutions when you operate GitLab at an enterprise scale.

    Dependency Scanning with SBOM support for Java pom.xml manifest files

    GitLab dependency scanning by using SBOM now supports scanning Java pom.xml manifest files. Previously, dependency scanning for Java projects using Maven required a graph file to be present. Now, when a graph file is not available, the analyzer automatically falls back to scanning pom.xml files, extracting and reporting only direct dependencies for vulnerability analysis. This improvement makes it easier for Java projects to enable dependency scanning without requiring a graph file.

    To enable manifest fallback, set the DS_ENABLE_MANIFEST_FALLBACK CI/CD variable to "true".

    Centralized security governance and configuration

    Manage and visualize security scanner coverage across your organization. This release introduces security configuration profiles, starting with the secret detection profile. Security teams now have a more powerful command center to secure your organization at scale.

    Profile-based security configuration

    Instead of manually editing YAML files for each project, you can now use preconfigured security configuration profiles that provide several advantages:

    • Standardized governance: Preconfigured profiles apply appropriate boundaries without interrupting productivity. You can apply standardized security best practices, without requiring custom role configurations.
    • Scalable management: Apply the same profile across hundreds or thousands of projects with a single action.

    The secret detection profile is the first security configuration profile available. It provides the following advantages:

    • Actively identifies and blocks secrets from being committed to your repositories.
    • One profile manages secret detection across your entire development workflow. No need to manage separate configurations for different trigger types.

    Enhanced security inventory

    The security inventory has been upgraded to act as your primary dashboard to assess each group’s security posture:

    • Group and project hierarchies: Easily distinguish between subgroups and projects in the inventory with clear iconography.
    • Bulk actions: A new Bulk Action menu allows you to apply or disable security scanner profiles across all selected projects and subgroups simultaneously.
    • Visual coverage status: Quickly identify gaps with color-coded status bars (Enabled, Not Enabled, or Failed) with tooltips for details.
    • Profile status indicators: See which trigger types are available in the profile details.

    Security dashboards: Vulnerabilities over time chart improvements

    The Vulnerabilities over time chart is updated to provide a more accurate view of your vulnerability inventory.

    The chart previously included vulnerabilities that were no longer detected, leading to inflated numbers that did not accurately represent the state of active vulnerabilities.

    We are aware of two additional issues that may slightly alter counts in some cases. Follow issue 590022 and issue 590018 for updates.

    Non-billable Minimal Access users

    Previously, organizations that used identity providers to automate user provisioning on GitLab Self-Managed Premium might run into a potential problem. When identity provider syncs attempt to add users beyond the licensed seat limit, administrators must either purchase extra seats for users who don’t need active access, or manually intervene to prevent failures. Now, users with the Minimal Access role on GitLab Self-Managed Premium subscriptions no longer count as billable seats, bringing them in line with how minimal access works on GitLab.com Premium, GitLab.com Ultimate, and GitLab Self-Managed Ultimate. This change unlocks the restricted access feature, which automatically assigns the Minimal Access role to users who would otherwise exceed the seat limit during identity provider syncs. This change keeps syncs running smoothly without unexpected billing overages or manual intervention.

    Geo data management view on primary site

    You can now troubleshoot and verify data integrity directly from the primary site, thanks to the new data management view that brings detailed verification status information to the primary Geo site. This enhancement eliminates the need to access secondary sites for basic verification and troubleshooting tasks.

    Previously, this verification status was only accessible through the secondary site UI. Now, with the data management view on the primary site, you can:

    • View detailed verification status for all replicable data types on the primary site
    • Perform data sanitization and troubleshooting tasks directly from the primary UI
    • Set up and verify your Geo configuration on the primary site before adding secondary sites

    This enhancement is the first step toward comprehensive self-serve troubleshooting with the UI, reducing the need to access multiple sites for routine maintenance and issue resolution.

    Valkey as replacement option for Redis (Beta)

    Starting with GitLab 18.9, Valkey is bundled as an opt-in replacement for Redis in the Linux package. Redis changed their license to AGPLv3, which is not suitable for open source customers. To guarantee security and maintainability for our GitLab Self-Managed customers, we are transitioning from Redis to Valkey, a community-driven fork that maintains the permissive BSD license.

    Transition timeline:

    • GitLab 18.9 (this release): Valkey is bundled as an opt-in replacement (beta). You can switch from Redis to Valkey at your convenience. Valkey Sentinel support is included.
    • GitLab 19.0 (May 2026): Valkey becomes the default and Redis binaries are removed from the Linux package. Existing Redis configuration settings remain functional and are honored for backwards compatibility.

    This transition only affects the bundled Redis in Linux packages. Customers on scaled architectures using external Redis deployments can continue to use Redis. We are monitoring the potential feature divergence between Redis and Valkey and will provide guidance as the ecosystem evolves.

    Bug fixes, performance improvements, and UI improvements

    At GitLab, we’re dedicated to providing the best possible experience for our users. With every release, we work tirelessly to fix bugs, improve performance, and enhance UI. Whether you’re one of the over 1 million users on GitLab.com or using our platform elsewhere, we’re committed to making sure your time with us is smooth and seamless.

    Click the links below to see all the bug fixes, performance enhancements, and UI improvements we’ve delivered in 18.9.

    Deprecations

    New deprecations and the complete list of all features that are currently deprecated can be viewed in the GitLab documentation. To be notified of upcoming breaking changes, subscribe to our Breaking Changes RSS feed.

    Removals and breaking changes

    The complete list of all removed features can be viewed in the GitLab documentation. To be notified of upcoming breaking changes, subscribe to our Breaking Changes RSS feed.

    Important notes on upgrading to GitLab 18.9

    GitLab has been upgraded to use Ruby 3.3. This upgrade introduces improvements to the Ruby garbage collector, such as a reduction in heap fragmentation and time spent in major garbage collection.

    For self-compiled installations, when upgrading to GitLab 18.9 or later, administrators must have Ruby 3.3.x or later. This change is necessary because Ruby 3.2 reaches its end-of-life on March 31, 2026, and will no longer receive official updates or support.

    Please check out the changelog to see all the named changes: GitLab, GitLab Runner, GitLab Workflow for VS Code, GitLab CLI.

    If you are setting up a new GitLab installation please see the download GitLab page.

    Check out our update page.

    We'd love to hear your thoughts! Visit the GitLab Forum and let us know if you have questions about the release.

    GitLab Subscription Plans

    • Free - Free-forever features for individual users
    • Premium - Enhance team productivity and coordination
    • Ultimate - Organization wide security, compliance, and planning

    Try all GitLab features - free for 30 days.

  • Feb 10, 2026
    • Date parsed from source:
      Feb 10, 2026
    • First seen by Releasebot:
      Feb 11, 2026
    Gitlab

    GitLab Patch Release: 18.8.4, 18.7.4, 18.6.6

    GitLab rolls out patch releases 18.8.4, 18.7.4, and 18.6.6 with critical security fixes and bug fixes. Self‑managed users are urged to upgrade now while GitLab.com is already patched. Clear upgrade guidance and security emphasis boost trust.

    Learn more about GitLab Patch Release: 18.8.4, 18.7.4, 18.6.6 for GitLab Community Edition (CE) and Enterprise Edition (EE)

    Today, we are releasing versions 18.8.4, 18.7.4, 18.6.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
    These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
    GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
    For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
    We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

    Recommended Action

    We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
    When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.

    Security fixes

    Table of security fixes

    | Title | Severity |
    | Incomplete Validation issue in Web IDE impacts GitLab CE/EE | High |
    | Denial of Service issue in GraphQL introspection impacts GitLab CE/EE | High |
    | Denial of Service issue in JSON validation middleware impacts GitLab CE/EE | High |
    | Cross-site Scripting issue in Code Flow impacts GitLab CE/EE | High |
    | HTML Injection issue in test case titles impacts GitLab CE/EE | High |
    | Denial of Service issue in Markdown processor impacts GitLab CE/EE | Medium |
    | Denial of Service issue in Markdown Preview impacts GitLab CE/EE | Medium |
    | Denial of Service issue in dashboard impacts GitLab EE | Medium |
    | Server-Side Request Forgery issue in Virtual Registry impacts GitLab EE | Medium |
    | Improper Validation issue in diff parser impacts GitLab CE/EE | Medium |
    | Server-Side Request Forgery issue in Git repository import impacts GitLab CE/EE | Medium |
    | Authorization Bypass issue in iterations API impacts GitLab EE | Medium |
    | Missing Authorization issue in GLQL API impacts GitLab CE/EE | Low |
    | Stored HTML Injection issue in project label impacts GitLab CE/EE | Low |
    | Authorization Bypass issue in Pipeline Schedules API impacts GitLab CE/EE | Low |

    CVE-2025-7659 - Incomplete Validation issue in Web IDE impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed an unauthenticated user to steal tokens and access private repositories by abusing incomplete validation in the Web IDE.
    Impacted Versions: GitLab CE/EE: all versions from 18.2 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
    CVSS 8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)
    Thanks cav0ur for reporting this vulnerability through our HackerOne bug bounty program

    CVE-2025-8099 - Denial of Service issue in GraphQL introspection impacts GitLab CE/EE

    GitLab has remediated an issue that, under certain conditions, could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries.
    Impacted Versions: GitLab CE/EE: all versions from 10.8 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
    CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    Thanks foxribeye for reporting this vulnerability through our HackerOne bug bounty program

    CVE-2026-0958 - Denial of Service issue in JSON validation middleware impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed an unauthenticated user to cause denial of service through memory or CPU exhaustion by bypassing JSON validation middleware limits.
    Impacted Versions: GitLab CE/EE: all versions from 18.4 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
    CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    Thanks elbo7 for reporting this vulnerability through our HackerOne bug bounty program

    CVE-2025-14560 - Cross-site Scripting issue in Code Flow impacts GitLab CE/EE

    GitLab has remediated an issue that, under certain conditions could have allowed an authenticated user to perform unauthorized actions on behalf of another user by injecting content into vulnerability code flow.
    Impacted Versions: GitLab CE/EE: all versions from 17.1 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
    CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
    Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program

    CVE-2026-0595 - HTML Injection issue in test case titles impacts GitLab CE/EE

    GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to add unauthorized email addresses to user accounts through HTML injection in test case titles.
    Impacted Versions: GitLab CE/EE: all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
    CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
    Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program

    CVE-2026-1458 - Denial of Service issue in Markdown processor impacts GitLab CE/EE

    GitLab has remediated an issue that, under certain conditions, could have allowed an unauthenticated user to cause denial of service by uploading specifically crafted files.
    Impacted Versions: GitLab CE/EE: all versions from 8.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
    CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
    Thanks maksyche for reporting this vulnerability through our HackerOne bug bounty program

    CVE-2026-1456 - Denial of Service issue in Markdown Preview impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed an unauthenticated user to cause denial of service through CPU exhaustion by submitting specially crafted markdown files that trigger exponential processing in markdown preview.
    Impacted Versions: GitLab CE/EE: all versions from 18.7 before 18.7.4, and 18.8 before 18.8.4
    CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
    Thanks maksyche for reporting this vulnerability through our HackerOne bug bounty program

    CVE-2026-1387 - Denial of Service issue in dashboard impacts GitLab EE

    GitLab has remediated an issue that could have allowed an authenticated user to cause denial of service by uploading a specially crafted file to the dashboard and repeatedly sending GraphQL queries to parse it.
    Impacted Versions: GitLab EE: all versions from 15.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
    CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
    Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program

    CVE-2025-12575 - Server-Side Request Forgery issue in Virtual Registry impacts GitLab EE

    GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user with certain permissions to perform server-side request forgery against internal network services.
    Impacted Versions: GitLab EE: all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
    CVSS 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
    Thanks go7f0qho for reporting this vulnerability through our HackerOne bug bounty program

    CVE-2026-1094 - Improper Validation issue in diff parser impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed an authenticated developer to hide specially crafted file changes from the WebUI.
    Impacted Versions: GitLab CE/EE: all versions from 18.8 before 18.8.4
    CVSS 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
    Thanks u3mur4 for reporting this vulnerability through our HackerOne bug bounty program

    CVE-2025-12073 - Server-Side Request Forgery issue in Git repository import impacts GitLab CE/EE

    GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to perform server-side request forgery against internal services by bypassing protections in the Git repository import functionality.
    Impacted Versions: GitLab CE/EE: all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
    CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
    Thanks yunus0x for reporting this vulnerability through our HackerOne bug bounty program

    CVE-2026-1080 - Authorization Bypass issue in iterations API impacts GitLab EE

    GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to access iteration data from private descendant groups by querying the iterations API endpoint.
    Impacted Versions: GitLab EE: all versions from 16.7 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
    CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
    Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program

    CVE-2025-14592 - Missing Authorization issue in GLQL API impacts GitLab CE/EE

    GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to perform unauthorized operations by submitting GraphQL mutations through the GLQL API endpoint.
    Impacted Versions: GitLab CE/EE: all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
    CVSS 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
    Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program

    CVE-2026-1282 - Stored HTML Injection issue in project label impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed an authenticated user to inject content into project labels titles.
    Impacted Versions: GitLab CE/EE: all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
    CVSS 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)
    Thanks rafabd1 for reporting this vulnerability through our HackerOne bug bounty program

    CVE-2025-14594 - Authorization Bypass issue in Pipeline Schedules API impacts GitLab CE/EE

    GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to view certain pipeline values by querying the API.
    Impacted Versions: GitLab CE/EE: all versions from 17.11 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
    CVSS 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
    Thanks sndd for reporting this vulnerability through our HackerOne bug bounty program
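
To triage an instance against the "Impacted Versions" lines above, this added example (not GitLab's code) parses the "all versions from X before Y, ..." wording into half-open ranges and reports which CVEs apply to an installed version and the first fixed release. The function names are hypothetical, the sample table is constructed from four lines quoted in this advisory, and a line in any other wording is rejected rather than guessed at.

```python
import re

# Constructed sample: four "Impacted Versions" ranges copied from the advisory text above.
IMPACTED = {
    "CVE-2025-7659": "all versions from 18.2 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4",
    "CVE-2025-8099": "all versions from 10.8 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4",
    "CVE-2026-1456": "all versions from 18.7 before 18.7.4, and 18.8 before 18.8.4",
    "CVE-2026-1094": "all versions from 18.8 before 18.8.4",
}

PREFIX = "all versions from "
VERSION = r"\d+\.\d+(?:\.\d+)?"
RANGE_RE = re.compile(rf"({VERSION})\s+before\s+({VERSION})")


def parse_version(text):
    """Turn '18.6', '18.8.3' or '18.8.3-ee' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        raise ValueError(f"not a GitLab version: {text!r}")
    # A missing patch component means "the first release of that minor", i.e. .0
    return tuple(int(part or 0) for part in m.groups())


def parse_impacted(line):
    """Parse one 'all versions from A before B, C before D, and E before F' line.

    Returns a list of (low, high) tuples meaning low <= version < high.
    """
    text = line.strip().rstrip(".")
    if not text.startswith(PREFIX):
        raise ValueError(f"unsupported wording: {line!r}")
    ranges = []
    # Clauses are separated by ", ", ", and " or " and ".
    for clause in re.split(r",\s*(?:and\s+)?|\s+and\s+", text[len(PREFIX):]):
        m = RANGE_RE.fullmatch(clause.strip())
        if m is None:
            # Refuse to guess when a clause is not "<from> before <fixed>".
            raise ValueError(f"unsupported range clause: {clause!r}")
        low, high = parse_version(m.group(1)), parse_version(m.group(2))
        if low >= high:
            raise ValueError(f"empty range: {clause!r}")
        ranges.append((low, high))
    return ranges


def first_fixed(installed, line):
    """Return the fixed release for the range that contains `installed`, else None."""
    version = parse_version(installed)
    for low, high in parse_impacted(line):
        if low <= version < high:
            return ".".join(str(n) for n in high)
    return None


def affected_cves(installed, table=IMPACTED):
    """List the CVE ids in `table` whose impacted ranges contain `installed`."""
    return sorted(cve for cve, line in table.items() if first_fixed(installed, line))


if __name__ == "__main__":
    for installed in ("18.1.0", "18.6.5", "18.8.3-ee", "18.8.4"):
        hits = affected_cves(installed)
        print(f"{installed}: {', '.join(hits) if hits else 'not in any listed range'}")
        for cve in hits:
            print(f"    {cve} fixed in {first_fixed(installed, IMPACTED[cve])}")
```

An installation on an older minor such as 18.5.x falls inside the first range of a line, so the reported fix is the 18.6.6 patch level rather than a patch on its own minor.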

    Bug fixes

    18.8.4

    • Backport dependency update golang/go to v1.24.12
    • Backport of Fix project state getting out of sync when deletion fails
    • Backport of 'Add migrations for missing merge_requests stage 2 indexes for bigint'
    • Backport-Group/Global search should not show code tab if no zoekt nodes are available & advanced search is off
    • [Backport 18.8] Exclude Git LFS paths from Git HTTP throttling
    • Backport of Add REST endpoint for seeding external agents
    • Backport of Update seeded third party flows descriptions
    • Backport of Add seed external agents button to Admin > GitLab Duo
    • Backport of 'Fix Duo Enterprise add-on check to use seat assignment instead of namespace membership'
    • Backport of 'Add paidTierTrial to subscriptionUsage GraphQL API'
    • [Backport] Add preflight checks to resume_indexing rake task
    • Backport: DAP onboarding UX
    • Backport of 'Add usage billing paid tier trial card'
    • Backports 'Fixes duo chat visible if user does not have permission'
    • Backport of 'Fix Zoekt indexing by cleaning up replicas without indices'
    • Flip dap_onboarding_empty_states back off
    • Disable credits page for SM in trial
    • Backport of 'Update dependency gitlab-cloud-connector to 1.43.0'
    • Backport Go 1.24.12 to 18-8-Stable
    • [18.8] Backport Mattermost Security Updates January 15, 2026

    18.7.4

    • Backport of 'Fix: DAP enablement setting availability'
    • 18.7 Backport of 'Fix PipelineSecurityReportFindings query timeout'
    • [Backport] Add preflight checks to resume_indexing rake task
    • [18.7] Backport Mattermost Security Updates January 15, 2026

    18.6.6

    • 18.6 Backport of 'Fix PipelineSecurityReportFindings query timeout'
    • [Backport] Add preflight checks to resume_indexing rake task
    • [18.6] Backport Mattermost Security Updates January 15, 2026

    GitLab Ultimate trials updated to include GitLab Duo Agent Platform
    GitLab.com Ultimate trials now include evaluation credits for GitLab Duo Agent Platform. On GitLab.com, signing up for an Ultimate trial provides 24 evaluation credits per user for 30 days to exercise agentic AI capabilities such as autonomous task execution and multi‑step workflow orchestration. Self-managed customers should update to GitLab 18.9 upon release to get the best trial experience. GitLab.com free tier namespaces can start an Ultimate trial today.
    Start your free trial. Current paid customers can request evaluation credits through their account team and begin technical setup ahead of the 18.9 release. Contact Sales to learn more.

    Important notes on upgrading

    This patch includes database migrations that may impact your upgrade process.

    Impact on your installation:

    • Single-node instances: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.
    • Multi-node instances: With proper zero-downtime upgrade procedures, this patch can be applied without downtime.

    Post-deploy migrations

    The following versions include post-deploy migrations that can run after the upgrade:

    • 18.8.4

    To learn more about the impact of upgrades on your installation, see:

    • Zero-downtime upgrades for multi-node deployments
    • Standard upgrades for single-node installations

    Updating

    To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.

    Receive Patch Notifications

    To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.

  • Feb 6, 2026
    • Date parsed from source:
      Feb 6, 2026
    • First seen by Releasebot:
      Feb 7, 2026
    Gitlab

    GitLab AI Gateway Critical Patch Release: 18.6.2, 18.7.1, and 18.8.1

    GitLab AI Gateway releases 18.6.2, 18.7.1, and 18.8.1 for self‑hosted deployments with a critical security fix. Self‑hosted users are urged to upgrade quickly; hosted customers are protected. This is a shipped patch release.

    Learn more about GitLab AI Gateway Release: 18.6.2, 18.7.1, and 18.8.1 for GitLab Duo Self-hosted

    Today, we are releasing versions 18.6.2, 18.7.1, and 18.8.1 of the GitLab AI Gateway.

    These versions contain a critical security fix for GitLab Duo Self-Hosted AI Gateway, and we strongly recommend that all Self Managed customers with GitLab Duo Self-Hosted installations update to one of these versions immediately.

    A fix has already been deployed for the GitLab-hosted AI Gateway. Customers using GitLab.com, GitLab Dedicated, and GitLab Self Managed instances with GitLab-hosted AI Gateway are protected and do not need to take action.

    Recommended Action

    We strongly recommend that all GitLab Duo Self-Hosted installations running a version of self-hosted AI Gateway affected by the issue described below are upgraded to the latest version as soon as possible.

    Security fixes

    Table of security fixes

    | Title | Severity |
    | Insecure Template expansion issue impacts GitLab AI Gateway | Critical |

    CVE-2026-1868 - Insecure Template expansion issue impacts GitLab AI Gateway

    The Duo Workflow Service component of GitLab AI Gateway before versions 18.6.2, 18.7.1, and 18.8.1 is vulnerable to insecure template expansion of user supplied data via crafted Duo Agent Platform Flow definitions. Authenticated access to the GitLab instance is required. This vulnerability could be used to cause Denial of Service or gain code execution on the Gateway.

    Impacted Versions: GitLab AI Gateway: all versions from 18.1.6, 18.2.6, and 18.3.1 before 18.6.2, 18.7.1, and 18.8.1
    CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

    This vulnerability was discovered internally by GitLab team member Joern Schneeweisz.

    Updating

    To update GitLab Duo Self-Hosted, see the GitLab Duo Self-Hosted install documentation.

    Receive Patch Notifications

    To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.

  • Feb 4, 2026
    • Date parsed from source:
      Feb 4, 2026
    • First seen by Releasebot:
      Feb 5, 2026
    Gitlab

    GitLab Patch Release: 18.8.3, 18.7.3, 18.6.5

    GitLab rolls out patch releases 18.8.3, 18.7.3, and 18.6.5 focused on reliability, entitlement handling, and feature-flag consistency across Duo deployments. Backports and hardening updates improve stability with no new migrations or security fixes.

    GitLab releases 18.8.3, 18.7.3, and 18.6.5

    Today we are releasing versions 18.8.3, 18.7.3, and 18.6.5 for GitLab Community Edition and Enterprise Edition.
    This patch release delivers a set of targeted fixes focused on reliability, entitlement handling, and feature-flag consistency across GitLab Duo Agent Platform deployments.
    The updates reflect real-world usage across diverse environments and usage models, and are part of the normal hardening cycle for a platform that integrates deeply with GitLab workflows, identity, and usage controls. Core agent capabilities and behaviors are unchanged. This patch release does not include any security fixes.

    GitLab Community Edition and Enterprise Edition

    18.8.3

    • Backport of 'Pass user id to workflow service'
    • Backport of 'Unlock Duo Workflow foundational flows from experimental features'
    • Backport of 'Unlock Duo Workflow foundational flows from experimental features'
    • Backport of 'Fix enforced_scans sync with inject_policy'
    • Backport of "Open service desk issues and tickets on boards in legacy view instead of drawer"
    • Backport of "Add info on UI for new Ticket work item type"
    • [Backport] Fix missing 'Open the file to view all results' link in Zoekt
    • Refactor Redis TLS options parsing to fix ActionCable configuration
    • Backport of 'Fix route constraint for Credits dashboards'
    • Backport of 'Fix Zoekt filter order to avoid performance regression' to 18.8
    • Backport: Allow to better debug initialize connection
    • Backport of 'Integrate work items into chat notifications as issue events'
    • Backport of "Fixes preserving external author on work item move and clone"
    • [Backport] Remove search api preload for commits scope
    • Backport of "Regenerate openapi docs"

    18.7.3

    • Backport of 'Add FF to toggle namespace filtering for Duo Chat data'
    • Backport of 'Remove duo_workflow_in_ci Feature Flag'
    • Backport of 'Remove duo_workflow Feature Flag'
    • Backport of 'Pass user id to workflow service'
    • Backport of 'Fix enforced_scans sync with inject_policy'
    • Backport of 'Fix Zoekt filter order to avoid performance regression'
    • [Backport] Remove search api preload for commits scope
    • [18.7] Only check optional ActionCable Redis instance if necessary

    18.6.5

    • Backport of 'Pass user id to workflow service'
    • Fix MergeRequestDiff.verifiables scope

    Important notes on upgrading

    This version does not include any new migrations, and for multi-node deployments, should not require any downtime.
    Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure file, which is only used for updates.

    Updating

    To update, check out our update page.

    GitLab subscriptions

    Access to GitLab Premium and Ultimate features is granted by a paid subscription.
    Alternatively, sign up for GitLab.com to use GitLab's own infrastructure.

  • Jan 21, 2026
    • Date parsed from source:
      Jan 21, 2026
    • First seen by Releasebot:
      Jan 21, 2026
    Gitlab

    GitLab Patch Release: 18.8.2, 18.7.2, 18.6.4

    GitLab rolls out patch releases 18.8.2, 18.7.2, and 18.6.4 for CE and EE with important security fixes and bug fixes. Upgrading is strongly recommended for self‑managed deployments; GitLab.com is already patched. Includes upgrade notes and backports for safer, zero‑downtime multi‑node upgrades.

    Learn more about GitLab Patch Release: 18.8.2, 18.7.2, 18.6.4 for GitLab Community Edition (CE) and Enterprise Edition (EE).

    Today, we are releasing versions 18.8.2, 18.7.2, 18.6.4 for GitLab Community Edition (CE) and Enterprise Edition (EE).
    These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
    GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
    For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
    We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

    Recommended Action

    We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
    When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.

    Security fixes

    Table of security fixes

    | Title | Severity |
    | Denial of Service issue in Jira Connect integration impacts GitLab CE/EE | High |
    | Incorrect Authorization issue in Releases API impacts GitLab CE/EE | High |
    | Unchecked Return Value issue in authentication services impacts GitLab CE/EE | High |
    | Infinite Loop issue in Wiki redirects impacts GitLab CE/EE | Medium |
    | Denial of Service issue in API endpoint impacts GitLab CE/EE | Medium |

    CVE-2025-13927 - Denial of Service issue in Jira Connect integration impacts GitLab CE/EE

    • Denial of Service issue in Jira Connect integration impacts GitLab CE/EE
      GitLab has remediated an issue that could have allowed an unauthenticated user to create a denial of service condition by sending crafted requests with malformed authentication data.
      Impacted Versions: GitLab CE/EE: all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2
      CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
      Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2025-13928 - Incorrect Authorization issue in Releases API impacts GitLab CE/EE

    • Incorrect Authorization issue in Releases API impacts GitLab CE/EE
      GitLab has remediated an issue that could have allowed an unauthenticated user to cause a denial of service condition by exploiting incorrect authorization validation in API endpoints.
      Impacted Versions: GitLab CE/EE: all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2
      CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
      Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2026-0723 - Unchecked Return Value issue in authentication services impacts GitLab CE/EE

    • Unchecked Return Value issue in authentication services impacts GitLab CE/EE
      GitLab has remediated an issue that could have allowed an individual with existing knowledge of a victim's credential ID to bypass two-factor authentication by submitting forged device responses.
      Impacted Versions: GitLab CE/EE: all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2
      CVSS 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
      Thanks ahacker1 for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2025-13335 - Infinite Loop issue in Wiki redirects impacts GitLab CE/EE

    • Infinite Loop issue in Wiki redirects impacts GitLab CE/EE
      GitLab has remediated an issue that under certain circumstances could have allowed an authenticated user to create a denial of service condition by configuring malformed Wiki documents that bypass cycle detection.
      Impacted Versions: GitLab CE/EE: all versions from 17.1 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2
      CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
      Thanks sim4n6 for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2026-1102 - Denial of Service issue in API endpoint impacts GitLab CE/EE

    • Denial of Service issue in API endpoint impacts GitLab CE/EE
      GitLab has remediated an issue that could have allowed an unauthenticated user to create a denial of service condition by sending repeated malformed SSH authentication requests.
      Impacted Versions: GitLab CE/EE: all versions from 12.3 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2
      CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
      This vulnerability has been discovered internally by GitLab team member Thiago Figueiró.

    Bug fixes

    18.8.2
    • Backport of Make external agent configurations GA
    • Backport Remove GitLab Dedicated support for semantic search until it's available
    • Backport of '18.8.0: Merge Request reviewer dropdown crashes and does not send request'
    • Backport of 'Pass user id to workflow service'
    • Backport of rake task to seed AI Catalogs with external agents
    • Backport of Separate policy logic for AI Catalog Flows and Foundational Flows

    18.7.2
    • Backport of Fix logic for fetching occurrences related to vulnerabilities
    • Backport of "Removes feature flag enablement for svc accounts"
    • Backport of flaky import spec quarantine
    • Backport 18.7 - Fix searchable dropdown race condition when typing fast
    • Backport of Recreate p_sent_notifications.reply_key index
    • Fix container_repositories index repair to handle 1-to-1 relationship
    • [18.7] Fix migration health check endpoint
    • Backport of 'Fix soft wrap not working due to accessibilitySupport conflict'
    • Backport of 'Fix git push error for remote flows in self-managed instances'
    • [Backport 18.7] Exclude Git LFS paths from Git HTTP throttling
    • Backport of Correct Code Review Flow history for beta
    • Backport of 'Fix Duo Chat button visibility for Amazon Q'
    • Backport Allow user namespaces to be indexed in Zoekt for self-managed
    • Backport of 'Disable Sidekiq retries for ClickHouse pipeline/build sync workers'
    • Backport of 'Disable async_insert in build and pipeline sync operations'
    • 18.7 - Remove manual from SLES-12.5-release-pulp job

    18.6.4
    • Backport of "Removes feature flag enablement for svc accounts"
    • Backport of flaky import spec quarantine
    • Backport 18.6 - Fix searchable dropdown race condition when typing fast
    • Fix container_repositories index repair to handle 1-to-1 relationship
    • Backport of 'Fix soft wrap not working due to accessibilitySupport conflict'
    • Backport of 'Fix git push error for remote flows in self-managed instances'
    • [Backport 18.6] Exclude Git LFS paths from Git HTTP throttling
    • Backport-Allow user namespaces to be indexed in Zoekt for self-managed
    • Backport of 'Disable Sidekiq retries for ClickHouse pipeline/build sync workers'
    • Backport of 'Disable async_insert in build and pipeline sync operations'
    • 18.6 - Remove manual from SLES-12.5-release-pulp job
    • Start Pulp FIPS jobs after PC FIPS jobs - 18.6
    • [CI] Fix the builder image tags for the check-packages jobs 18-6

    Important notes on upgrading

    This patch includes database migrations that may impact your upgrade process.
    Impact on your installation:
    • Single-node instances: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.
    • Multi-node instances: With proper zero-downtime upgrade procedures, this patch can be applied without downtime.
    Post-deploy migrations
    The following versions include post-deploy migrations that can run after the upgrade:
    • 18.7.2
    To learn more about the impact of upgrades on your installation, see:
    • Zero-downtime upgrades for multi-node deployments
    • Standard upgrades for single-node installations

    Updating

    To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.

    Receive Patch Notifications

    To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.

  • Jan 19, 2026
    • Date parsed from source:
      Jan 19, 2026
    • First seen by Releasebot:
      Jan 20, 2026

    Gitlab

    GitLab Patch Release: 18.8.1

    GitLab releases patch 18.8.1 for Community and Enterprise Editions, fixing bug regressions with no security fixes. Upgrade notes highlight minimal downtime for multi-node deployments and an option to skip auto reconfigure for advanced users.

    GitLab releases 18.8.1

    Today we are releasing versions 18.8.1 for GitLab Community Edition and Enterprise Edition.
    These versions resolve a number of regressions and bugs. This patch release does not include any security fixes.

    GitLab Community Edition and Enterprise Edition

    18.8.1

    • Backport: Release AI Catalog External Agents
    • Backport of 'Fix summarize review prompt version for DAP Duo Code Review'
    • Backport of Disallow creation of new external agents
    • Backport of Correct Code Review Flow history for beta
    • Backport of 'Fix incorrectly shown limited experience alert on pipeline security tab'
    • Backport of 'Fix Duo Chat button visibility for Amazon Q'

    Important notes on upgrading

    This version does not include any new migrations, and for multi-node deployments, should not require any downtime.
    Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure file, which is only used for updates.

    Updating

    To update, check out our update page.

    GitLab subscriptions

    Access to GitLab Premium and Ultimate features is granted by a paid subscription.
    Alternatively, sign up for GitLab.com to use GitLab's own infrastructure.

  • January 2026
    • No date parsed from source.
    • First seen by Releasebot:
      Jan 16, 2026
    • Modified by Releasebot:
      Mar 7, 2026

    Gitlab

    GitLab 18.8 Historical release

    GitLab unveils the 18.8 milestone with a wave of new capabilities across security, SAST, vulnerability, and portfolio management. It highlights centralized credential management for SaaS group owners, container scanning, Duo Agent Platform enhancements, policy-driven vulnerability handling, and multi‑platform runner updates.

    GitLab 18.8 release post

    Milestone

    18.8

    Issues

    • Open: 91
    • Closed: 1190

    Release notes

    • 12 new features
    • 4087 total badges
    • Software supply chain security
    • Centralized credential management API for group owners (SaaS only) : System Access
    • Group Owners can disable SSH keys for enterprise users (SaaS only) : System Access

    Ultimate

    • 4 new features
    • 709 total badges
    • C/C++ support in Advanced SAST now generally available : SAST
    • Multiple Container Scanning : Container Scanning
    • GitLab Duo Security Analyst Agent now generally available : Vulnerability Management, Dependency Management
    • Auto-dismiss irrelevant vulnerabilities with vulnerability management policies : Security Policy Management

    Premium

    • 5 new features
    • 795 total badges
    • GitLab Duo Agent Platform now generally available : Duo Agent Platform
    • Turn the GitLab Duo Agent Platform on or off : Duo Agent Platform
    • Group access control for GitLab Duo features : Duo Agent Platform
    • GitLab Duo Agent Platform for GitLab Duo Self-Hosted (offline licensing) now generally available (self-managed only) : Self-Hosted Models

    Plan

    • GitLab Duo Planner Agent now generally available : Portfolio Management

    Core

    • 1 new feature
    • 2459 total badges
    • Verify
    • GitLab Runner 18.8 : GitLab Runner Core

    ...

  • Jan 15, 2026
    • Date parsed from source:
      Jan 15, 2026
    • First seen by Releasebot:
      Jan 16, 2026

    Gitlab

    GitLab 18.8 Release

    GitLab 18.8 brings the Duo Agent Platform to GA with Planner and Security Analyst agents, plus auto dismiss of irrelevant vulnerabilities. It also adds multi container scanning, SSH key controls, group access rules, enhanced credentials APIs, and GitLab Runner 18.8 for broader CI/CD improvements.

    18.8 Release Highlights

    Today, we are excited to announce the release of GitLab 18.8 with GitLab Duo Agent Platform now generally available, GitLab Duo Planner Agent, GitLab Duo Security Analyst Agent, auto-dismiss irrelevant vulnerabilities, and much more!

    These are just a few highlights from the 10+ improvements in this release. Read on to check out all of the great updates below.

    To the wider GitLab community, thank you for the 119 contributions you provided to GitLab 18.8! At GitLab, everyone can contribute and we couldn't have done it without you!

    To preview what's coming in next month’s release, check out our What's new page.

    Notable Contributor

    This month's Notable Contributor is awarded to Wesley Yarde

    This month’s Notable Contributor is Wesley Yarde for building a foundational new feature that allows organizations to disable SSH keys for their enterprise users.

    Wesley’s contribution stands out for several reasons:

    • Security and compliance: This feature enables organizations to enforce SSH key requirements and enhance security across their enterprise.
    • Foundational work: With no existing implementation to follow, Wesley had to collaborate extensively with the GitLab team to define requirements and architecture from scratch.
    • First contribution: Remarkably, this was Wesley’s first contribution to GitLab—demonstrating exceptional ability to navigate a complex codebase and tackle a challenging feature.
    • Enables future development: This work establishes the foundation for similar features like instance-level SSH key disabling and service account controls.

    The implementation spanned multiple merge requests (!205020, !210482) with thorough review cycles. Despite the complexity, Wesley demonstrated outstanding collaboration and patience throughout the process.

    “It was a pleasure to collaborate with Wesley on this feature request! While both the contributor and reviewers may have felt that the review process was overwhelming, both sides showed understanding and superb collaboration to ensure the implementation is solid and complete.” — Bogdan Denkovych, who nominated Wesley for this recognition.

    Congratulations Wesley, and thank you for this valuable contribution to GitLab!

    Key improvements released in GitLab 18.8

    GitLab Duo Agent Platform now generally available

    GitLab Duo Agent Platform is now generally available, bringing agentic AI orchestration across your entire software development lifecycle. Unlike AI tools that speed up individual tasks in isolation, the Agent Platform helps teams coordinate AI agents across planning, building, securing, and shipping software, closing the gap between faster individual work and the collaborative, multi-stage reality of software delivery.

    The platform provides a central AI Catalog where teams can discover, manage, and share agents and flows across their organization. Built-in foundational agents like Planner, Security Analyst, and Data Analyst handle structured work at key decision points, while customizable flows automate multi-step agents and tasks in development workflows from issue to merge request, CI/CD migration, pipeline troubleshooting, and code reviews.

    With governance controls, usage visibility, and flexible deployment options including self-hosted models for offline environments, organizations can adopt AI at scale with the transparency and control they need.

    GitLab Premium and Ultimate users can start using the Agent Platform today on GitLab.com and GitLab Self-Managed instances with promotional GitLab Credits.

    GitLab Duo Planner Agent now generally available

    The Planner Agent is now generally available! The Planner Agent is a foundational agent built to support product managers directly in GitLab.

    Use the Planner Agent to create, edit, and analyze GitLab work items. Instead of manually chasing updates, prioritizing work, or summarizing planning data, the Planner Agent helps you analyze backlogs, apply frameworks like RICE or MoSCoW, and surface what truly needs your attention. It’s like having a proactive teammate who understands your planning workflow and works with you to make better, more efficient decisions.

    Please provide your feedback in issue 583008.

    GitLab Duo Security Analyst Agent now generally available

    The GitLab Duo Security Analyst Agent, introduced as beta in GitLab 18.5, is now generally available in GitLab 18.8.

    The Security Analyst Agent enables engineers to manage vulnerabilities through natural language commands in GitLab Duo Agentic Chat. Instead of manually clicking through vulnerability dashboards or writing custom scripts for bulk operations, security teams can now triage, assess, and provide guidance for vulnerabilities in Chat conversations.

    As a foundational agent, the Security Analyst Agent is available by default in GitLab Duo Agentic Chat, with no manual setup required.

    Auto-dismiss irrelevant vulnerabilities with vulnerability management policies

    Security teams can now automatically dismiss vulnerabilities that don’t apply to their organization using vulnerability management policies. Dismissing vulnerabilities that are not relevant to your organization reduces noise and helps developers focus on vulnerabilities that pose actual risk.

    You can create policies to auto-dismiss vulnerabilities based on:

    • File path
    • Directory
    • Identifier (CVE, CWE, or OWASP)

    Auto-dismissed vulnerabilities appear in the merge request’s security widget with an Auto-dismissed label and are tracked in the vulnerability report activity with a dismissal reason for audit purposes.

    Other improvements in GitLab 18.8

    GitLab Runner 18.8

    We’re also releasing GitLab Runner 18.8 today! GitLab Runner is the highly-scalable build agent that runs your CI/CD jobs and sends the results back to a GitLab instance. GitLab Runner works in conjunction with GitLab CI/CD, the open-source continuous integration service included with GitLab.

    What’s New:

    • Improved error messages for job inputs interpolation errors

    Bug Fixes:

    • WaitForServicesTimeout no longer supports -1 to disable timeout
    • Custom URL breaks submodule authentication with insteadOf rules
    • Custom runner short-token on Windows 2025 uses 9 characters instead of 8
    • PowerShell default helper image missing for Docker executor in GitLab Runner 17.8.3
    • GitLab Runner with Docker Autoscaler does not reuse available cache volumes
    • VirtualBox leaves dangling VM when job is cancelled

    The list of all changes is in the GitLab Runner CHANGELOG.

    Multiple Container Scanning

    In GitLab 18.8, we released multi-container scanning in Beta.
    Users are now able to pass in an array of images to be scanned as part of many Container Scanning jobs.

    Group Owners can disable SSH keys for enterprise users

    Group Owners can now disable SSH keys for all enterprise users in their group. When disabled, users cannot add new SSH keys and their existing keys are deactivated. This applies to all enterprise users in the group, including those with the Owner role.

    Thank you to Wesley Yarde for helping build this feature!

    Group access control for GitLab Duo features

    You can now define group access rules to control who can use GitLab Duo features, enabling flexible adoption strategies from immediate organization-wide access to phased rollouts.
    This feature provides granular governance control so you can scale adoption at your pace while maintaining security and compliance.

    C/C++ support in Advanced SAST now generally available

    Cross-file, cross-function scanning support for C/C++ is now generally available in GitLab Advanced SAST.

    Centralized credential management API for group owners

    The Credentials Inventory API is now available for Enterprise users on GitLab.com. This adds credential management capabilities previously only available on self-hosted instances, and enables organizations to better manage and secure their authentication tokens and keys.

    The Credentials Inventory API provides programmatic access to view credentials across your organization, including:

    • Personal Access Tokens (PATs)
    • Group Access Tokens (GrATs)
    • Project Access Tokens (PrATs)
    • SSH Keys
    • GPG Keys

    This API complements the existing Credentials Inventory UI, allowing enterprise administrators to automate credential management tasks that previously required manual intervention. With the Credentials Inventory API, you can:

    • Automate security workflows: Build automated processes to monitor, audit, and revoke credentials.
    • Enforce credential policies: Identify and revoke unused or expired tokens.
    • Improve security posture: Reduce the risk of credential misuse through regular auditing.
    • Streamline operations: Integrate credential management into your existing security tools and workflows.

    GitLab Duo Agent Platform for GitLab Duo Self-Hosted (offline licensing) now generally available

    GitLab Duo Agent Platform is now generally available for Duo Self-Hosted. This feature is available to GitLab Self-Managed customers with an offline license, and uses seat-based pricing.

    Self-Managed administrators can configure compatible models for use with GitLab Duo Agent Platform. Administrators using AWS Bedrock or Azure OpenAI can also configure Anthropic Claude or OpenAI GPT models.

    Turn the GitLab Duo Agent Platform on or off

    You can now turn on or off the GitLab Duo Agent Platform, including GitLab Duo Chat (Agentic), agents, and flows for a top-level group or the entire instance. When this setting is turned off, these features are not available.

    Bug fixes, performance improvements, and UI improvements

    At GitLab, we’re dedicated to providing the best possible experience for our users. With every release, we work tirelessly to fix bugs, improve performance, and enhance UI. Whether you’re one of the over 1 million users on GitLab.com or using our platform elsewhere, we’re committed to making sure your time with us is smooth and seamless.

    Click the links below to see all the bug fixes, performance enhancements, and UI improvements we’ve delivered in 18.8.

    • Bug fixes
    • Performance improvements
    • UI improvements

    Deprecations

    New deprecations and the complete list of all features that are currently deprecated can be viewed in the GitLab documentation. To be notified of upcoming breaking changes, subscribe to our Breaking Changes RSS feed.

    Removals and breaking changes

    The complete list of all removed features can be viewed in the GitLab documentation. To be notified of upcoming breaking changes, subscribe to our Breaking Changes RSS feed.

    • Static compliance violations report

    Changelog

    Please check out the changelog to see all the named changes:

    • GitLab
    • GitLab Runner
    • GitLab Workflow for VS Code
    • GitLab CLI

    Installing

    If you are setting up a new GitLab installation please see the download GitLab page.

    Updating

    Check out our update page.

    Questions?

    We'd love to hear your thoughts! Visit the GitLab Forum and let us know if you have questions about the release.

    GitLab Subscription Plans

    • Free-forever features for individual users
    • Enhance team productivity and coordination
    • Organization wide security, compliance, and planning
    • Try all GitLab features - free for 30 days