GitLab Release Notes

Last updated: Oct 22, 2025

  • Oct 22, 2025
    • Parsed from source:
      Oct 22, 2025
    • Detected by Releasebot:
      Oct 22, 2025

    Gitlab

    GitLab Patch Release: 18.5.1, 18.4.3, 18.3.5

    GitLab rolls out patch releases 18.5.1, 18.4.3, and 18.3.5 for CE and EE with critical security fixes and bug patches. Upgrading is strongly advised for self‑managed instances; GitLab.com is already patched.

    Learn more about GitLab Patch Release: 18.5.1, 18.4.3, 18.3.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
    Today, we are releasing versions 18.5.1, 18.4.3, 18.3.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
    These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
    GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab's release blog posts here.
    For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
    We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

    Recommended Action

    We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
    When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.

    Security fixes

    Table of security fixes

    • Improper access control issue in runner API impacts GitLab EE (High)
    • Denial of service issue in event collection impacts GitLab CE/EE (High)
    • Denial of service issue in JSON validation impacts GitLab CE/EE (High)
    • Denial of service issue in upload impacts GitLab CE/EE (Medium)
    • Incorrect Authorization issue in pipeline builds impacts GitLab CE (Medium)
    • Business logic error issue in group memberships impacts GitLab EE (Low)
    • Missing authorization issue in quick actions impacts GitLab EE (Low)

    CVE-2025-11702 - Improper access control issue in runner API impacts GitLab EE

    GitLab has remediated an issue that could have allowed an authenticated user with specific permissions to hijack project runners from other projects.
    Impacted Versions: GitLab EE: all versions from 17.1 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1
    CVSS 8.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
    Thanks iamgk808 for reporting this vulnerability through our HackerOne bug bounty program

    CVE-2025-10497 - Denial of service issue in event collection impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed an unauthenticated user to cause a denial of service condition by sending specially crafted payloads.
    Impacted Versions: GitLab CE/EE: all versions from 17.10 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1
    CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program

    CVE-2025-11447 - Denial of service issue in JSON validation impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed an unauthenticated user to cause a denial of service condition by sending GraphQL requests with crafted JSON payloads.
    Impacted Versions: GitLab CE/EE: all versions from 11.0 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1
    CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program

    CVE-2025-11974 - Denial of service issue in upload impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed an unauthenticated user to create a denial of service condition by uploading large files to specific API endpoints.
    Impacted Versions: GitLab CE/EE: all versions from 11.7 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1
    CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
    This vulnerability has been discovered internally by GitLab team member David Fernandez

    CVE-2025-11971 - Incorrect Authorization issue in pipeline builds impacts GitLab CE

    GitLab has remediated an issue that could have allowed an authenticated user to trigger unauthorized pipeline executions by manipulating commits.
    Impacted Versions: GitLab EE: all versions from 10.6 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1
    CVSS 6.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N)

    CVE-2025-6601 - Business logic error issue in group memberships impacts GitLab EE

    GitLab has remediated an issue that under certain conditions could have allowed authenticated users to gain unauthorized project access by exploiting the access request approval workflow.
    Impacted Versions: GitLab EE: all versions from 18.4 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1
    CVSS 3.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N)
    Thanks rhidayahh for reporting this vulnerability through our HackerOne bug bounty program

    CVE-2025-11989 - Missing authorization issue in quick actions impacts GitLab EE

    GitLab has remediated an issue that could have allowed an authenticated user to execute unauthorized quick actions by including malicious commands in specific descriptions.
    Impacted Versions: GitLab EE: all versions from 17.6 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1
    CVSS 3.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)
    This vulnerability has been discovered internally by GitLab team member Eva Kadlecová

    Bug fixes

    18.5.1

    • [18.5] Downgrade redis-rb gem to v5.4.0
    • [18.5] Fix connection pool errors when health check is running
    • Backport: Test: dismiss duo popover
    • Backport of 'Fix work item status fallback to use lifecycle-aware default'
    • Support stable branch pipelines (18.5 backport)

    18.4.3

    • pgbouncer: Use new bitnamilegacy container registry (18.4 backport)
    • [18.4] Revert discarded database pool check in load balancer
    • Backport 'Fix group wiki inaccessible after deleting and creating group with the same name'
    • Backport ElasticIndexBulkCronWorker throwing NoMethodError for epics
    • [18.4] Fix Geo routes leaking to other specs
    • Backport Allow Zoekt in Search API for blobs scope when Elasticsearch disabled
    • Backport fix-agentic-chat-service-url-for-shm for 18.4 EE
    • Backport Zoekt Kaminari raises an exception if total_count gets negative
    • Backport (18.4) "Update dependency @gitlab/web-ide to ^0.0.1-dev-20250925110326"
    • Backport branch 'sh-fix-login-issues-ubuntu-fips' into 'master'
    • Backport "Improve performance of ready to merge GraphQL query"
    • [18.4] Fix flaky callout dismissal specs
    • Backport: Ensure consistent approval permissions between UI, API and graphql
    • Backport of 'Show whitespace message when there's nothing to show'
    • [18.4] Downgrade redis-rb gem to v5.4.0
    • [18.4] Fix connection pool errors when health check is running
    • Backport 'Remove available auto merge strategies from ready to merge query'
    • 18.4 Backport of 'Fix query for finding existing Jira issues for vulnerabilities'
    • Backport: Test: dismiss duo popover
    • Support stable branch pipelines (18.4 backport)

    18.3.5

    • pgbouncer: Use new bitnamilegacy container registry (18.3 backport)
    • [18.3] Prevent session creation for sessionless users
    • Backport of 'Fix Start free trial link for self-managed instances'
    • Backport 'Fix SlackIntegration duplicate bug when inheriting from parent' to 18.3
    • Backport ElasticIndexBulkCronWorker throwing NoMethodError for epics
    • Backport of 'Recreate SlackIntegration records on descendant integration on update'
    • [18.3] Fix json validation for elasticsearch_aws_role_arn
    • [18.3] Fix flaky callout dismissal specs
    • [18.3] Fix Geo routes leaking to other specs
    • Backport (18.3) "Update dependency @gitlab/web-ide to ^0.0.1-dev-20250925110326"
    • Backport of 'Show whitespace message when there's nothing to show'
    • [18.3] Downgrade redis-rb gem to v5.4.0
    • Backport: Test: dismiss duo popover 18-3
    • Support stable branch pipelines (18.3 backport)

    Important notes on upgrading

    These versions do not include any new migrations, and for multi-node deployments, should not require any downtime.
    Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure file, which is only used for updates.

    Updating

    To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.

    Receive Patch Notifications

    To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.

  • Oct 8, 2025
    • Parsed from source:
      Oct 8, 2025
    • Detected by Releasebot:
      Oct 8, 2025

    Gitlab

    18.4.2

    GitLab ships a set of fixes and a config change aimed at stability and security. Highlights include removing a null constraint, preventing session creation for sessionless users, excluding non‑SaaS trials from CDOT, and moving dates on work item moves plus several security improvements and logging enhancements.

  • Oct 8, 2025
    • Parsed from source:
      Oct 8, 2025
    • Detected by Releasebot:
      Oct 9, 2025

    Gitlab

    GitLab Patch Release: 18.4.2, 18.3.4, 18.2.8

    GitLab releases patch versions 18.4.2, 18.3.4, and 18.2.8 for CE and EE, delivering important bug fixes and security hardening. Strong upgrade recommendations for self‑managed installs; GitLab.com is already patched. Includes security fixes and maintenance improvements.

    Learn more about GitLab Patch Release: 18.4.2, 18.3.4, 18.2.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).
    Today, we are releasing versions 18.4.2, 18.3.4, 18.2.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).
    These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
    GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab's release blog posts here.
    For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
    We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

    Recommended Action

    We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
    When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.

    Security fixes

    Table of security fixes

    • Incorrect authorization issue in GraphQL mutations impacts GitLab EE (High)
    • Denial of Service issue in GraphQL blob type impacts GitLab CE/EE (High)
    • Missing authorization issue in manual jobs impacts GitLab CE/EE (Medium)
    • Denial of Service issue in webhook endpoints impacts GitLab CE/EE (Medium)

    CVE-2025-11340 - Incorrect authorization issue in GraphQL mutations impacts GitLab EE

    GitLab has remediated an issue that, under certain conditions, could have allowed authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records by exploiting incorrectly scoped GraphQL mutations.
    Impacted Versions: GitLab EE: all versions from 18.3 to 18.3.4, 18.4 to 18.4.2
    CVSS: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N)
    This vulnerability has been discovered internally by GitLab team member Brian Williams.

    CVE-2025-10004 - Denial of Service issue in GraphQL blob type impacts GitLab CE/EE

    GitLab has remediated an issue that could make the GitLab instance unresponsive or degraded by sending crafted GraphQL queries requesting large repository blobs.
    Impacted Versions: GitLab CE/EE: all versions from 13.12 to 18.2.8, 18.3 to 18.3.4, and 18.4 to 18.4.2
    CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2025-9825 - Missing authorization issue in manual jobs impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed authenticated users without project membership to view sensitive manual CI/CD variables by querying the GraphQL API.
    Impacted Versions: GitLab CE/EE: all versions from 13.7 to 18.2.8, 18.3 before 18.3.4, and 18.4 before 18.4.2
    CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
    Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2025-2934 - Denial of Service issue in webhook endpoints impacts GitLab CE/EE

    GitLab has remediated an issue impacting an upstream Ruby Core library that could have allowed an authenticated user to create a denial of service condition by configuring malicious webhook endpoints that send crafted HTTP responses. This issue was reported to Ruby Core maintainers on July 17, 2025.
    Impacted Versions: GitLab CE/EE: all versions from 5.2 prior to 18.2.8, 18.3 prior to 18.3.4, and 18.4 prior to 18.4.2
    CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
    Thanks ppee for reporting this vulnerability through our HackerOne bug bounty program.

    Bug fixes

    18.4.2

    • Backport of 'Added safety chaining to pipeline helper'
    • Workhorse: Improve large HTTP handling for DWS proxy
    • Backport of 'Fix: no implicit conversion of String into Array' in Geo::Event workers
    • Backport: Fix agentic chat
    • [18.4] Clear detached partitions before tests run
    • Backport 'Fixes target projects endpoint 404 on compare revisions view'
    • Transfer start and due dates data upon work item move or clone
    • Backport of 'Fix reassignment dropdown in CE'
    • Transfer health status data upon work item move or clone
    • Backport of Revert "Merge branch 'ai-catalog-item-consumers-graphql' into 'master'"
    • Backport of CI_MERGE_REQUEST_DIFF_BASE_SHA not updating on branch change
    • Backport of "Use key-value structure in Release Environment MR label script"
    • Backport of 'Fix Start free trial link for self-managed instances'
    • Update dependency gitlab-fog-azure-rm to '~> 2.4.0'
    • Backport of 'Remove non Saas instances from calling CDOT for trial duration'
    • Backport of 'Remove check_f02a3f53bf not null constraint'
    • 18.4 backport of 'Remove unknown licenses from sbom dependency list export'
    • [18.4] Fix json validation for elasticsearch_aws_role_arn
    • Backport: Change the model selection FF used for self managed
    • [18.4] Prevent session creation for sessionless users
    • Add a gitlab::config alias for package::config recipe

    18.3.4

    • Workhorse: Improve large HTTP handling for DWS proxy
    • [18.3] Clear detached partitions before tests run
    • Backport 'Fixes target projects endpoint 404 on compare revisions view'
    • Transfer start and due dates data upon work item move or clone
    • Backport of 'Fix reassignment dropdown in CE'
    • Transfer health status data upon work item move or clone
    • Backport of "Use key-value structure in Release Environment MR label script"
    • Update dependency gitlab-fog-azure-rm to '~> 2.4.0'
    • Backport of 'Remove non Saas instances from calling CDOT for trial duration'
    • 18.3 backport of 'Remove unknown licenses from sbom dependency list export'
    • Update docs hugo jobs' image to use latest image

    18.2.8

    • [18.2] Allow elastic client adapter to be set
    • [18.2] Clear detached partitions before tests run
    • Transfer start and due dates data upon work item move or clone
    • Backport of 'Fix reassignment dropdown in CE'
    • Transfer health status data upon work item move or clone
    • Backport of "Use key-value structure in Release Environment MR label script"
    • Update dependency gitlab-fog-azure-rm to '~> 2.4.0'
    • [18.2] Fix json validation for elasticsearch_aws_role_arn
    • 18.2 backport of 'Remove unknown licenses from sbom dependency list export'
    • Backport of 'Fix Start free trial link for self-managed instances'
    • Update docs hugo jobs' image to use latest image

    Important notes on upgrading

    This patch includes database migrations that may impact your upgrade process.
    Impact on your installation:

    • Single-node instances: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.
    • Multi-node instances: With proper zero-downtime upgrade procedures, this patch can be applied without downtime.

    Post-deploy migrations

    The following versions include post-deploy migrations that can run after the upgrade:

    • 18.4.2

    To learn more about the impact of upgrades on your installation, see:

    • Zero-downtime upgrades for multi-node deployments
    • Standard upgrades for single-node installations

    Updating

    To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.

    Receive Patch Notifications

    To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.

  • October 2025
    • No date parsed from source.
    • Detected by Releasebot:
      Oct 17, 2025
    • Modified by Releasebot:
      Nov 5, 2025

    Gitlab

    GitLab 18.5 Historical release

    GitLab 18.5 release brings major updates across security, automation, and self-hosting. Highlights include enhanced SAST/DAST, Duo integrations, improved navigation, beta self-hosted models, a new planner, and Maven registry in beta.

    89% complete

    Milestone
    18.5

    Issues
    2099

    • Open: 226
    • Closed: 1873

    GitLab 18.5 release post
    Release notes
    33 new features
    3906 total badges
    Ultimate
    16 new features
    692 total badges
    Application security testing
    DAST authentication scripts : DAST
    C/C++ support for Advanced SAST : SAST
    Secret validity checks is in beta : Secret Detection
    Customizable detection logic for Advanced SAST : SAST
    Advanced SAST diff-based scanning in merge requests : SAST
    Dependency scanning in limited availability : Software Composition Analysis
    Static reachability in limited availability and experimental Java support : Software Composition Analysis
    Software supply chain security
    GitLab Security Analyst Agent for Duo Agent Catalog (beta) : Vulnerability Management , Dependency Management
    Instance-wide compliance and security policy management (self-managed only) : Compliance Management , Security Policy Management
    New vulnerability management features in GitLab Duo Agentic Chat : Vulnerability Management , Dependency Management
    Control requests for external control statuses : Compliance Management
    Show only active vulnerabilities in the dependency list : Dependency Management
    Security risk management
    Expose original severity from the vulnerabilities API : Vulnerability Management
    Time windows for merge request approval policies : Security Policy Management
    Refreshed security finding statuses in the pipeline Security tab : Vulnerability Management
    Exceptions to bypass merge request approval policies : Security Policy Management
    Premium
    8 new features
    772 total badges
    GPT-5 now available as a model option for GitLab Duo Agentic Chat : Model Personalization
    Additional triggers for CLI agents : Duo Agent Platform
    GitLab Duo Agent Platform for GitLab Duo Self-Hosted now in beta (self-managed only) : Self-Hosted Models
    Codestral now supported for GitLab Duo Chat (Classic) (self-managed only) : Self-Hosted Models
    GPT OSS Models compatible with GitLab Duo Agent Platform for GitLab Duo Self-Hosted (self-managed only) : Self-Hosted Models
    Plan
    GitLab Duo Planner, a specialized agent and Product Manager team member (beta) : Portfolio Management
    Configure status lifecycles for issues and tasks : Team Planning
    Package
    Maven virtual registry now available in beta : Virtual Registry
    Core
    9 new features
    2442 total badges
    Pick up where you left off on the new personal homepage : Navigation
    Enhanced Admin area groups list (self-managed only) : Groups & Projects
    Updated navigation experience for groups : Groups & Projects
    Improved inactive item management for groups and projects : Groups & Projects
    Plan
    Format markdown tables in the plain text editor : Markdown
    View child task completion in issues : Team Planning
    Verify
    Variable expansion in environment deployment_tier : Environment Management
    GitLab Runner 18.5 : GitLab Runner Core
    Application security testing
    Increased rule coverage for secret push protection and pipeline secret detection : Secret Detection

  • October 2025
    • No date parsed from source.
    • Detected by Releasebot:
      Oct 6, 2025
    • Modified by Releasebot:
      Oct 10, 2025

    Gitlab

    GitLab 18.4 Historical release

    GitLab 18.4 rolls out powerful safety, AI copilots, and enhanced DevOps tooling. Expect broader AWS region support, Duo AI features, improved SAST and artifact security, and workflow refinements across planning, pipelines, and IaC.

    Milestone

    18.4

    Issues

    2140

    • Open: 198
    • Closed: 1942

    GitLab 18.4 release post

    Release notes

    • 25 new features
    • 3993 total badges
    • Create
    • Ultimate
    • 4 new features
    • 676 total badges
    • Expanded AWS region support for GitLab Dedicated (self-managed only) : GitLab Dedicated , Switchboard
    • Application security testing
    • Significantly faster Advanced SAST scanning : SAST
    • Operational Container Scanning severity threshold configuration : Software Composition Analysis
    • Security risk management
    • Vulnerability details shows the auto-resolve pipeline ID
    • Premium
    • 9 new features
    • 764 total badges
    • GitLab Duo Model Selection now generally available : Model Personalization
    • End user model selection now available with GitLab Duo : Model Personalization
    • GitLab Duo context exclusion : Duo Agent Platform , Duo Chat , Code Suggestions , Vulnerability Management
    • GitLab Duo AI Catalog : Duo Agent Platform , Duo Chat
    • GitLab Duo Agent Platform now available on GitLab Duo Self-Hosted (self-managed only) : Self-Hosted Models
    • Automatic Duo Code Review for groups and applications : Code Review Workflow
    • Additional supported models for GitLab Duo Self-Hosted (self-managed only) : Self-Hosted Models
    • Duo Code Review on GitLab Duo Self-Hosted is generally available (self-managed only) : Code Suggestions , Self-Hosted Models
    • Plan
    • Issue boards now show complete epic hierarchies : Portfolio Management
    • Core
    • 11 new features
    • 2433 total badges
    • GitLab Knowledge Graph : Duo Agent Platform , Duo Chat , Code Suggestions , Vulnerability Management
    • Publish OpenTofu modules and providers to the GitLab container registry with CI/CD templates : Infrastructure as Code
    • Plan
    • Configure how to view issues from the Issues page : Portfolio Management
    • Enhanced parent filtering for epic and issue lists : Portfolio Management
    • Text editors toolbar parity : Markdown
    • Verify
    • Simulate CI/CD Pipelines against different branch : Pipeline Composition
    • GitLab Runner 18.4 : GitLab Runner Core
    • Application security testing
    • Pipeline secret detection now excludes certain files and directories by default : Secret Detection
    • Secret detection analyzer Git fetching improvements : Secret Detection
    • Software supply chain security
    • CI/CD job tokens can authenticate Git push requests : System Access
    • Enhanced controls for who can download job artifacts : Artifact Security
  • October 2025
    • No date parsed from source.
    • Detected by Releasebot:
      Oct 9, 2025
    • Modified by Releasebot:
      Oct 13, 2025

    Gitlab

    GitLab 18.3 Historical release

    GitLab 18.3 lands with 36 new features spanning security, compliance, and DevOps. Highlights include stronger software supply chain protection, enhanced Dependency Scanning and DAST output, new admin roles, and API-driven policy controls for safer, governance‑driven releases.

    Milestone

    18.3

    Issues

    2619

    • Open: 127
    • Closed: 2492

    GitLab 18.3 release post

    Release notes

    36 new features
    3968 total badges

    Software supply chain security

    Enterprise user enhancements (SaaS only) : System Access

    Ultimate

    11 new features
    672 total badges

    Application security testing

    Improved file location information for Dependency Scanning analyzer : Software Composition Analysis
    User-defined source for license information : Software Composition Analysis
    Concise DAST job output : DAST

    Software supply chain security

    Surfacing violations of compliance framework controls (Beta) : Compliance Management
    Custom admin role (self-managed only) : Permissions
    Instance level compliance and policy management (Beta) (self-managed only) : Compliance Management , Security Policy Management

    Security risk management

    Grant pipeline execution policies access to CI/CD configurations via API : Security Policy Management
    Group by OWASP 2021 in the vulnerability report : Vulnerability Management
    Scan execution policy templates : Security Policy Management
    Security policy audit events : Security Policy Management
    Service account and access token exceptions for approval policies : Security Policy Management

    Premium

    11 new features
    755 total badges

    Code Review available on GitLab Duo Self-Hosted (Beta) (self-managed only) : Code Suggestions , Self-Hosted Models

  • October 2025
    • No date parsed from source.
    • Detected by Releasebot:
      Oct 9, 2025

    Gitlab

    GitLab 18.2 Historical release

    GitLab 18.2 ships with a wave of new features across security, DAST, and project planning. Highlights include immutable container tags, MFA for DAST, centralized security policy management, and premium Duo integrations. New workflows for epics and issues streamline planning and delivery.

    Milestone 18.2

    Issues

    • Open: 100
    • Closed: 2045

    GitLab 18.2 release post

    Release notes

    • 35 new features
    • 3814 total badges

    Ultimate

    • 18 new features
    • 661 total badges

    Package

    • Improve security with immutable container tags (Beta) : Container Registry
    • Application security testing
    • Container Scanning support for multi-architecture container images : Software Composition Analysis
    • Static reachability support for JavaScript : Software Composition Analysis
    • Improved support for verifying successful DAST login : DAST
    • DAST support for time-based one-time password MFA : DAST
    • Software supply chain security
    • New group overview compliance dashboard : Compliance Management
    • Deactivate streaming to an audit streaming destination : Audit Events
    • Filter functionality for all audit streaming destinations : Compliance Management
    • Credentials inventory now includes service account tokens : System Access
    • Custom admin role in beta (self-managed only) : Permissions
    • Security risk management
    • Download a PDF export of security reports
    • Centralized Security Policy Management (Beta) (self-managed only) : Security Policy Management
    • Vulnerability ID added to vulnerability report CSV export
    • Reachability filter in the vulnerability report : Vulnerability Management
    • Vulnerability GraphQL API returns additional information : Vulnerability Management
    • Source branch pattern exceptions for approval policies : Security Policy Management
    • Display dependency paths : Dependency Management
    • Security Inventory for comprehensive asset visibility now in beta : Security Asset Inventories

    Premium

    • 9 new features

    • 744 total badges

    • Duo Agent Platform in the IDE (Beta) : Editor Extensions

    • Group and project controls for Premium and Ultimate with GitLab Duo : Code Suggestions , Duo Chat

    • Mistral Small now available for GitLab Duo Self-Hosted (self-managed only) : Self-Hosted Models

    Plan

    • Custom workflow statuses for issues and tasks : Team Planning
    • Configure epic display preferences : Portfolio Management
    • Open epics in a drawer or the full page on the Epics page : Portfolio Management
    • Assign milestones to epics for enhanced long-term planning : Portfolio Management
    • Assign epics to team members : Portfolio Management

    Create

    • Map workspace Kubernetes agents for the instance (self-managed only) : Workspaces

    Core

    • 8 new features
    • 2409 total badges
    • Administrators can reassign contributions without user confirmation (self-managed only) : Importers
    • Reassign from placeholder users to inactive users (self-managed only) : Importers

    Plan

    • Sorting and pagination for GLQL views : Wiki, Team Planning
    • Work item references and editor improvements for GitLab Flavored Markdown : Markdown

    Create

    • New merge request homepage : Code Review Workflow

    Verify

    • GitLab Runner 18.2 : GitLab Runner Core
    • Application security testing
    • Improved archive file support for Container Scanning : Software Composition Analysis
    • Software supply chain security
    • Fine-grained permissions for CI/CD job tokens : Permissions
    • SSH key security warnings : System Access
  • October 2025
    • No date parsed from source.
    • Detected by Releasebot:
      Oct 9, 2025
    Gitlab

    GitLab 18.1 Historical release

    GitLab 18.1 unlocks major security, compliance and developer workflow upgrades. Highlights include SAST/DAST parity, compromised password detection for SaaS, Duo Code Review GA, and richer compliance UI and workflow improvements. A significant platform upgrade aimed at safer, faster delivery.

    GitLab 18.1 release post

    Release notes

    • Milestone 18.1: 98% complete
    • Issues: 2273 (Open: 56, Closed: 2217)

    • 25 new features

    • 3897 total badges

    • Software supply chain security

    • Compromised password detection for native GitLab credentials (SaaS only) : System Access

    • Ultimate

    • 9 new features

    • 643 total badges

    • Application security testing

    • DAST detection parity with secret detection default rules : DAST

    • PHP support for Advanced SAST : SAST

    • Software supply chain security

    • Define a Name for external custom controls : Compliance Management

    • Pagination for requirements in compliance frameworks UI : Compliance Management

    • UI performance and filtering improvements for compliance center : Compliance Management

    • Control status pop-up in the compliance status report : Compliance Management

    • Increased SAST coverage for Duo Vulnerability Resolution : Vulnerability Management

    • Security risk management

    • Filter by component version in the dependency list

    • Variable precedence controls in pipeline execution policies : Security Policy Management

    • Premium

    • 7 new features

    • 735 total badges

    • Multiple matches per file in code search

    • Plan

    • Epic support for GitLab Query Language views Beta : Wiki, Team Planning

    • Create

    • Enhanced CODEOWNERS file validation with permission checks : Source Code Management

    • Custom workspace initialization with postStart events : Workspaces

    • Duo Code Review is now generally available : Code Review Workflow

    • Package

    • Maven virtual registry now available in beta : Virtual Registry

    • Software supply chain security

    • Subscribe to service account pipeline notifications : System Access

    • Core

    • 8 new features

    • 2401 total badges

    • New accessLevels argument for projectMembers in GraphQL API : Groups & Projects

    • Create

    • Enhanced merge request review experience with review panel : Code Review Workflow

    • View downstream pipeline job logs in VS Code : Editor Extensions

    • Verify

    • GitLab Runner 18.1 : GitLab Runner Core

    • Software supply chain security

    • View inactive personal access tokens : System Access

    • Filter for bot and human users (self-managed only) : System Access

    • ORCID identifier in user profile : User Profile

    • Achieve SLSA Level 1 compliance with CI/CD components : Artifact Security

  • October 2025
    • No date parsed from source.
    • Detected by Releasebot:
      Oct 9, 2025
    Gitlab

    GitLab 18.0 Historical release

    GitLab 18.0 lands with major security, code review, and workflow upgrades. It adds enhanced vulnerability traceability, Duo integration, and broader workspace and Kubernetes support. New APIs, dashboards, and policy improvements boost enterprise productivity.

    GitLab 18.0 release post

    Release notes

    • Milestone 18.0: 97% complete
    • Issues: 1940 (Open: 49, Closed: 1891)
    • 35 new features
    • 3872 total badges
    • Ultimate
      • 6 new features
      • 634 total badges
      • Internal releases available for GitLab Dedicated (self-managed only) : GitLab Dedicated
      • Software supply chain security
      • New permissions for custom roles : Permissions
      • Security risk management
      • Exclude packages from license approval rules : Security Policy Management
      • Configure Jira issues from vulnerabilities using the Jira integration API
      • Improved traceability of redetected vulnerabilities
      • Bulk add vulnerabilities to issues from the vulnerability report : Vulnerability Management
    • Premium
      • 12 new features
      • 728 total badges
      • GitLab Premium and Ultimate with Duo : Code Suggestions, Duo Chat
      • Repository X-Ray now available for GitLab Duo Self-Hosted (self-managed only) : Self-Hosted Models
      • List only Enterprise users for contributions reassignment on GitLab.com : Importers
    • Create
      • Automatic reviews with Duo Code Review : Code Review Workflow
      • Code Suggestions prompt caching : Code Suggestions
      • Improved Duo Code Review context : Code Review Workflow
      • Create a workspace from merge requests : Workspaces
      • Shared Kubernetes namespace for workspaces : Workspaces
    • Software supply chain security
      • Display and filter archived projects in the compliance projects report : Compliance Management
      • Disable user invitations : System Access
      • LDAP authentication with GitLab username (self-managed only) : System Access
      • Support for SHA256 SAML certificates : System Access
    • Core
      • 16 new features
      • 2393 total badges
      • Improved pod status visualizations in the dashboard for Kubernetes
      • Support for multiple workspaces in the GitLab for Slack app (self-managed only) : Integrations
      • Delete groups and placeholder users : Importers
      • GitLab chart 9.0 released with breaking changes (self-managed only) : Cloud Native Installation, Omnibus Package
      • Deletion protection available for all users : Groups & Projects
      • Delayed project deletion for user namespaces : Groups & Projects
      • New active parameter for Groups and Projects REST APIs : Groups & Projects
    • Plan
      • GitLab Query Language views enhancements : Wiki, Team Planning
      • Pages template improvements : Pages
    • Create
      • View open merge requests targeting files : Source Code Management
    • Verify
      • New CI/CD analytics view for projects in limited availability : Fleet Visibility
      • GitLab Runner 18.0 : GitLab Runner Core
    • Application security testing
      • Security scanners now support MR pipelines : API Security, Container Scanning, DAST, Fuzz Testing, SAST, Secret Detection, Software Composition Analysis
    • Software supply chain security
      • Limit maximum user session length (self-managed only) : System Access
      • Granular permissions for job tokens in beta : Permissions
    • Monitor
      • Event data collection (self-managed only) : Application Instrumentation
  • Sep 25, 2025
    • Parsed from source:
      Sep 25, 2025
    • Detected by Releasebot:
      Oct 6, 2025
    Gitlab

    GitLab Patch Release: 18.4.1, 18.3.3, 18.2.7

    GitLab rolls out patch releases 18.4.1, 18.3.3, and 18.2.7 for CE/EE with critical security fixes and bug repairs. Upgrades are strongly recommended for self-managed instances; GitLab.com is already patched. Includes PostgreSQL security updates and upgrade notes.

    GitLab Patch Release: 18.4.1, 18.3.3, 18.2.7 for GitLab Community Edition (CE) and Enterprise Edition (EE)

    Learn more about GitLab Patch Release: 18.4.1, 18.3.3, 18.2.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).

    Today, we are releasing versions 18.4.1, 18.3.3, 18.2.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).

    These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.

    GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab's release blog posts here.

    For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

    We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

    Recommended Action

    We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

    When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.

    Security fixes

    Table of security fixes

    • Cross-site scripting issue impacts GitLab CE/EE (High severity)
    • Denial of Service issue when uploading specifically crafted JSON files impacts GitLab CE/EE (High severity)
    • Denial of Service issue bypassing query complexity limits impacts GitLab CE/EE (High severity)
    • Information disclosure issue in virtual registry configuration for low privileged users impacts GitLab CE/EE (Medium severity)
    • Privilege Escalation issue from within the Developer role impacts GitLab EE (Medium severity)
    • Denial of Service issue in GraphQL API via Unbounded Array Parameters impacts GitLab CE/EE (Medium severity)
    • Improper Authorization issue for Project Maintainers when assigning roles impacts GitLab EE (Low severity)
    • Denial of Service issue in GraphQL API blobSearch impacts GitLab CE/EE (Low severity)
    • Incorrect ownership assignment via Move Issue drop-down impacts GitLab CE/EE (Low severity)
    • Denial of Service issue via string conversion methods impacts GitLab CE/EE (Low severity)

    Details of key CVEs and fixes are provided, including impacted versions and CVSS scores.

    PostgreSQL security updates: PostgreSQL has been updated to version 16.10 which contains fixes for security vulnerabilities including CVE-2025-8713, CVE-2025-8714 and CVE-2025-8715.

    Bug fixes are listed for versions 18.4.1, 18.3.3, and 18.2.7 with various backports and fixes.

    Important notes on upgrading:

    These versions do not include any new migrations, and for multi-node deployments, should not require any downtime.
    Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure file, which is only used for updates.

    Updating:

    To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.

    Receive Patch Notifications:

    To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
