Gitlab Release Notes
Last updated: Apr 17, 2026
- Apr 16, 2026
- Date parsed from source: Apr 16, 2026
- First seen by Releasebot: Apr 17, 2026
GitLab 18.11 release notes
GitLab releases 18.11 with major AI, security, CI/CD, and platform upgrades, including Agentic SAST vulnerability resolution, the Data Analyst and CI Expert agents, finer-grained access controls, new security dashboard insights, expanded Kubernetes and Gitaly support, and Runner 18.11.
On April 16, 2026, GitLab 18.11 was released with the following features.
In addition, we want to thank all of our contributors, including this month's notable contributor.
This month’s Notable Contributor: Rinku C
We are excited to recognize Rinku C, a Level 4 contributor with over 80 merged improvements across GitLab since joining in September 2025.
Nominated by Arianna Haradon, Senior Fullstack Engineer on the Developer Relations team, this award celebrates his sustained and meaningful impact over time. Rinku has strengthened security-sensitive flows by requiring scopes on project and group access token creation forms, and improved everyday GitLab experience with numerous updates like next/previous navigation in job logs, excluding empty searches from recent, and reducing file tree clutter through thoughtful UI refinements that make common workflows clearer and easier to navigate. Rinku tackles the work that often goes unclaimed, keeping the codebase healthy and compounding to meaningful, lasting value. Thank you for your contributions!
Primary features
Vulnerability resolution generally available on GitLab Duo Agent Platform
Available in: Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated
Links: Documentation, Related issue
Agentic SAST Vulnerability Resolution is now generally available in GitLab 18.11 on the GitLab Duo Agent Platform. It runs as part of your SAST scan, after SAST false positive detection runs, or when manually triggered for individual SAST vulnerabilities.
Agentic SAST Vulnerability Resolution:
- Autonomously analyzes the finding and reasons through the surrounding code context.
- Automatically creates a ready-to-review merge request with proposed code fixes for critical and high severity SAST vulnerabilities.
- Provides quality assessments so reviewers can quickly gauge confidence in the proposed remediation.
- Allows you to apply resolutions directly from vulnerability details pages.
We welcome your feedback in issue 585626.
GitLab Data Analyst Foundational Agent now generally available
Available in: Free, Premium, Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated
Links: Documentation, Related epic
The Data Analyst Agent is a specialized AI chat assistant that helps you query, visualize, and surface data across the GitLab platform.
Backed by the GitLab Query Language (GLQL), the Data Analyst can retrieve and analyze data about each of the supported data sources, and provide clear, actionable insights about your software development health and engineering efficiency.
These insights can be visualized directly in the agent output and embedded directly into issues and epics for further evaluation.
CI Expert Agent launches in beta
Available in: Free, Premium, Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related issue
The AI-powered CI Expert Agent is now available in beta. This agent helps teams get from GitLab code to a first working pipeline without starting from a blank .gitlab-ci.yml.
Using GitLab Duo Agent Platform, the agent inspects your repository, asks a few guided questions about your build and test process, and generates a ready-to-run pipeline you can review, edit, and commit.
This turns pipeline creation into a conversational, context-aware experience, while still letting you take full control of the YAML after you’re ready to evolve and optimize your configuration.
Automated vulnerability severity overrides
Available in: Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related epic
Default vulnerability severities don’t always reflect your organization’s actual risk. A critical CVE in an internal-only service might not warrant the same urgency as one in a public-facing application, yet teams spend significant time triaging findings that don’t match their risk model.
Vulnerability management policies can now automatically adjust the severity of vulnerabilities based on conditions like CVE ID, CWE ID, file path, and directory. When applied, the policy updates the severity of any vulnerability that matches the criteria on the default branch. Manual overrides still take precedence, and all changes are logged in the vulnerability’s history and audit events.
This reduces triage work and ensures developers focus on the findings that matter most to your business.
Create Service Account in subgroups and projects
Available in: Free, Premium, Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related epic
Teams can now create service accounts in subgroups and projects. Instead of broad, top-level group bots, you can attach a dedicated service account to a single subgroup or project and manage its access like any other member of that namespace. Group and subgroup service accounts can be invited to the group where they were created or to any descendant subgroups and projects. Project service accounts are limited to their own project.
Service Accounts available on GitLab Free
Available in: Free, Premium, Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related epic
Service accounts are now available on GitLab.com in all tiers. Previously limited to Premium and Ultimate, service accounts let you perform automated actions, access data, or run scheduled processes without tying credentials to individual team members. They’re commonly used in pipelines and third-party integrations where credentials must stay stable regardless of team changes. On GitLab Free, you can create up to 100 service accounts per top-level group, including those created in subgroups or projects.
Fine-grained permissions for personal access tokens now available (Beta)
Available in: Free, Premium, Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related epic
Fine-grained personal access tokens (PATs) are now available in beta. Unlike legacy PATs, which grant access to every project and group you belong to, fine-grained PATs let you limit each token to specific resources and actions. This reduces the potential impact of a leaked or compromised token.
Your existing PATs continue to work as before, and you can still create legacy PATs without fine-grained permissions.
This beta release covers approximately 75% of the GitLab REST API. Full REST API coverage, GraphQL enforcement, and administrator policy controls are planned for the GA release.
To share feedback, see epic 18555.
Top CWE chart in security dashboards
Available in: Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related epic
The top CWE chart is now available on the new security dashboards. Identify the most common CWEs across your project or instance to find opportunities for training, improvement, or program optimization. Users can group the dashboard data by severity and filter the dashboard by severity, project, and report type.
Deploy Gitaly on Kubernetes
Available in: Free, Premium, Ultimate
Offerings: GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related issue
You can now deploy Gitaly on Kubernetes as a fully supported deployment method. This gives you greater flexibility in managing your GitLab infrastructure by using Kubernetes orchestration capabilities for scaling, high availability, and resource management. Previously, Kubernetes deployments required custom configurations and weren’t officially supported, making it difficult to maintain reliable Gitaly clusters in containerized environments.
Reconfigure inputs when manually running MR pipelines
Available in: Free, Premium, Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related issue
A powerful aspect of CI/CD inputs is that you can manually run new pipelines with new values for runtime customization. This was not available in merge request (MR) pipelines before, but in this release you can now customize inputs in MR pipelines too.
After you configure inputs for MR pipelines, you can optionally modify those inputs and change the pipeline behavior any time you run a new pipeline for a merge request.
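As an added illustration, not code from the release post or from GitLab's own documentation, the following `.gitlab-ci.yml` declares inputs in a `spec` header and uses them in a job. The input names (`test_suite`, `log_level`), their defaults, and the `./run-tests.sh` command are assumptions chosen for the example. Inputs declared this way take their defaults in automatically triggered pipelines, and are the values you can change when starting a pipeline manually, which this release extends to merge request pipelines.

```yaml
# Added example, not from the release post. Input names, defaults and the
# test command are assumptions chosen for illustration.
spec:
  inputs:
    test_suite:
      description: Which test suite the test job runs
      default: unit
      options: [unit, integration, all]
    log_level:
      description: Verbosity passed to the test runner
      default: info
---
# Run this pipeline for merge requests and for pushes to the default branch.
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

# Input values are interpolated into the configuration before the pipeline
# is created, so a manually started MR pipeline can use different values
# without editing this file.
test:
  stage: test
  script:
    - echo "Suite=$[[ inputs.test_suite ]] LogLevel=$[[ inputs.log_level ]]"
    - ./run-tests.sh --suite "$[[ inputs.test_suite ]]" --log-level "$[[ inputs.log_level ]]"
```

With this configuration, automatic MR pipelines use the defaults (`unit` and `info`); choosing `integration` or `all` when manually running a new pipeline for the merge request applies to that run only, and `options` restricts what a person starting the pipeline can enter.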
Agentic Core
Default model for GitLab Duo Agentic Chat updated from Haiku 4.5 to Sonnet 4.6
Available in: Premium, Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated
Links: Documentation, Related issue
We’ve made an update to improve your Agentic Chat experience in GitLab. The default model for Agentic Chat was upgraded from Claude Haiku 4.5 to Claude Sonnet 4.6, hosted on Vertex AI. Claude Sonnet 4.6 offers improved reasoning and response quality but uses a higher GitLab Credit multiplier than Haiku 4.5.
You can select an alternative model, including Haiku, using the model selection setting. If you’ve already selected a specific model, your choice is preserved. This update only affects the default and will not override any existing selections. For information about credit multipliers by model, see the GitLab Credits documentation.
Configure tools in custom flow definitions
Available in: Free, Premium, Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related issue
You can now configure tool options and parameter values directly in your custom flow definitions to supersede the LLM default values. This gives you more precise, consistent control over how tools behave within a custom flow, making it easier to enforce guardrails and specific parameter values across that flow.
Mistral AI now supported as a self-hosted model in GitLab Duo Agent Platform
Available in: Premium, Ultimate
Offerings: GitLab Self-Managed
Links: Documentation, Related issue
GitLab Duo Agent Platform now supports Mistral AI as an LLM platform for self-hosted model deployments. GitLab Self-Managed customers can configure Mistral AI alongside existing supported platforms, including AWS Bedrock, Google Vertex AI, Azure OpenAI, Anthropic, and OpenAI. This gives teams more choice in how they run AI-powered features.
Scale and Deployments
View historical months in GitLab Credits dashboard
Available in: Premium, Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related issue
The GitLab Credits dashboard in Customers Portal now supports historical month navigation. Billing managers can browse past billing months to review daily usage trends, compare consumption patterns across periods, and reconcile usage with invoices. Previously, the dashboard only displayed the current billing month. With this improvement, administrators can make more informed decisions about credit allocation and forecast future needs based on historical data.
Set subscription-level usage cap for GitLab Credits
Available in: Premium, Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation
Administrators can now set a monthly usage cap for On-Demand Credits at the subscription level. When total on-demand credit consumption reaches the configured cap, GitLab Duo Agent Platform access is automatically suspended for all users on that subscription until the next billing period begins or the admin adjusts the cap. This setting gives organizations a hard guardrail against unexpected overage bills, removing a key barrier to broader Agent Platform rollout. Caps reset automatically each billing period, and administrators receive an email notification when the cap is reached.
Set per-user GitLab Credits cap
Available in: Premium, Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation
Administrators can now set an optional per-user usage cap for GitLab Credits per billing period. When an individual user’s total credit consumption reaches the configured limit, GitLab Duo Agent Platform access is suspended only for that user, while other users continue unaffected. This prevents any single user from consuming a disproportionate share of the organization’s credit pool, and gives administrators fine-grained control over usage distribution. Per-user usage caps work alongside subscription-level usage caps, by applying the cap that is reached first.
Linux package improvements
Available in: Free, Premium, Ultimate
Offerings: GitLab Self-Managed
Links: Documentation, Related issue
In GitLab 19.0, the minimum supported version of PostgreSQL will be version 17. To prepare for this change, on instances that don’t use PostgreSQL Cluster, upgrades to GitLab 18.11 will attempt to automatically upgrade PostgreSQL to version 17.
If you use PostgreSQL Cluster or opt out of this automated upgrade, you must manually upgrade to PostgreSQL 17 to be able to upgrade to GitLab 19.0.
Backup and Restore Support for Container Registry Metadata Database
Available in: Free, Premium, Ultimate
Offerings: GitLab Self-Managed
Links: Documentation, Related issue
The GitLab backup Rake task for Linux package installations and the backup-utility for Cloud Native (Helm) installations now support the container registry metadata database. You can now back up references to blobs, manifests, tags, and other data stored in the metadata database, enabling recovery in the event of malicious or accidental data corruption.
New navigation experience for groups in Explore
Available in: Free, Premium, Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related epic
We’re excited to announce improvements to the groups list in Explore, making it easier to discover groups across your GitLab instance. The redesigned interface introduces a tabbed layout with two views:
- Active tab: Browse all accessible groups, helping you discover relevant communities and projects.
- Inactive tab: View archived groups and groups pending deletion for visibility into group lifecycle status.
These changes streamline group discovery and provide clearer visibility into which groups are available to join.
Asynchronous transfer of projects
Available in: Free, Premium, Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related epic
In previous versions of GitLab, transfers of large groups and projects could time out. As we move groups and projects to a unified state model for operations such as transfer, archive, and deletion, you get more consistent behavior, better visibility into state history and audit details, and fewer timeouts, specifically for long-running transfer operations, which are now processed asynchronously.
Unified DevOps and Security
ClickHouse is generally available for Self-Managed deployments
Available in: Free, Premium, Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated
Links: Documentation, Related issue
For GitLab Self-Managed instances, we now have improved recommendations and configuration guidance for the GitLab ClickHouse integration. Customers have options to bring their own cluster, or use the ClickHouse Cloud (recommended) setup option. This integration powers multiple dashboards and unlocks access to various API endpoints within the analytics space.
This scalable, high-performance database is part of the larger architectural improvements planned for the GitLab analytics infrastructure.
Enhanced GitLab Duo Agent Platform analytics on Duo and SDLC trends dashboard
Available in: Premium, Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated
Add-ons: Duo Pro, Duo Enterprise
Links: Documentation, Related epic
The GitLab Duo and SDLC trends dashboard delivers improved analytics capabilities to measure the impact of GitLab Duo on software delivery. The dashboard now includes new single stat panels for monthly Agent Platform unique users and Agentic Chat sessions. Additionally, metrics previously displayed as a percentage of usage compared to seat assignments have been updated to strictly report usage counts. This change resolves the issue where counts were missing Agent Platform usage controlled under the new usage billing model.
GLQL now has access to projects, pipelines, and jobs data sources
Available in: Free, Premium, Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated
Links: Documentation
The GitLab Query Language (GLQL) now has access to three new data sources: projects, pipelines, and jobs. These new data sources are also available as embedded views, letting teams surface pipeline results, job statuses, and project overviews directly in wikis, issue and merge request descriptions, and repository Markdown files. GLQL also powers the Data Analyst Agent. With these new types, the agent can inspect CI/CD job results, debug failures, and provide detailed overviews of pipeline execution, as well as provide an accurate overview of projects in a namespace.
Dependency resolution for Maven and Python SBOM scanning
Available in: Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related epic
GitLab dependency scanning using SBOM now supports generating a dependency graph automatically for Maven and Python projects. Previously, dependency scanning required users to provide a lock file or a graph file to get an accurate dependency analysis. Now, when a lock file or graph file is not available, the analyzer automatically attempts to generate one. This improvement makes it easier for Maven and Python projects to enable dependency scanning without requiring a lock file.
Incremental scanning for Advanced SAST
Available in: Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related epic
You can now perform incremental scans that analyze only changed parts of the codebase with GitLab Advanced SAST, significantly reducing scan times compared to full repository scans. This feature is a further iteration of diff-based scanning: it scans only what changed, but still produces full results for the codebase.
By scanning just the code that has changed rather than the entire codebase, your teams can integrate security testing more seamlessly into their development workflow without sacrificing speed or adding friction.
Unverified vulnerabilities (Beta)
Available in: Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related epic
Advanced SAST can now surface unverified vulnerabilities (findings that cannot be fully traced from source to sink) directly in the vulnerability report. Enable this feature if you have a higher tolerance for false positives over false negatives.
This feature is in beta status. Provide feedback in issue 596512.
Kubernetes 1.35 support
Available in: Free, Premium, Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related issue
GitLab now fully supports Kubernetes version 1.35. If you want to deploy your applications to Kubernetes and access all features, upgrade your connected clusters to the most recent version. For more information, see supported Kubernetes versions for GitLab features.
Prefer mode for the container registry metadata database
Available in: Free, Premium, Ultimate
Offerings: GitLab Self-Managed
Links: Documentation, Related issue
You can now set the container registry metadata database to prefer mode, a new configuration option alongside the existing true and false values. In prefer mode, the registry automatically detects whether it should use the metadata database or fall back to legacy storage based on the current state of your installation.
If your registry has existing filesystem metadata that has not been imported to the database, the registry continues to use legacy storage until you complete a metadata import. If the database is already in use, or on a fresh installation, the registry uses the database directly.
In a later release, prefer mode will become the default for new Linux package installations. Existing installations will not be affected. For more information, see issue 595480.
Package protection rules now support Terraform modules
Available in: Free, Premium, Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related issue
Teams publishing Terraform modules through the built-in GitLab Terraform module registry had no way to restrict who could push new module versions. Package protection rules supported several package formats but did not include terraform_module, leaving infrastructure teams without a project-level push control.
You can now create package protection rules scoped to terraform_module, restricting push access based on minimum role. Support is available in the UI package type dropdown, the REST API, the GraphQL API, and the GitLab Terraform provider resource.
Release evidence now includes packages
Available in: Free, Premium, Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related issue
When creating a GitLab Release, packages published to the package registry were not automatically associated with it. Teams had to manually construct package URLs and attach them as release links through the API or pipeline scripts, adding friction and risk of incomplete release records.
GitLab now automatically includes packages in release evidence when the package version matches the release tag. This creates a verifiable, auditable link between your release and its associated packages without any manual steps, keeping source code, artifacts, and packages together in one complete release snapshot.
Wiki sidebar toggle repositioned for easier access
Available in: Free, Premium, Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related issue
The wiki sidebar toggle is now positioned on the left side, directly next to the sidebar it controls.
When the sidebar is collapsed, the toggle remains visible as a floating control so you can reopen it without scrolling back to the top of the page.
Sticky action bar on wiki pages
Available in: Free, Premium, Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related issue
The action bar on wiki pages is now sticky, so it remains visible as you scroll through a page. Previously, you had to scroll back to the top to access actions like editing, viewing page history, or managing templates. Now the page title and key actions, including Edit, New page, Templates, Page history, and more, stay within reach no matter how far down the page you are.
Epic weights
Available in: Premium, Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related epic
Epics now support weights, making it easier to estimate and prioritize large-scale initiatives during planning.
Before breaking down an epic into child issues, you can assign a preliminary weight to represent your initial estimate. As you decompose the epic, the weight automatically updates to reflect the rolled-up total from all child issues. This is consistent with how weight rollup works for issues and tasks.
On the epic detail page, you can see both the preliminary weight and the rolled-up weight from child issues, giving you the insight needed to refine estimates over time.
Block merge requests with high exploitability risk
Available in: Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related epic
Previously, merge request (MR) approval policies could block MRs based on vulnerability severity, but not all vulnerabilities carry the same risk. CVSS severity alone doesn’t tell you whether a CVE is being exploited or how likely exploitation is. This leads to noisy approval policies and wasted time for developers and security teams.
You can now configure MR approval policies using Known Exploited Vulnerability (KEV) and Exploit Prediction Scoring System (EPSS) data. Block or require approval when a finding is in the KEV catalog (actively exploited in the wild), or when its EPSS score is above a threshold. Policy violations in the MR include KEV and EPSS context so developers understand why the security gate was triggered.
This gives security teams precise control over which findings block or warn, reduces alert fatigue, and keeps enforcement aligned with the current threat landscape.
Assign CVSS 4.0 scores to vulnerabilities
Available in: Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related epic
CVSS 4.0 is the latest version of the industry standard used to assess and rate the severity of a vulnerability. You can now view and access the CVSS 4.0 score in the UI, including the vulnerability details page and the vulnerability report. You can also query the score using the API.
Improved row interaction in the vulnerability report
Available in: Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related issue
Previously, you had to select the row description to navigate to a vulnerability details page from the vulnerability report.
You can now select anywhere in the row to go directly to its details. Link styling for the vulnerability description and file location only appears when you hover over each link, and keyboard navigation has been improved.
These changes make the vulnerability report more intuitive and accessible.
Export a security dashboard as a PDF
Available in: Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related epic
You can export the security dashboard as a PDF for use in reports and presentations. The export captures the current state of all of the charts and panels in the dashboard, including any active filters.
SAST scanning in security configuration profiles
Available in: Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related epic
In GitLab 18.9, we introduced security configuration profiles with the Secret Detection - Default profile. In GitLab 18.11, profiles now extend to SAST with the Static Application Security Testing (SAST) - Default profile, giving you a unified control surface to apply standardized static analysis coverage across all your projects without touching a single CI/CD configuration file.
The profile activates two scan triggers:
- Merge Request Pipelines: Automatically runs a SAST scan each time new commits are pushed to a branch with an open merge request. Results only include new vulnerabilities introduced by the merge request.
- Branch Pipelines (default only): Runs automatically when changes are merged or pushed to the default branch, providing a complete view of your default branch’s SAST posture.
Security attribute filters in group security dashboards
Available in: Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related epic
You can now filter the results in a group security dashboard based on the security attributes that you have applied to the projects in that group.
The available security attributes include the following:
- Business impact
- Application
- Business unit
- Internet exposure
- Location
Security Manager role (Beta)
Available in: Free, Premium, Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation
The Security Manager role is now available as a beta feature, providing a new default set of permissions designed specifically for security professionals. Security teams no longer need Developer or Maintainer roles to access security features, eliminating over-privileging concerns while maintaining separation of duties.
Users with the Security Manager role have the following access:
- Vulnerability management: View, triage, and manage vulnerabilities across groups and projects, including vulnerability reports and security dashboards.
- Security inventory: View a group’s security inventory to understand scanner coverage across all projects.
- Security configuration profiles: View security configuration profiles for a group.
- Compliance tools: View audit events, compliance center, compliance frameworks, and dependency lists for a group or project.
- Secret push protection: Enable secret push protection for a group.
- On-demand DAST: Create and run on-demand DAST scans for a group.
To get started, go to a group and select Manage > Members to invite and assign members to the Security Manager role.
Identifier list popover in the vulnerability report
Available in: Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related issue
The vulnerability report now shows the primary CVE identifier as a clickable link in each row. When multiple identifiers exist, a +N more popover lists all of the identifiers. Each identifier in the list links to its external reference (for example, in the CVE, CWE, or WASC databases) so you can quickly access more details without leaving the report.
GitLab Runner 18.11
Available in: Free, Premium, Ultimate
Offerings: GitLab Self-Managed, GitLab.com, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation
We’re also releasing GitLab Runner 18.11 today! GitLab Runner is the highly-scalable build agent that runs your CI/CD jobs and sends the results back to a GitLab instance. GitLab Runner works in conjunction with GitLab CI/CD, the open-source continuous integration service included with GitLab.
What’s New:
- Create concrete helper image with bundled dependencies
- Read the job router feature flag from the runner configuration instead of an environment variable
Bug Fixes:
- Incorrect runner binary path after refactoring
- Pipeline hangs on cache operations
- The docker-machine binary in GitLab Runner 18.9.0 references CVE-2025-68121
- Runner silently falls back to job payload credentials when credential helper binary is missing from DOCKER_AUTH_CONFIG
- CONCURRENT_PROJECT_ID not unique in different jobs, which causes a conflict in the builds directory
- Artifact upload fails with timeout awaiting response headers
- User-defined after_script executes after failed pre_build_script and bypasses post_build_script
The list of all changes is in the GitLab Runner CHANGELOG.
Related topics
GitLab 18.11 Historical release
GitLab releases 18.11 with 42 new features across security, Duo, DevOps, and platform management, including broader vulnerability controls, updated Agent Platform capabilities, Kubernetes 1.35 support, improved group navigation, and GitLab Runner 18.11.
Milestone: 18.11 (84% complete)
Issues: 2352 (381 open, 1971 closed)
Assets: source code archives (zip, tar.gz, tar.bz2, tar)
Other
GitLab 18.11 release post
Release notes
42 new features
4062 total badges
Ultimate
13 new features
737 total badges
Application security testing
Dependency resolution for Maven and Python SBOM scanning : Software Composition Analysis
Incremental scanning for Advanced SAST : SAST
Unverified vulnerabilities (Beta) : SAST
Software supply chain security
Vulnerability resolution generally available on GitLab Duo Agent Platform : Vulnerability Management
Security risk management
Automated vulnerability severity overrides : Security Policy Management
Top CWE chart in security dashboards
Block merge requests with high exploitability risk : Security Policy Management
Assign CVSS 4.0 scores to vulnerabilities : Vulnerability Management
Improved row interaction in the vulnerability report : Vulnerability Management
Export a security dashboard as a PDF : Vulnerability Management
SAST scanning in security configuration profiles : Security Testing Configuration
Security attribute filters in group security dashboards : Vulnerability Management
Identifier list popover in the vulnerability report : Vulnerability Management
Premium
Default model for GitLab Duo Agentic Chat updated from Haiku 4.5 to Sonnet 4.6 : Duo Agent Platform
Mistral AI now supported as a self-hosted model in GitLab Duo Agent Platform (self-managed only) : Self-Hosted Models
Enhanced GitLab Duo Agent Platform analytics on Duo and SDLC trends dashboard : DevOps Reports
View historical months in GitLab Credits dashboard : Consumables Cost Management
Set subscription-level usage cap for GitLab Credits : Consumables Cost Management
Set per-user GitLab Credits cap : Consumables Cost Management
Plan
Epic weights : Portfolio Management
Core
GitLab Data Analyst Foundational Agent now generally available : Custom Dashboards Foundation
Deploy Gitaly on Kubernetes (self-managed only) : Gitaly
Configure tools in custom flow definitions : Duo Agent Platform
ClickHouse is generally available for Self-Managed deployments : DevOps Reports
GLQL now has access to projects, pipelines, and jobs data sources : Custom Dashboards Foundation
Kubernetes 1.35 support : Deployment Management
Linux package improvements (self-managed only) : Omnibus Package
Backup and Restore Support for Container Registry Metadata Database (self-managed only) : Backup/Restore of GitLab instances
New navigation experience for groups in Explore : Groups & Projects
Asynchronous transfer of projects : Groups & Projects
Plan
Wiki sidebar toggle repositioned for easier access : Wiki
Sticky action bar on wiki pages : Wiki
Verify
CI Expert Agent launches in beta : Pipeline Composition
Reconfigure inputs when manually running MR pipelines : Pipeline Composition
GitLab Runner 18.11 : GitLab Runner Core
Package
Prefer mode for the container registry metadata database (self-managed only) : Container Registry
Package protection rules now support Terraform modules : Package Registry
Release evidence now includes packages : Package Registry , Release Evidence
Software supply chain security
Create Service Account in subgroups and projects : System Access
Service Accounts available on GitLab Free : System Access
Fine-grained permissions for personal access tokens now available (Beta) : Permissions
Security risk management
Security Manager role (Beta) : Permissions
- Apr 8, 2026
- Date parsed from source:Apr 8, 2026
- First seen by Releasebot:Apr 8, 2026
GitLab Patch Release: 18.10.3, 18.9.5, 18.8.9
Gitlab releases patch updates for CE and EE with important bug and security fixes across websocket, Terraform state lock, GraphQL, CSV import and export, analytics dashboards, environments, and custom roles. The patch also includes stability fixes and no new migrations.
Learn more about GitLab Patch Release: 18.10.3, 18.9.5, 18.8.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).
Today, we are releasing versions 18.10.3, 18.9.5, 18.8.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab's release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
Recommended Action
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
Security fixes
Table of security fixes
Title - Severity
Exposed Method issue in websocket connections impacts GitLab CE/EE - High
Denial of Service issue in Terraform state lock API impacts GitLab CE/EE - High
Denial of Service issue in GraphQL API impacts GitLab CE/EE - High
Denial of Service issue in CSV import impacts GitLab CE/EE - Medium
Denial of Service issue in GraphQL SBOM API impacts GitLab EE - Medium
Code Injection issue in Code Quality reports impacts GitLab EE - Medium
Cross-site Scripting issue in analytics dashboards impacts GitLab EE - Medium
Incorrect Authorization issue in vulnerability flags AI detection API impacts GitLab EE - Medium
Information disclosure issue in certain GraphQL query impacts GitLab EE - Medium
Improper Access Control issue in Environments API impacts GitLab EE - Medium
Information disclosure issue in CSV export impacts GitLab CE/EE - Medium
Missing Authorization issue in custom role permissions impacts GitLab CE/EE - Low
CVE-2026-5173 - Exposed Method issue in websocket connections impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user to invoke unintended server-side methods through websocket connections due to improper access control.
Impacted Versions: GitLab CE/EE: all versions from 16.9.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3
CVSS 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N)
This vulnerability has been discovered internally by GitLab team member Simon Tomlinson
CVE-2026-1092 - Denial of Service issue in Terraform state lock API impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to cause denial of service due to improper input validation of JSON payloads.
Impacted Versions: GitLab CE/EE: all versions from 12.10 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2025-12664 - Denial of Service issue in GraphQL API impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries.
Impacted Versions: GitLab CE/EE: all versions from 13.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks foxribeye for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-1403 - Denial of Service issue in CSV import impacts GitLab CE/EE
GitLab has remediated an issue in CSV import that could have allowed an authenticated user to cause denial of service to Sidekiq workers due to improper validation of CSV file structure.
Impacted Versions: GitLab CE/EE: all versions from 11.7 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-1101 - Denial of Service issue in GraphQL SBOM API impacts GitLab EE
GitLab has remediated an issue that could have allowed an authenticated user to cause denial of service to the GitLab instance due to improper input validation in GraphQL queries.
Impacted Versions: GitLab EE: all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks sim4n6 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-1516 - Code Injection issue in Code Quality reports impacts GitLab EE
GitLab has remediated an issue in Code Quality reports that could have allowed an authenticated user to leak the IP addresses of users viewing the report via specially crafted content.
Impacted Versions: GitLab EE: all versions from 18.0.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3
CVSS 5.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)
Thanks maksyche for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-4332 - Cross-site Scripting issue in analytics dashboards impacts GitLab EE
GitLab has remediated an issue that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary JavaScript in the context of other users' browsers due to improper input sanitization.
Impacted Versions: GitLab EE: all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3
CVSS 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-2619 - Incorrect Authorization issue in vulnerability flags AI detection API impacts GitLab EE
GitLab has remediated an issue that under certain circumstances could have allowed an authenticated user with auditor privileges to modify vulnerability flag data in private projects due to incorrect authorization.
Impacted Versions: GitLab EE: all versions from 18.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Thanks sage_cyberlord for reporting this vulnerability through our HackerOne bug bounty program
CVE-2025-9484 - Information Disclosure issue in certain GraphQL query impacts GitLab EE
GitLab has remediated an issue that under certain circumstances could have allowed an authenticated user to have access to other users' email addresses via certain GraphQL queries.
Impacted Versions: GitLab EE: all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks mateuszek for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-1752 - Improper Access Control issue in Environments API impacts GitLab EE
GitLab has remediated an issue that could have allowed an authenticated user with developer-role permissions to modify protected environment settings due to improper authorization checks in the API.
Impacted Versions: GitLab EE: all versions from 11.3 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Thanks modhanami for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-2104 - Information Disclosure issue in CSV export impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user to access confidential issues assigned to other users via CSV export due to insufficient authorization checks.
Impacted Versions: GitLab CE/EE: all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks ahacker1 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-4916 - Missing Authorization issue in custom role permissions impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user with custom role permissions to demote or remove higher-privileged group members due to improper authorization checks on member management operations.
Impacted Versions: GitLab CE/EE: all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3
CVSS 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)
Thanks theluci for reporting this vulnerability through our HackerOne bug bounty program
Bug fixes
18.10.3
- [18.10] Revert "Merge branch 'segregate-buildx-build-among-rails-ce-and-ee' into 'master'"
- chore: bump gitlab-zoekt to v1.11.1 on 18-10-stable
- Backport of Validate parallel:matrix expanded job name length
- Fix flaky spec in spec/requests/api/merge_requests_spec.rb
- Backport of Fix remaining failures in new_project_spec.rb after !228726
- Backport of 'Fixes gitlab-rspec test failures on stable branches'
- Backport of 'Upgrade http and llhttp-ffi'
- Backport '595107/fix-model-selection-ui-regression' into 18.10
- [18.10] Remove me-south-1 region from AMI publishing list
- Backport 18.10: Do not include Spamcheck with the SLES12 package
- Backport 18-10: Set strategy:mirror to propagate downstream failure on check-packages-functionality trigger job
18.9.5
- [18.9] Fix composite identity support for dependency proxy access
- Fix flaky spec in spec/requests/api/merge_requests_spec.rb
- Backport of Fix remaining failures in new_project_spec.rb after !228726
- Backport '595107/fix-model-selection-ui-regression' into 18.9
- [18.9] Remove me-south-1 region from AMI publishing list
- Backport 18.9: Do not include Spamcheck with the SLES12 package
- Backport 18-9: Set strategy:mirror to propagate downstream failure on check-packages-functionality trigger job
18.8.9
- Backport of Fix remaining failures in new_project_spec.rb after !228726
- Backport '595107/fix-model-selection-ui-regression' into 18.8
- [18.8] Remove me-south-1 region from AMI publishing list
- Backport 18-8: Set strategy:mirror to propagate downstream failure on check-packages-functionality trigger job
Important notes on upgrading
These versions do not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure file, which is only used for updates.
The SLES 12.5 packages for 18.10.3 and 18.9.5 are not present in this release.
Updating
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
Note: GitLab releases have skipped 18.10.2, 18.9.4 and 18.8.8. There are no patches with these version numbers.
Receive Patch Notifications
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
Original source
- Mar 25, 2026
- Date parsed from source:Mar 25, 2026
- First seen by Releasebot:Mar 25, 2026
GitLab Patch Release: 18.10.1, 18.9.3, 18.8.7
Gitlab ships patch releases 18.10.1, 18.9.3, and 18.8.7 with important bug and security fixes, including multiple high-severity vulnerabilities, and urges self-managed users to upgrade immediately.
Learn more about GitLab Patch Release: 18.10.1, 18.9.3, 18.8.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
Today, we are releasing versions 18.10.1, 18.9.3, 18.8.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab's release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
Recommended Action
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
Security fixes
Table of security fixes
Title - Severity
Improper Handling of Parameters issue in Jira Connect installations impacts GitLab CE/EE - High
Cross-Site Request Forgery issue in GLQL API impacts GitLab CE/EE - High
HTML Injection in vulnerability report impacts GitLab EE - High
Denial of Service issue in GraphQL API impacts GitLab CE/EE - High
Improper Access Control issue in WebAuthn 2FA impacts GitLab CE/EE - Medium
Improper Access Control issue in GraphQL query impacts GitLab EE - Medium
Denial of Service issue in CI configuration processing impacts GitLab CE/EE - Medium
Denial of Service issue in webhook configuration impacts GitLab CE/EE - Medium
Cross-site Scripting issue in Mermaid diagram renderer impacts GitLab CE/EE - Medium
Improper Access Control issue in Merge Requests impacts GitLab CE/EE - Medium
Access Control issue in GraphQL API impacts GitLab EE - Medium
Incorrect Authorization issue in authorization caching impacts GitLab EE - Low
Details of key CVEs and fixes are provided, including impacted versions and CVSS scores.
Bug fixes
18.10.1
- Backport gocloud version and checksum fix to 18-10 stable
- [18.10] Zero downtime reindexing make setting async-durability optional
- Backport "CI: Update CNG mirror skip job regex"
- Backport of 'Revert Code review flow automatic reviews enabled by default for groups'
- Backport Handle http-abort panic and pass http execution error
- Backport 18.10: Do not check column default in state machine initialization
- Backport of What's new - 18.10
- [18.10 Backport] Fix statement timeouts on p_ci_job_artifacts during pipeline deletion
- Backport of "Execute BBM affected by single record table bug"
- Fix regression: "Git operations for Deploy keys fail on a Geo Site"
18.9.3
- Backport gocloud version and checksum fix to 18-9 stable
- [Backport 18.9] Fix gitlab:setup failure on fresh database
- [18.9] Update dependency oj to v3.16.15
- Backport of 'Use v-safe-html for commit.titleHtml in collapsible commit info'
- 18.9 Backport of 'Fix re-archiving projects and subgroups after group unarchive'
- Backport of 'Fix edit in pipeline editor button not showing on ci file on file navigation'
- [18.9] GLQL advanced finder, remove project_ids
- Backport of 'Update rack gem to 2.2.22'
- Backport oj and oj-introspect gem updates
- [18.9] Exclude group-covered projects from search authorization to reduce redundant payload
- Backport "CI: Update CNG mirror skip job regex"
- [18.9] Zero downtime reindexing make setting async-durability optional
- Backport 18.9: Do not check column default in state machine initialization
- Backport of "Execute BBM affected by single record table bug"
- [18.9 Backport] Fix statement timeouts on p_ci_job_artifacts during pipeline deletion
- Fix regression: "Git operations for Deploy keys fail on a Geo Site"
- Backport: Fix Valkey version detection
- 18.9 Backport CI: Fix the package install for zypper based distros
- [18.9] Backport Mattermost Security Updates February 23, 2026
- Backport 18-9-stable - check-packages uses Pulp
18.8.7
- Fix command execution race condition in Agentic Chat
- Backport of 'fix: allow explain for all add ons'
- [18.8] Update dependency oj to v3.16.15
- 18.8 Backport of 'Fix re-archiving projects and subgroups after group unarchive'
- Add DAP self-hosted model DAP check in user_authorizable
- Backport of 'Fix edit in pipeline editor button not showing on ci file on file navigation'
- [18.8] GLQL advanced finder, remove project_ids
- Backport oj and oj-introspect gem updates
- Backport of 'Update rack gem to 2.2.22'
- Backport "CI: Update CNG mirror skip job regex"
- [18.8] Exclude group-covered projects from search authorization to reduce redundant payload
- [18.8] Zero downtime reindexing make setting async-durability optional
- Backport of "Execute BBM affected by single record table bug"
- [18.8 Backport] Fix statement timeouts on p_ci_job_artifacts during pipeline deletion
- Fix regression: "Git operations for Deploy keys fail on a Geo Site"
- 18.8 Backport CI: Fix the package install for zypper based distros
- [18.8] Backport Mattermost Security Updates February 23, 2026
- Backport 18-8-stable - check-packages uses Pulp
Important notes on upgrading
This patch includes database migrations that may impact your upgrade process.
Impact on your installation:
- Single-node instances: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.
- Multi-node instances: With proper zero-downtime upgrade procedures, this patch can be applied without downtime.
Post-deploy migrations
The following versions include post-deploy migrations that can run after the upgrade:
- 18.10.1
- 18.9.3
- 18.8.7
To learn more about the impact of upgrades on your installation, see:
- Zero-downtime upgrades for multi-node deployments
- Standard upgrades for single-node installations
Updating
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
Receive Patch Notifications
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
Original source
- Mar 20, 2026
- Date parsed from source:Mar 20, 2026
- First seen by Releasebot:Mar 20, 2026
- Modified by Releasebot:Apr 10, 2026
GitLab 18.10 Historical release
Gitlab 18.10 releases 30 new features across security, AI, CI/CD, package management, and project navigation, including SBOM-based dependency scanning, custom agents and flows, work item list views, passkey sign-in, and broader GitLab Runner and registry updates.
Milestone: 18.10
Issues: 2275 (175 open, 2100 closed)
Assets: source code archives (zip, tar.gz, tar.bz2, tar)
Other
GitLab 18.10 release post
Release notes
30 new features
4020 total badges
Ultimate
7 new features
724 total badges
Verify
Runner controllers for job admission control (self-managed only) : GitLab Runner Core
Application security testing
Dependency Scanning with SBOM support for Java Gradle build files : Software Composition Analysis
Dependency scanning SBOM-based scanning extended to self-managed : Software Composition Analysis
License scanning support for Dart/Flutter projects using Pub package manager : Software Composition Analysis
Software supply chain security
SAST false positive detection with GitLab Duo Agent Platform : Vulnerability Management
Secret false positive detection with AI (beta) : Vulnerability Management , Secret Detection
Security risk management
Pipeline secret detection in security configuration profiles : Vulnerability Management
Premium
13 new features
816 total badges
Custom agents can use MCP to access external data : AI Catalog
GitLab MCP server tool for pipeline management : MCP Server
Project Maintainers can enable custom agents and flows : AI Catalog
Configure network access control for remote flows in projects : Duo Agent Platform
Self-hosted Vertex AI for GitLab Duo Agent Platform (self-managed only) : Self-Hosted Models
Users can enable agents and flows directly from projects : AI Catalog
Support for Agent Skills in IDEs and CI/CD pipelines : Duo Agent Platform
Download credit usage data as CSV : Consumables Cost Management
Link credit usage to GitLab Duo Agent Platform sessions : Consumables Cost Management
Sort users in the GitLab Credits dashboard : Consumables Cost Management
Create
Enforce merge request title naming conventions with regex : Code Review Workflow
Verify
macOS Tahoe 26 and Xcode 26 job image : GitLab Hosted Runners
Package
Manage container virtual registries with a dedicated UI (Beta) : Virtual Registry
Core
10 new features
2480 total badges
Purchase GitLab Credits on the Free tier on GitLab.com : Subscription Management
GitLab Blob Search for group and instance code search : Duo Agent Platform
New navigation experience for projects in Explore : Groups & Projects
Plan
Introducing the work items list and saved views : Portfolio Management
Task item support in Markdown tables : Markdown
Verify
Use runtime inputs with CI/CD jobs : Pipeline Composition
GitLab Runner 18.10 : GitLab Runner Core
Package
Conan 2.0 package registry support (Beta) : Package Registry
GitLab Helm Chart registry generally available : Package Registry
Software supply chain security
Sign in securely with passkeys : System Access
Original source
- Mar 19, 2026
- Date parsed from source:Mar 19, 2026
- First seen by Releasebot:Mar 20, 2026
GitLab 18.10 Release
Gitlab releases 18.10 with major security, AI, planning, and DevOps upgrades, including SAST and secret false positive detection, passkeys, work items list and saved views, runtime CI/CD inputs, Helm Chart registry GA, and broader package, credits, and runner improvements.
Today, we are excited to announce the release of GitLab 18.10 with SAST false positive detection with GitLab Duo Agent Platform, credits for free tier users, passwordless sign-in with passkeys, work items list and saved views, and much more!
These are just a few highlights from the 60+ improvements in this release. Read on to check out all of the great updates below.
To the wider GitLab community, thank you for the 212 contributions you provided to GitLab 18.10! At GitLab, everyone can contribute and we couldn't have done it without you!
To preview what's coming in next month’s release, check out our What's new page.
Notable Contributor
This month's Notable Contributor is awarded to Harshith Sudar
Harshith is currently a Level 3 Contributor who has made impactful contributions improving community tooling and analytics, from triage automation and contributor recognition to GitLab Duo usage insights.
Harshith’s contributions were first recognized by Lee Tickett, Fullstack Engineer in DevRel Engineering at GitLab, who nominated him. His work has strengthened how we support contributors behind the scenes through improvements to our automation and contributor-facing experiences. For example, he expanded our triage automation by updating the IssueSummary processor in triage-ops to work with multiple projects, including contributors.gitlab.com, making it easier for us to keep more community projects consistently summarized and visible. He also helped recognize community-created content through the new “Add content” button and flow, which lets contributors log blog posts, videos, and other content directly from their profile and get rewarded.
Harshith has also contributed to our analytics and GitLab Duo usage insights. Highlights include refining how GitLab Duo usage is calculated, improving how AI impact over time can be explored by removing the 180-day default, and consolidating DORA metric date range constants, as well as enhancing analytics at scale with improvements like adding infinite scroll for the Value Stream Analytics custom stage label picker. Together, these changes help teams better understand how GitLab is used in real projects.
In his own words:
“One thing I’ve really enjoyed while contributing is how thoughtfully ideas are discussed within the community. It’s encouraging to see suggestions explored collaboratively, like in the discussion around MR !1288, which turned into a great learning experience. I’m really happy to be part of this community and look forward to making many more contributions in the future.”
Thank you, Harshith, for your ongoing work to improve the GitLab codebase and contributor experience!
Want to connect with Harshith and learn more about his contributions? Visit Harshith’s GitLab profile and his LinkedIn profile.
Key improvements released in GitLab 18.10
SAST false positive detection with GitLab Duo Agent Platform
SAST false positive detection, which was first introduced as a beta in GitLab 18.7, is now generally available in GitLab 18.10.
When a security scan runs, GitLab Duo Agent Platform analyzes each critical and high severity SAST vulnerability and determines the likelihood that it’s a false positive. The assessment appears directly in the vulnerability report, giving teams the context they need to triage with confidence rather than uncertainty.
Key capabilities include:
- Automatic analysis: False positive detection runs automatically after each security scan with no manual intervention required.
- Manual option: Users can manually run false positive detection for individual vulnerabilities on the vulnerability details page for on-demand analysis.
- Focus on high-impact findings: Limiting the analysis to critical and high severity SAST vulnerabilities cuts through the noise where it matters most.
- Contextual AI reasoning: Each assessment explains why a finding may or may not be a false positive, factoring in code context, data flow, and vulnerability characteristics specific to static analysis.
- Seamless workflow integration: Results surface directly in the vulnerability report alongside existing severity, status, and remediation information — no changes to existing workflows required.
This feature is available for Ultimate customers with GitLab Duo Agent Platform. The feature must be enabled in your group or project settings. We welcome your feedback in issue 583697.
Purchase GitLab Credits on the Free tier on GitLab.com
Free tier group Owners on GitLab.com can now unlock AI with GitLab Credits. Purchase a monthly credit amount, commit to an annual term, and get access to GitLab Duo Agent Platform agents and flows. Credits refresh automatically each month, so your team always has what it needs to build faster and smarter.
Key highlights:
- Usage-based pricing: Purchase a monthly credit commitment without needing a base plan subscription.
- Self-service purchasing: Buy credits through the GitLab purchase flow.
- Seamless upgrade path: Your credit commitment transfers if you later upgrade to Premium or Ultimate.
- Consumption tracking: Monitor your credit usage through the GitLab Credits dashboard.
This purchase option is currently only available for free GitLab.com top-level groups.
Sign in securely with passkeys
GitLab now supports passkeys for passwordless sign-in and as a phishing-resistant two-factor authentication (2FA) method. Passkeys use public-key cryptography and biometric authentication (fingerprint, face recognition) or your device PIN to securely access your account.
Passkeys offer the following benefits:
- Passwordless convenience: Sign in with your device’s biometrics or PIN instead of remembering a password.
- Multi-device support: Use passkeys on desktop browsers, mobile devices (iOS 16 or later, Android 9 or later), and FIDO2/WebAuthn-compatible hardware security keys.
- Phishing-resistant security: Your private key never leaves your device. GitLab only stores the public key, protecting your account even if GitLab servers are compromised.
- Automatic 2FA integration: For accounts with 2FA enabled, passkeys become available as your default 2FA method.
To get started, add a passkey in your account settings. We welcome your questions and feedback in issue 366758.
Introducing the work items list and saved views
The GitLab planning experience is getting a significant upgrade with the work items list and saved views, bringing together two long-requested capabilities:
- The work items list combines epics, issues, and other work items into a single unified list, eliminating the need to switch between separate pages for different work item types. This makes it easier to understand relationships across your planning objects.
- Saved views allow you to create and save customized list configurations, including filters, sort order, and display options. This makes routine checks more efficient, and supports standardized ways of viewing work across your team.
This is the next step in the GitLab work items journey, a unified architecture designed to deliver consistency and unlock new capabilities across GitLab planning tools.
Share your thoughts and feedback in issue 590689.
Custom agents can use MCP to access external data
You can now connect custom agents in the AI Catalog to external data sources and tools through the Model Context Protocol (MCP), without leaving GitLab.
This feature is an experiment. Share your feedback in issue 593219.
Enforce merge request title naming conventions with regex
Maintaining consistent merge request titles is important for teams that rely on structured naming conventions, whether that means following the Conventional Commits format or linking to an internal tracking system. Teams previously needed external tooling or custom CI/CD pipeline jobs to enforce these conventions, but this approach had a critical gap: if someone changed the merge request title after the pipeline ran, there was no re-validation, and the MR could still be merged with a non-compliant title.
You can now configure a required title regex for merge requests in your project settings. When configured, GitLab evaluates the merge request title against the pattern as a mergeability check — blocking the merge until the title is updated to comply, regardless of when the title was last changed.
To set this up, go to your project’s Settings > Merge requests and enter a regex pattern in the Merge request title must match regex field.
Your existing merge request workflows continue to work as before. This check only applies to projects where you explicitly configure a title regex.
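As an added example (not GitLab's code), the check described above modelled in Python: a Conventional Commits style pattern, evaluated against the merge request's current title rather than the title a pipeline job saw earlier. The pattern itself is an assumption for illustration; adapt it to your convention and to the regex dialect your GitLab instance accepts.

```python
import re
from typing import Optional

# Assumed Conventional Commits style pattern: <type>(<optional scope>)<optional !>: <summary>.
# Anchored with ^ and $ so that a title that only contains a compliant
# substring (for example "WIP feat: thing") is rejected, not accepted.
CONVENTIONAL_TITLE = (
    r"^(feat|fix|docs|style|refactor|perf|test|build|ci|chore|revert)"
    r"(\([a-z0-9._/-]+\))?!?: \S.*$"
)


def title_is_compliant(title: str, required_regex: str = CONVENTIONAL_TITLE) -> bool:
    """Return True when the title satisfies the required pattern."""
    return re.match(required_regex, title) is not None


def can_merge(current_title: str, required_regex: Optional[str]) -> bool:
    """Mergeability check as the release note describes it.

    No regex configured means the check does not apply (existing workflows
    are unaffected). When one is configured, the *current* title is checked,
    so a title edited after the last pipeline run is still validated.
    """
    if not required_regex:
        return True
    return title_is_compliant(current_title, required_regex)


def check_title_history(titles: list, required_regex: Optional[str]) -> bool:
    """Simulate the gap a pipeline-only check leaves: only the last title in
    the edit history matters for mergeability, whatever the first one was."""
    return can_merge(titles[-1], required_regex)


if __name__ == "__main__":
    # Constructed sample titles, not taken from any real project.
    samples = [
        "feat(auth): add passkey sign-in",
        "fix!: drop legacy token scopes",
        "WIP feat: thing",
        "Update README",
    ]
    for title in samples:
        print(f"{title!r}: {'ok' if title_is_compliant(title) else 'blocked'}")
```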
Secret false positive detection with AI (beta)
Security teams spend significant time investigating secret detection findings that turn out to be false positives, such as test credentials, example values, and placeholder tokens that are incorrectly flagged as actual secrets. False positives create alert fatigue, erode trust in scan results, and divert attention from genuine security risks.
GitLab 18.10 introduces AI-powered secret false positive detection (beta) to focus on the secrets that actually matter. When a security scan runs, GitLab Duo automatically analyzes each Critical and High severity secret detection vulnerability to determine if it’s a false positive.
The AI assessment appears directly in the vulnerability report, giving security engineers immediate context to make faster and confident triage decisions.
Key capabilities include:
- Automatic analysis: False positive detection runs automatically after each security scan without manual trigger.
- Manual trigger option: You can manually trigger false positive detection for individual vulnerabilities on the vulnerability details page for on-demand analysis.
- Focus on high-impact findings: Scoped for Critical and High severity vulnerabilities to maximize signal-to-noise improvement.
- Contextual AI reasoning: Each assessment includes an explanation of why the finding may or may not be a true positive, based on code context and vulnerability characteristics.
- Confidence scoring: Each detection includes a confidence score to help teams prioritize review based on the model’s certainty.
- Seamless workflow integration: Results surface directly in the vulnerability report alongside existing severity, status, and remediation information.
This feature is available as a free beta for Ultimate customers and must be enabled in your group or project settings. Share feedback in issue 592861.
Use runtime inputs with CI/CD jobs
Using CI/CD variables for dynamic job configuration can be challenging. Variables follow a complex override hierarchy that’s difficult to manage, and they can’t be used for a variety of use cases.
Now you can use inputs to define explicit, typed inputs at the job level. Use job inputs to define and control the values that a job accepts at runtime. With job inputs, you get:
- Type safety (string, number, boolean, array).
- Default values that can be static or reference existing variables.
- The option to define a strict list of possible values to use.
- Regex support for validating input values.
Job inputs can use the default values without any user interaction, but you can modify the values when retrying a job or running a manual job.
Other improvements in GitLab 18.10
Task item support in Markdown tables
You can now use task item checkbox syntax directly in Markdown table cells.
Previously, achieving this required a combination of raw HTML and Markdown, which was cumbersome and difficult to maintain.
This improvement makes it easier to track task completion directly within structured table layouts in issues, epics, and other content.
macOS Tahoe 26 and Xcode 26 job image
You can now create, test, and deploy applications for the newest generations of Apple devices using macOS Tahoe 26 and Xcode 26.
With hosted runners on macOS, your development teams can build and deploy macOS applications faster in a secure, on-demand build environment integrated with GitLab CI/CD.
Try it out today by using the macos-26-xcode-26 image in your .gitlab-ci.yml file.
GitLab Helm Chart registry generally available
Teams using Helm to manage Kubernetes application deployments can now rely on the GitLab Helm Chart registry for production workloads. Previously in beta, the registry is now generally available following the resolution of key architectural and reliability concerns.
The path to GA included resolving a hard limit that prevented the index.yaml endpoint from returning more than 1,000 charts, fixing a background indexing bug that caused newly published chart versions to be missing from the index, completing a full AppSec security review, and adding Geo replication support for Helm metadata cache, ensuring high availability for self-managed customers running GitLab Geo.
Platform and DevOps teams can publish and install Helm charts directly from GitLab using standard Helm client workflows, with support for project-level endpoints and authentication using personal access tokens, deploy tokens, and CI/CD job tokens. Now you can keep charts alongside the source code, pipelines, and security scanning that depend on them.
Dependency Scanning with SBOM support for Java Gradle build files
GitLab SBOM-based dependency scanning now supports scanning Java build.gradle and build.gradle.kts build files.
Previously, dependency scanning for Java projects using Gradle required a lock file to be present. Now, when a lock file is not available, the analyzer automatically falls back to scanning build.gradle and build.gradle.kts files, extracting and reporting only direct dependencies for vulnerability analysis. This improvement makes it easier for Java projects using Gradle to enable dependency scanning without requiring a lock file.
To enable manifest fallback, set the DS_ENABLE_MANIFEST_FALLBACK CI/CD variable to "true".
License scanning support for Dart/Flutter projects using Pub package manager
GitLab now supports license scanning for Dart and Flutter projects that use the pub package manager. Previously, teams building with Dart or Flutter were unable to identify the licenses of their open source dependencies directly within GitLab, creating compliance blind spots for organizations with license policy requirements.
License data is sourced directly from pub.dev, the official Dart package repository, and results are surfaced alongside other supported ecosystems. Dart/Flutter dependency scanning and vulnerability detection were already supported.
Download credit usage data as CSV
Billing managers can now download credit usage data as a CSV file directly from the GitLab Credits dashboard in Customers Portal.
The export provides a daily, per-action breakdown of credit consumption for the current billing month, including commitment, waiver, trial, on-demand, and included credits used.
Finance and operations teams can use this data to perform cost allocation, chargeback reporting, and usage analysis in Excel, Google Sheets, or BI tools without manual data gathering or support requests.
Sort users in the GitLab Credits dashboard
Enterprise administrators can now sort the Usage by User table in the GitLab Credits dashboard by total credits used or by username.
The default sort order is by total credits consumed (highest first), so the top consumers are immediately visible without scrolling.
With this view, administrators managing thousands of GitLab Duo users can quickly identify high-usage individuals for cost allocation, chargeback reporting, and license utilization audits.
GitLab Blob Search for group and instance code search
The gitlab_blob_search tool now enables GitLab AI agents to search your code:
- Across all projects in a group.
- Across all accessible projects on an instance.
Previously, blob search was limited to a single project, or required specifying explicit project IDs. This change makes it easier for AI-powered workflows to discover and reuse code that’s spread across multiple related projects.
New navigation experience for projects in Explore
We’ve streamlined the projects page in Explore to reduce clutter and remove redundant options that accumulated over time. The simplified interface now focuses on two core views:
- Active tab: Discover projects with recent activity and ongoing development.
- Inactive tab: Access archived projects and those scheduled for deletion.
We’ve removed several redundant tabs:
- Most starred projects can be found by sorting Active or Inactive tabs by star count.
- All projects are available by viewing both Active and Inactive tabs.
- The Trending tab will be removed entirely in GitLab 19.0 due to limited functionality and low usage.
The cleaner design aligns with other project lists for visual consistency. You can still access all the same content through more logical organization and flexible sorting options.
Self-hosted Vertex AI for GitLab Duo Agent Platform
Vertex AI is now a supported LLM platform within GitLab Duo Agent Platform Self-Hosted.
Customers can now configure Anthropic models hosted on Vertex AI for use with GitLab Duo Agent Platform features.
Users can enable agents and flows directly from projects
Maintainers and Owners can now enable agents and flows directly from their project or the explore page, without navigating away from their current context.
Top-level group Owners can also select their group, and the specific projects where they want to activate agents and flows, streamlining their workflow setup.
GitLab Runner 18.10
We’re also releasing GitLab Runner 18.10 today! GitLab Runner is the highly-scalable build agent that runs your CI/CD jobs and sends the results back to a GitLab instance. GitLab Runner works in conjunction with GitLab CI/CD, the open-source continuous integration service included with GitLab.
What’s New:
- Allow k8s runner to define Pod Level Resources for build pod
- Add automation to update Go versions and packages for all Runner projects
Bug Fixes:
- S3 cache with RoleARN returns 403 instead of 404 for non-existent cache
- Using helper image gitlab-runner-helper:x86_64-v16.11.1-nanoserver21H2 results in init-permissions error
- MacOS: LaunchAgent - Service could not initialize on M1 architecture
The list of all changes is in the GitLab Runner CHANGELOG.
Conan 2.0 package registry support (Beta)
C and C++ development teams using Conan as their package manager have long requested registry support in GitLab. Previously, the Conan package registry was experimental and only supported Conan 1.x clients, limiting adoption for teams that have migrated to the modern Conan 2.0 toolchain.
The Conan package registry now supports Conan 2.0 and has been promoted from Experimental to Beta. This release includes full v2 API compatibility, recipe revision support, improved search capabilities, and proper handling of upload policies including the --force flag. Teams can publish and install Conan 2.0 packages directly from GitLab using standard Conan client workflows, reducing the need for external artifact management solutions like JFrog Artifactory.
With this update, platform engineering teams managing C and C++ dependencies can consolidate their package management within GitLab alongside their source code, CI/CD pipelines, and security scanning. The Conan registry supports both project-level and instance-level endpoints, and works with personal access tokens, deploy tokens, and CI/CD job tokens for authentication.
We welcome feedback as we work toward general availability. Please share your experience in the epic.
Manage container virtual registries with a dedicated UI (Beta)
When the container virtual registry launched in beta last milestone, platform engineers could aggregate multiple upstream container registries — Docker Hub, Harbor, Quay, and others — behind a single pull endpoint. However, all configuration required direct API calls, meaning teams had to maintain scripts or manual curl commands to create and manage their registries, configure upstreams, and handle changes over time. This added operational overhead and made the feature inaccessible to users who weren’t comfortable working directly with the API.
Container virtual registries can now be created and managed directly from the GitLab UI. From the group-level container registry page, you can create new virtual registries, configure upstream sources with authentication credentials, edit existing configurations, and delete registries you no longer need — all without leaving GitLab or writing a single API call. The UI integrates seamlessly with the existing container registry experience, making virtual registries a first-class part of your group’s artifact management workflow.
This feature is in beta. To share feedback, please comment in the feedback issue.
Dependency scanning SBOM-based scanning extended to self-managed
In GitLab 18.10, we’re extending limited availability status to self-managed instances for the new SBOM-based dependency scanning feature.
This feature was initially released in GitLab 18.5 with limited availability for GitLab.com only, behind the feature flag dependency_scanning_sbom_scan_api and disabled by default.
With additional improvements and fixes, we now have confidence to reliably use the new SBOM scanning internal API and enable this feature flag by default. This internal API allows the dependency scanning analyzer to generate a dependency scanning report containing all component vulnerabilities. Unlike the previous behavior (Beta) that processed SBOM reports after CI/CD pipeline completion, this improved process generates scan results immediately during the CI/CD job, giving users instant access to vulnerability data for custom workflows.
Self-managed customers who encounter issues can disable the dependency_scanning_sbom_scan_api feature flag. The analyzer will then fall back to the previous behavior.
To use this feature, import the v2 dependency scanning template Jobs/Dependency-Scanning.v2.gitlab-ci.yml.
We welcome feedback on this feature. If you have questions, comments, or would like to engage with our team, please reach out in this feedback issue.
Pipeline secret detection in security configuration profiles
In GitLab 18.9, we introduced security configuration profiles with the Secret Detection - Default profile, starting with push protection. You use the profile to apply standardized secret scanning across hundreds of projects without touching a single CI/CD configuration file.
The Secret Detection - Default profile now also covers pipeline-based scanning, providing a unified control surface for secret detection across your entire development workflow.
The profile activates three scan triggers:
- Push Protection: Scans all Git push events and blocks pushes where secrets are detected, preventing secrets from ever entering your codebase.
- Merge Request Pipelines: Automatically runs a scan each time new commits are pushed to a branch with an open merge request. Results only include new vulnerabilities introduced by the merge request.
- Branch Pipelines (default only): Runs automatically when changes are merged or pushed to the default branch, providing a complete view of your default branch’s secret detection posture.
Applying the profile requires no YAML configuration. The profile can be applied to a group to propagate coverage across all projects in the group, or to individual projects for more granular control.
Link credit usage to GitLab Duo Agent Platform sessions
The GitLab Credits dashboard now links credit consumption directly to the GitLab Duo Agent Platform session that generated it.
In the per-user drill-down view, the Action column for Agent Platform usage rows (such as Agentic Chat or Foundational Agents) is now a clickable hyperlink that navigates to the corresponding session details.
This link provides a direct audit trail from billing to AI session behavior, so administrators can investigate credit usage, support escalations, and compliance reviews without manually correlating timestamps across separate systems.
Configure network access control for remote flows in projects
You can now configure network access controls for flows using GitLab runners in projects.
This provides secure external integrations, while maintaining control over network destinations. This also gives project maintainers the flexibility to allow necessary API connections, MCP servers, and third-party services while enforcing security boundaries.
Configure network access controls in the network_policy section of agent-config.yml. The agent-config.yml is protected by branch protection rules and MR approval workflows.
GitLab MCP server tool for pipeline management
You can now manage your CI/CD pipelines in a GitLab project with the new manage_pipeline tool. This GitLab MCP server tool lets AI agents create, cancel, retry, delete, and update pipeline metadata in a single call. With this tool, you no longer have to piece together multiple steps to automate your pipeline workflows.
If you want to see other GitLab MCP server tools, let us know in the feedback issue.
Project Maintainers can enable custom agents and flows
Previously, enabling AI agents and flows from the AI Catalog required top-level group permissions.
Now, when browsing the AI Catalog at the explore level or project level, project Maintainers can enable agents and flows directly in their projects.
Support for Agent Skills in IDEs and CI/CD pipelines
GitLab Duo Agent Platform now supports the Agent Skills specification, an emerging standard for giving AI agents new capabilities and expertise.
You can define Agent Skills at the workspace level for your project to give agents specialized knowledge and workflows for specific tasks, like writing tests in a specific framework. Agents automatically discover and load relevant skills as they encounter matching tasks.
You can also trigger skills manually by name, file path, or custom slash commands. Agent Skills are accessible for flows and Agentic Chat in your IDE, and for flows run in CI/CD pipelines. They also work with any other AI tool that supports the specification.
Features in Experiment
Runner controllers for job admission control
You can now enforce custom policies on CI/CD jobs before runner assignment with runner controllers. The runner controller connects to the job router and makes admit or reject decisions based on custom rules.
Use runner controllers for admission control, compliance enforcement, or cost and resource governance. Controllers support instance runners and a dry-run mode for safe validation before enforcement.
This feature is an experiment. To get started, see Tutorial: Build a runner admission controller.
Bug fixes, performance improvements, and UI improvements
At GitLab, we’re dedicated to providing the best possible experience for our users. With every release, we work tirelessly to fix bugs, improve performance, and enhance UI. Whether you’re one of the over 1 million users on GitLab.com or using our platform elsewhere, we’re committed to making sure your time with us is smooth and seamless.
Click the links below to see all the bug fixes, performance enhancements, and UI improvements we’ve delivered in 18.10.
- Bug fixes
- Performance improvements
- UI improvements
Deprecations
New deprecations and the complete list of all features that are currently deprecated can be viewed in the GitLab documentation. To be notified of upcoming breaking changes, subscribe to our Breaking Changes RSS feed.
Removals and breaking changes
The complete list of all removed features can be viewed in the GitLab documentation. To be notified of upcoming breaking changes, subscribe to our Breaking Changes RSS feed.
Changelog
Please check out the changelog to see all the named changes:
- GitLab
- GitLab Runner
- GitLab Workflow for VS Code
- GitLab CLI
Installing
If you are setting up a new GitLab installation, please see the download GitLab page.
Updating
Check out our update page.
Questions?
We'd love to hear your thoughts! Visit the GitLab Forum and let us know if you have questions about the release.
GitLab Subscription Plans
- Free: Free-forever features for individual users
- Premium: Enhance team productivity and coordination
- Ultimate: Organization wide security, compliance, and planning
Try all GitLab features - free for 30 days.
Original source - Mar 11, 2026
- Date parsed from source: Mar 11, 2026
- First seen by Releasebot: Mar 12, 2026
GitLab Patch Release: 18.9.2, 18.8.6, 18.7.6
GitLab releases patch versions 18.9.2, 18.8.6, and 18.7.6 for CE and EE with important bug and security fixes. The note urges all self-managed installations to upgrade immediately, while GitLab.com is already running the patched code. It also explains the patch cadence and upgrade notes for admins.
Today, we are releasing versions 18.9.2, 18.8.6, 18.7.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
Recommended Action
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
Security fixes
Table of security fixes
Title | Severity
Cross-site Scripting issue in Markdown placeholder processing impacts GitLab CE/EE | High
Denial of Service issue in GraphQL API impacts GitLab CE/EE | High
Denial of Service issue in repository archive endpoint impacts GitLab CE/EE | High
Denial of Service issue in protected branches API impacts GitLab CE/EE | High
Denial of Service issue in webhook custom headers impacts GitLab CE/EE | Medium
Denial of Service issue in webhook endpoint impacts GitLab CE/EE | Medium
Improper Neutralization of CRLF Sequences issue impacts GitLab CE/EE | Medium
Improper Access Control issue in runners API impacts GitLab CE/EE | Medium
Improper Access Control issue in snippet rendering impacts GitLab CE/EE | Medium
Information Disclosure issue in inaccessible issues impacts GitLab CE/EE | Medium
Missing Authorization issue in Group Import impacts GitLab CE/EE | Medium
Incorrect Reference issue in repository download impacts GitLab CE/EE | Medium
Incorrect Authorization issue in Virtual Registry impacts GitLab EE | Low
Improper Escaping of Output issue in Datadog integration impacts GitLab CE/EE | Low
CVE-2026-1090 - Cross-site Scripting issue in Markdown placeholder processing impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user, when the markdown_placeholders feature flag was enabled, to inject JavaScript in a browser due to improper sanitization of placeholder content in markdown processing.
Impacted Versions: GitLab CE/EE: all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2026-1069 - Denial of Service issue in GraphQL API impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to cause a denial of service condition by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances.
Impacted Versions: GitLab CE/EE: all versions from 18.9 before 18.9.2
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2025-13929 - Denial of Service issue in repository archive endpoint impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to cause a denial of service condition by issuing specially crafted requests to repository archive endpoints under certain conditions.
Impacted Versions: GitLab CE/EE: all versions from 10.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2025-14513 - Denial of Service issue in protected branches API impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to cause a denial of service condition due to improper input validation when processing specially crafted JSON payloads in the protected branches API.
Impacted Versions: GitLab CE/EE: all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2025-13690 - Denial of Service issue in webhook custom headers impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user to cause a denial of service condition due to improper input validation on webhook custom header names under certain conditions.
Impacted Versions: GitLab CE/EE: all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks sim4n6 for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2025-12576 - Denial of Service issue in webhook endpoint impacts GitLab CE/EE
GitLab has remediated an issue that under certain conditions could have allowed an authenticated user to cause a denial of service condition due to improper handling of webhook response data.
Impacted Versions: GitLab CE/EE: all versions from 9.3 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks sim4n6 for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2026-3848 - Improper Neutralization of CRLF Sequences issue impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user to make unintended internal requests through proxy environments under certain conditions due to improper input validation in import functionality.
Impacted Versions: GitLab CE/EE: all versions from 8.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
Thanks shells3c for reporting this vulnerability.
CVE-2025-12555 - Improper Access Control issue in runners API impacts GitLab CE/EE
GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to access previous pipeline job information on projects with repository and CI/CD disabled due to improper authorization checks.
Impacted Versions: GitLab CE/EE: all versions from 15.1 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks iamgk808 for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2026-0602 - Improper Access Control issue in snippet rendering impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user to disclose metadata from private issues, merge requests, epics, milestones, or commits due to improper filtering in the snippet rendering process under certain circumstances.
Impacted Versions: GitLab CE/EE: all versions from 15.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2026-1732 - Information Disclosure issue in inaccessible issues impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user to disclose confidential issue titles due to improper filtering under certain circumstances.
Impacted Versions: GitLab CE/EE: all versions from 12.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks modhanami for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2026-1663 - Missing Authorization issue in Group Import impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user with group import permissions to create labels in private projects due to improper authorization validation in the group import process under certain circumstances.
Impacted Versions: GitLab CE/EE: all versions from 14.4 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-1230 - Incorrect Reference issue in repository download impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user to cause repository downloads to contain different code than displayed in the web interface due to incorrect validation of branch references under certain circumstances.
Impacted Versions: GitLab CE/EE: all versions from 1.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 4.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N)
Thanks st4nly0n for reporting this vulnerability through our HackerOne bug bounty program
CVE-2025-12704 - Incorrect Authorization issue in Virtual Registry impacts GitLab EE
GitLab has remediated an issue that could have allowed an authenticated user to access Virtual Registry data in groups where they are not members due to improper authorization under certain conditions.
Impacted Versions: GitLab EE: all versions from 18.2 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
Thanks mateuszek for reporting this vulnerability through our HackerOne bug bounty program
CVE-2025-12697 - Improper Escaping of Output issue in Datadog integration impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user with maintainer-role permissions to reveal Datadog API credentials under certain conditions.
Impacted Versions: GitLab CE/EE: all versions from 15.5 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 2.2 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N)
Thanks shells3c for reporting this vulnerability through our HackerOne bug bounty program
Bug fixes
18.9.2
- Fix GitLab base caching (Backport 18.9)
- config: Add configuration to control GOMAXPROCS [backport to 18.9]
- Backport of 'Fix test pollution from simulate_saas rake task'
- Backport of 'Add backtrace to placeholder user reassignment failure logs'
- [Backport 18.9] Update bitbucket cloud importer to fetch workspace scoped repositories
- Backport of "Remove old DAP troubleshooting docs"
- Backport BBM - Fix helper with single record
- [18.9] Backport of 'Reduce logs by ConcurrencyLimit::WorkerExecutionTracker'
- Backport of Reduce batch size for text-embedding-005 requests
- [Backport]- Fix transpilers for zoekt filters
- Backport of 'Fix exclude types in session query'
- [Backport]- Skip param validation for MCP requests
- Backport of 591296 Historical Addon Assignments - Ignore Namespace Path For SM
- Backport of 'Handle Jira Server/Data Center Issue pagination' (18.9)
- Backport 'Improve Deployments and Size quota specs for clarity and consistency' to 18-9-stable-ee
- Backport- Code search returns no results at intermediate group level
- Backport of 'Move ConcurrencyLimit::ResumeWorker cron config to CE'
- Backport of 'Extend package migrate task to metadata caches and symbols'
- Backport of 'Stop unblocking policy approvals when security jobs get canceled'
- Backport of Revert "Clean up gpg_commit_delegate_to_signature feature flag"
- Support default AI access rules - Backport of 225728
- Backport of 'Fix maintainers editing when they own a fork'
- [Backport 18.9] Fix gitlab:setup failure on fresh database
- [18-9-stable] Remove release instance deployment trigger from Ubuntu-20.04-staging job
- [18-9] Backport Mattermost Security Updates February 18, 2026
- Backport: Simplify pg-upgrade initdb by removing locale parameters
- [18.9] Patch io-event gem to drop epoll_pwait2 check for RedHat 9
18.8.6
- Backport Go 1.25.7 to 18.8 Stable
- Fix GitLab base caching (Backport 18.8)
- Backport of "fix(bug): Schema check should not fail when ClickHouse DB is uninitialized"
- config: Add configuration to control GOMAXPROCS [backport to 18.8]
- 18.8 Backport of 'Fix PipelineSecurityReportFindings query timeout'
- Backport 18.8 - CI - Token used for release environments
- Handle RecordInvalid in SyncProjectPolicyWorker
- [Backport 18.8] Update bitbucket cloud importer to fetch workspace scoped repositories
- [18.8] Backport of 'Reduce logs by ConcurrencyLimit::WorkerExecutionTracker'
- Backport BBM - Fix helper with single record
- Backport of 'Fix Duo sidebar absent for user with Agentic Chat access but without Classic Chat access'
- [Backport]- Fix transpilers for modelling? filters
- Backport of 591296 Historical Addon Assignments - Ignore Namespace Path For SM
- Backport of 'Handle Jira Server/Data Center Issue pagination'
- Backport 'Improve Deployments and Size quota specs for clarity and consistency' to 18-8-stable-ee
- Backport- Code search returns no results at intermediate group level
- Backport of 'Move ConcurrencyLimit::ResumeWorker cron config to CE'
- Support default AI access rules - Backport of 225728
- Fix command execution race condition in Agentic Chat
- Backport Go 1.25.7 to GitLab 18.8
- [18-8-stable] Remove release instance deployment trigger from Ubuntu-20.04-staging job
- [18.8] Mattermost Security Updates February 18, 2026
- [18.8] Patch io-event gem to drop epoll_pwait2 check for RedHat 9
18.7.6
- Backport Go 1.25.7 to 18.7 Stable
- Fix GitLab base caching (Backport 18.7)
- Backport 18.7 - CI - Token used for release environments
- Handle RecordInvalid in SyncProjectPolicyWorker
- [Backport 18.7] Update bitbucket cloud importer to fetch workspace scoped repositories
- [18.7] Backport of 'Reduce logs by ConcurrencyLimit::WorkerExecutionTracker'
- [Backport]- Fix transpilers for zoekt filters
- Backport- Code search returns no results at intermediate group level
- Backport of 591296 Historical Addon Assignments - Ignore Namespace Path For SM
- Backport of 'Handle Jira Server/Data Center Issue pagination'
- Backport 'Improve Deployments and Size quota specs for clarity and consistency' to 18-7-stable-ee
- Backport of 'Move ConcurrencyLimit::ResumeWorker cron config to CE'
- [18.7] Fix image resizing assertion logic for RTE
- Backport Go 1.25.7 to GitLab 18.7
- [18-7-stable] Remove release instance deployment trigger from Ubuntu-20.04-staging job
- [18-7] Backport Mattermost Security Updates February 18, 2026
- [18.7] Patch io-event gem to drop epoll_pwait2 check for RedHat 9
Important notes on upgrading
This patch includes database migrations that may impact your upgrade process.
Impact on your installation:
- Single-node instances: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.
- Multi-node instances: With proper zero-downtime upgrade procedures, this patch can be applied without downtime.
Regular migrations
The following versions include regular migrations that run during the upgrade process:
- 18.9.2
- 18.8.6
To learn more about the impact of upgrades on your installation, see:
- Zero-downtime upgrades for multi-node deployments
- Standard upgrades for single-node installations
Updating
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
Receive Patch Notifications
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
Original source - Mar 2, 2026
- Date parsed from source:Mar 2, 2026
- First seen by Releasebot:Feb 20, 2026
- Modified by Releasebot:Mar 30, 2026
GitLab 18.9 Historical release
Gitlab releases 18.9 with new security, DevOps, and platform upgrades, including GitLab Duo Agent Platform access in Ultimate trials, expanded dependency scanning, vulnerability management improvements, self-hosted model support, Geo enhancements, and faster source control and CI/CD workflows.
Milestone 18.9: 95% complete, 2593 issues (140 open, 2453 closed)
GitLab 18.9 release post
Release notes
26 new features
3990 total badges
Ultimate
8 new features
717 total badges
GitLab Duo Agent Platform available in Ultimate trials : Acquisition , Duo Agent Platform
Application security testing
Dependency Scanning with SBOM support for Java pom.xml manifest files : Software Composition Analysis
Dependency Scanning with SBOM support for Python requirements.txt manifest files : Software Composition Analysis
Software supply chain security
Vulnerability resolution with GitLab Duo Agent Platform (Beta) : Vulnerability Management
Security risk management
New security dashboard chart: Vulnerabilities by age : Vulnerability Management
Centralized security governance and configuration : Vulnerability Management
Security attributes : Security Asset Inventories
Security dashboards: Vulnerabilities over time chart improvements : Vulnerability Management
Premium
7 new features
803 total badges
GitLab Duo Agent Platform Self-Hosted models now available for cloud licenses (self-managed only) : Self-Hosted Models
Non-billable Minimal Access users (self-managed only)
Geo data management view on primary site (self-managed only) : Disaster Recovery , Geo Replication
OAuth support in JetBrains IDEs for Self-Managed and Dedicated (self-managed only) : Editor Extensions
Create
Restrict personal snippets for enterprise users : Source Code Management
Verify
View CI/CD job metrics for projects (limited availability) : Fleet Visibility
Package
Container virtual registry now available (Beta) : Virtual Registry
Core
11 new features
2470 total badges
Zero Downtime Upgrades now supported for Cloud Native Hybrid deployments (self-managed only) : Cloud Native Installation
Archive a group and its content : Groups & Projects
Valkey as replacement option for Redis (Beta) (self-managed only) : Omnibus Package
Create
Navigate repositories with collapsible file tree : Source Code Management
Web-based commit signing on GitLab.com : Source Code Management
Rapid Diffs improves performance for commit changes : Source Code Management
Support for Bitbucket Cloud API tokens in import API : Importers
Verify
Include CI/CD inputs from a file : Pipeline Composition
Add timestamps to CI job logs : Continuous Integration (CI)
CI/CD Catalog component analytics : Pipeline Composition
View security reports from child pipelines in merge requests : Continuous Integration (CI)
Original source - Feb 25, 2026
- Date parsed from source:Feb 25, 2026
- First seen by Releasebot:Feb 25, 2026
GitLab Patch Release: 18.9.1, 18.8.5, 18.7.5
GitLab ships patch releases 18.9.1, 18.8.5, and 18.7.5 for CE and EE with critical security and bug fixes. Upgrades are strongly recommended for self-managed setups; GitLab.com is already patched. Detailed vulnerability notes and upgrade guidance included.
Learn more about GitLab Patch Release: 18.9.1, 18.8.5, 18.7.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
Today, we are releasing versions 18.9.1, 18.8.5, 18.7.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
Recommended Action
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
Security fixes
Table of security fixes
- Cross-site Scripting issue in Mermaid sandbox impacts GitLab CE/EE (High)
- Denial of Service issue in container registry impacts GitLab CE/EE (High)
- Denial of Service issue in Jira events endpoint impacts GitLab CE/EE (High)
- Regular Expression Denial of Service issue in GitLab merge requests impacts GitLab CE/EE (High)
- Missing rate limit in Bitbucket Server importer impacts GitLab CE/EE (Medium)
- Denial of Service issue in CI trigger API impacts GitLab CE/EE (Medium)
- Denial of Service issue in token decoder impacts GitLab CE/EE (Medium)
- Improper Access Control issue in Conan package registry impacts GitLab EE (Medium)
- Access Control issue in CI job mutation impacts GitLab CE/EE (Medium)
CVE-2026-0752 - Cross-site Scripting issue in Mermaid sandbox impacts GitLab CE/EE
GitLab has remediated an issue that, under certain circumstances, could have allowed an unauthenticated user to inject arbitrary scripts into the Mermaid sandbox UI.
Impacted Versions: GitLab CE/EE: all versions from 16.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
CVSS 8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)
Thanks aphantom for reporting this vulnerability through our HackerOne bug bounty program
CVE-2025-14511 - Denial of Service issue in container registry impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to cause denial of service by sending specially crafted files to the container registry event endpoint under certain conditions.
Impacted Versions: GitLab CE/EE: all versions from 12.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-1662 - Denial of Service issue in Jira events endpoint impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to cause denial of service by sending specially crafted requests to the Jira events endpoint.
Impacted Versions: GitLab CE/EE: all versions from 14.4 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-1388 - Regular Expression Denial of Service issue in GitLab merge requests impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to cause regular expression denial of service by sending specially crafted input to a merge request endpoint under certain conditions.
Impacted Versions: GitLab CE/EE: all versions from 9.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks sim4n6 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-2845 - Missing rate limit in Bitbucket Server importer impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user to cause denial of service by exploiting a Bitbucket Server import endpoint via repeatedly sending large responses.
Impacted Versions: GitLab CE/EE: all versions from 11.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
This vulnerability has been discovered internally by GitLab team member Sam Word
CVE-2025-3525 - Denial of Service issue in CI trigger API impacts GitLab CE/EE
GitLab has remediated an issue that could have, under certain circumstances, allowed an authenticated user with certain access to cause denial of service by creating specially crafted CI triggers via the API.
Impacted Versions: GitLab CE/EE: all versions from 9.0 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-1725 - Denial of Service issue in token decoder impacts GitLab CE/EE
GitLab has remediated an issue that could have, under certain conditions, allowed an unauthenticated user to cause denial of service by sending specially crafted requests to a CI jobs API endpoint.
Impacted Versions: GitLab CE/EE: versions from 18.9 before 18.9.1
CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Thanks vinax for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-1747 - Improper Access Control issue in Conan package registry impacts GitLab EE
GitLab has remediated an issue that, under certain conditions, could have allowed Developer-role users with insufficient privileges to make unauthorized modifications to protected Conan packages.
Impacted Versions: GitLab EE: all versions from 17.11 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Thanks modhanami for reporting this vulnerability through our HackerOne bug bounty program
CVE-2025-14103 - Access Control issue in CI job mutation impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthorized user with Developer-role permissions to set pipeline variables for manually triggered jobs under certain conditions.
Impacted Versions: GitLab CE/EE: all versions from 17.7 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program
Bug fixes
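A defender-side triage check, added here as an example and not GitLab's own tooling: it parses the "Impacted Versions" sentences of the advisories in this patch release (18.9.1, 18.8.5, 18.7.5) and in the 18.9.2, 18.8.6, 18.7.6 release above, reports which CVEs apply to an installed version and edition, and names the smallest patched version to move to. The CVE ids, editions and version ranges are copied from the release notes on this page; the version strings passed in are constructed inputs.

```python
"""Version-range check for the GitLab advisories on this page.

Added example, not GitLab's own tooling. The CVE ids, editions and
"Impacted Versions" strings are copied verbatim from the 18.9.2/18.8.6/18.7.6
and 18.9.1/18.8.5/18.7.5 patch release notes above.
"""
import re

# (CVE id, affected editions, "Impacted Versions" text as printed on the page)
ADVISORIES = [
    # Patch release 18.9.2, 18.8.6, 18.7.6
    ("CVE-2025-12555", "CE/EE", "all versions from 15.1 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2"),
    ("CVE-2026-0602", "CE/EE", "all versions from 15.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2"),
    ("CVE-2026-1732", "CE/EE", "all versions from 12.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2"),
    ("CVE-2026-1663", "CE/EE", "all versions from 14.4 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2"),
    ("CVE-2026-1230", "CE/EE", "all versions from 1.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2"),
    ("CVE-2025-12704", "EE", "all versions from 18.2 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2"),
    ("CVE-2025-12697", "CE/EE", "all versions from 15.5 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2"),
    # Patch release 18.9.1, 18.8.5, 18.7.5
    ("CVE-2026-0752", "CE/EE", "all versions from 16.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1"),
    ("CVE-2025-14511", "CE/EE", "all versions from 12.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1"),
    ("CVE-2026-1662", "CE/EE", "all versions from 14.4 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1"),
    ("CVE-2026-1388", "CE/EE", "all versions from 9.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1"),
    ("CVE-2026-2845", "CE/EE", "all versions from 11.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1"),
    ("CVE-2025-3525", "CE/EE", "all versions from 9.0 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1"),
    ("CVE-2026-1725", "CE/EE", "versions from 18.9 before 18.9.1"),
    ("CVE-2026-1747", "EE", "all versions from 17.11 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1"),
    ("CVE-2025-14103", "CE/EE", "all versions from 17.7 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1"),
]

# One "<lower> before <upper>" clause. The leading "from" is optional because
# only the first clause of each sentence carries it.
_CLAUSE = re.compile(r"(?:from\s+)?(\d+(?:\.\d+)*)\s+before\s+(\d+(?:\.\d+)*)")


def parse_version(text):
    """'18.8.3' -> (18, 8, 3). Tuples compare the way release versions do,
    and a short tuple such as (18, 8) sorts just before (18, 8, 0)."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_ranges(impacted):
    """Turn an "Impacted Versions" sentence into [(lower, upper), ...].
    The lower bound is inclusive; the upper bound ("before X") is exclusive."""
    return [(parse_version(lo), parse_version(hi)) for lo, hi in _CLAUSE.findall(impacted)]


def affected_advisories(version, edition="EE"):
    """CVE ids on this page that cover `version` of `edition` ('CE' or 'EE')."""
    v = parse_version(version)
    hits = []
    for cve, editions, impacted in ADVISORIES:
        if edition not in editions.split("/"):
            continue  # EE-only advisory does not apply to a CE instance
        if any(lo <= v < hi for lo, hi in parse_ranges(impacted)):
            hits.append(cve)
    return hits


def minimum_fixed_version(version, edition="EE"):
    """Smallest patched version that closes every matching advisory, or None
    when nothing on this page applies. Each matching clause names its own fix
    ("before X"), so the answer is the highest X among the clauses that match."""
    v = parse_version(version)
    fixes = []
    for _cve, editions, impacted in ADVISORIES:
        if edition not in editions.split("/"):
            continue
        fixes.extend(hi for lo, hi in parse_ranges(impacted) if lo <= v < hi)
    if not fixes:
        return None
    return ".".join(str(part) for part in max(fixes))


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real instance.
    for installed in ("18.5.0", "18.8.3", "18.9.1", "18.9.2"):
        cves = affected_advisories(installed, "EE")
        print(f"{installed}: {len(cves)} advisories apply, upgrade to {minimum_fixed_version(installed)}")
```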
18.9.1
- Backport of fix semantic code search for Premium plans
- Backport of "Implement usage of namespace AI data collection setting"
- Backport of AI data collection docs
- Backport of "Add exclude_types to the get_agent_flows query"
- Backport of "Bypass group membership lock for service accounts"
- Backport 18.9 - CI - Token used for release environments
- [Backport] Zoekt Fix the bug of includeForked
- Backport of Fix adding flows when member invites are disabled
- Backport of Fix workspace PAT creation with short PAT lifetime
- Backport of Remove API dependency on composite identity onboarding
18.8.5
- Disable gitlab credits dashboard page for SM trial
- Backport: Workhorse: Ignore misconfigured redis for DWS locking
- Backport of skip rebase check for detailed merge status
- Backport of 'Time to first byte degradation on list merge requests API'
- Backport of Update gitlab-cloud-connector gem to 1.44
- Backport - Remove orphaned zoektCrossNamespaceSearch feature flag reference
- Move bot avatar assets to app/assets for proper asset pipeline inclusion
- Backport of 'Geo Primary Verification: Check actual verification state when checksumming'
- Backport of Fix introspection query
- Backport PG::UntranslatableCharacter fixes for MoveCiBuildsMetadata background migration
- Backport optimizing of the MergeRequestResetApprovals Worker
- Backport of 'Remove unused retag-gdk-image CI job'
- Backport of "Docs: Added support for Credits and DAP from 18.8 and later"
- Backport of 'Enable the disable_all_mentions FF by default '
- Backport of Validate milestone title for group import
- Backport of workhorse: Return 400 from /cable without valid websocket upgrade
- Skip Feature.enabled? override in test environment - 18.8
- [Backport] Zoekt Fix the bug of includeForked
- Backport of "Bypass group membership lock for service accounts"
- Backport of Fix adding flows when member invites are disabled
- Backport of Reset group_push_rules primary key sequence
- Backport of Fix workspace PAT creation with short PAT lifetime
- Backport Use new auth in advanced wiki search
18.7.5
- Backport of 'Fix Zoekt indexing by cleaning up replicas without indices'
- Backport of 'Time to first byte degradation on list merge requests API'
- Backport of Validate milestone title for group import
- Backport of 'Remove unused retag-gdk-image CI job'
- Backport of workhorse: Return 400 from /cable without valid websocket upgrade
- Backport of Reset group_push_rules primary key sequence
- Backport Use new auth in advanced wiki search
Important notes on upgrading
The SLES 12.5 package is not available for GitLab 18.9.1.
This patch includes database migrations that may impact your upgrade process.
Impact on your installation:
- Single-node instances: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.
- Multi-node instances: With proper zero-downtime upgrade procedures, this patch can be applied without downtime.
Post-deploy migrations
The following versions include post-deploy migrations that can run after the upgrade:
- 18.8.5
To learn more about the impact of upgrades on your installation, see:
- Zero-downtime upgrades for multi-node deployments
- Standard upgrades for single-node installations
Updating
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
Receive Patch Notifications
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
Original source - Feb 19, 2026
- Date parsed from source:Feb 19, 2026
- First seen by Releasebot:Feb 20, 2026
GitLab 18.9 Release
GitLab 18.9 launches self-hosted AI models with Duo Agent Platform, adds automated SAST vulnerability resolution, a collapsible file tree, and include-from-file CI inputs. It also brings web-based commit signing on gitlab.com, a container virtual registry beta, and broad security governance upgrades.
GitLab 18.9 released with self-hosted AI models
Today, we are excited to announce the release of GitLab 18.9 with GitLab Duo Agent Platform self-hosted models now available for cloud licenses, vulnerability resolution with GitLab Duo Agent Platform, navigate repositories with collapsible file tree, include CI/CD inputs from a file, and much more!
New to GitLab Duo? Ultimate with GitLab Duo Agent Platform trials are now available for both GitLab.com and GitLab Self-Managed.
These are just a few highlights from the 25+ improvements in this release. Read on to check out all of the great updates below.
To the wider GitLab community, thank you for the 530+ contributions you provided to GitLab 18.9! At GitLab, everyone can contribute and we couldn't have done it without you!
To preview what's coming in next month’s release, check out our What's new page.
Notable Contributor
This month's Notable Contributor is awarded to Pooja Ghanghas
Pooja has made significant contributions to ongoing efforts at GitLab to migrate legacy dropdown components to our modern dropdown architecture. These migrations require careful attention to detail and an understanding of both the old and new component systems. Pooja has consistently delivered high-quality work across multiple migrations, including updates to the diff file header, code block bubble menu, oncall schedules rotation assignee component, and the new resource dropdown.
Peter Hegman, Staff Frontend Engineer on Tenant Scale::Organizations at GitLab, nominated Pooja for this recognition, noting: “These migrations can be pretty tricky and she has completed a number of them. Thanks for your contributions!”
Beyond these migration efforts, Pooja has also contributed to feature development, including adding statuses to milestones and iterations, a feature she put significant effort into getting merged.
Marc Saleiko, Staff Fullstack Engineer on Plan:Project Management at GitLab, recognised her work: “This is a valuable contribution and you did a great job delivering this functionality!” Reflecting on her experience, Pooja shared: “I’m proud of how it turned out and it was a great learning experience for me.”
She has also contributed numerous bug fixes and maintenance improvements across the GitLab codebase. Pooja’s work directly improves the maintainability and consistency of the GitLab user interface, making it easier for both contributors and team members to build and maintain features, and helping move the GitLab frontend architecture forward.
Thank you, Pooja, for your continued contributions to improving the GitLab codebase and for being such a reliable member of our contributor community!
Want to learn more about Pooja’s contributions? Check out her GitLab profile.
Key improvements released in GitLab 18.9
GitLab Duo Agent Platform Self-Hosted models now available for cloud licenses
GitLab Duo Agent Platform is now generally available for GitLab Self-Managed customers with a cloud license. Billing for this feature is usage-based.
Administrators can configure compatible models for use with GitLab Duo Agent Platform. Administrators using AWS Bedrock or Azure OpenAI can also configure Anthropic Claude or OpenAI GPT models.
Not yet on Ultimate? Start a free trial with Duo Agent Platform included.
Vulnerability resolution with GitLab Duo Agent Platform (Beta)
Triaging and remediating SAST vulnerabilities is one of the most time-consuming tasks in application security. After identifying a real vulnerability, developers need to understand the finding, locate the affected code, and write an appropriate fix, all of which take time and specialized knowledge. In GitLab 18.9, we’re introducing Agentic SAST Vulnerability Resolution. When you trigger resolution for a SAST vulnerability, GitLab Duo autonomously analyzes the finding, reasons through the surrounding code context, generates a context-aware fix, and creates a merge request without any manual intervention.
Key capabilities include:
- Agentic multi-step resolution: Rather than producing a single code suggestion, the GitLab Duo Agent Platform reasons through the vulnerability, evaluates the codebase, and produces a well-informed fix.
- Automatic merge request creation: Generates a ready-to-review merge request with the proposed code fix for critical and high severity SAST vulnerabilities.
- Quality scoring: Each generated fix includes a quality assessment so reviewers can quickly gauge confidence in the proposed remediation.
SAST vulnerability resolution is available from the vulnerability report and the individual vulnerability details pages. You can trigger a resolution directly from the individual vulnerability details page.
This feature is available as a free beta for Ultimate customers. We welcome your feedback in issue 585626.
Navigate repositories with collapsible file tree
You can now browse repository files with a collapsible file tree. The tree provides a comprehensive view of your project structure, so you can expand and collapse directories inline, jump between files in different parts of your repository, and maintain context while you work.
The file tree appears as a resizable sidebar when you view repository files or directories. You can toggle visibility with keyboard shortcuts, filter files by name or extension, and navigate through complex project hierarchies. The tree synchronizes with your current location, so when you select a file in the main content area, the tree updates to show that file.
Your existing repository structure and file organization remain unchanged. With fewer page loads required to move between files, this feature scales from small projects to large codebases with thousands of files.
Include CI/CD inputs from a file
Previously, pipeline inputs could only be defined directly within a pipeline’s spec section. This limitation made it challenging to reuse input configuration across multiple projects.
In this release, you can include input definitions from external files using the familiar include keyword. Keeping the list of inputs in one place gives you a manageable setup across many projects or pipelines: you can maintain centralized input configurations and even manage input values dynamically from external sources.
Web-based commit signing on GitLab.com
Ensuring commits are cryptographically signed is essential for code integrity and meeting compliance requirements. Previously, web-based commit signing was only available for GitLab Self-Managed.
GitLab.com now supports web-based commit signing. When enabled for a group or project, commits created through the GitLab web interface are automatically signed with the GitLab signing key and are displayed with a Verified badge, providing cryptographic proof of authenticity for your repositories.
Key details:
- Enable in group or project settings based on your requirements.
- All web-based commits (Web IDE edits, merges, API operations) are automatically signed when enabled.
This brings the GitLab.com security capabilities in line with GitLab Self-Managed and provides the foundation for comprehensive commit signing policies across your organization.
Container virtual registry now available (Beta)
Modern container-based development requires accessing images from multiple registries including Docker Hub, Harbor, Quay, and private registries. Without a container virtual registry, platform engineers must configure each project and CI/CD pipeline to authenticate with and pull from multiple registries individually. This creates configuration complexity, slows pulls with sequential registry queries, and makes it difficult to implement consistent security policies across container sources.
The container virtual registry addresses these challenges by aggregating multiple upstream container registries behind a single endpoint. Platform engineers can configure Docker Hub, Harbor, Quay, and other registries with long-lived token authentication through one URL. Intelligent caching improves pull performance while integrating with the GitLab authentication systems for centralized access control and audit logging.
The container virtual registry API is currently available in beta for GitLab Premium and Ultimate customers. Beta participants can use the GitLab API to create container virtual registries, configure multiple upstream sources with shareable configurations, and pull container images through the virtual registry. Please note the beta does not support registries that require IAM authentication. Support for cloud provider registries requiring IAM authentication is tracked in this epic.
On GitLab.com, this feature is behind a feature flag. To request access or share feedback, please comment in the feedback issue.
Other improvements in GitLab 18.9
Rapid Diffs improves performance for commit changes
Reviewing commits with many changed files or substantial modifications can be slow. Rapid Diffs technology now powers the commits page (/-/commits/), delivering faster loading times, smoother scrolling, and more responsive interactions.
With Rapid Diffs, you’ll notice:
- A pagination-free experience.
- Faster initial load, so you can start working with code sooner.
- A refreshed interface with a new file browser for quicker navigation between files.
- Responsive interactions, even with large numbers of changed files.
All existing functionality is preserved. As Rapid Diffs expands to other areas of GitLab, the same performance benefits will follow.
Support for Bitbucket Cloud API tokens in import API
The GitLab import API now supports Bitbucket Cloud API tokens, providing a more secure way to import repositories from Bitbucket Cloud.
Atlassian has deprecated app passwords in favor of API tokens, and we’re planning to remove support for app passwords in 19.0.
Importing from Bitbucket Cloud through the GitLab UI is not affected by this change.
CI/CD Catalog component analytics
Previously, teams lacked visibility into how CI/CD Catalog component projects were being used across their organization. Now you can view usage counts and adoption patterns at a high level, helping you understand which component projects are most valuable and optimize your catalog investments.
View security reports from child pipelines in merge requests
You can now view security and compliance reports from child pipelines directly in merge request widgets. Previously, you had to manually navigate through multiple pipelines to identify security issues, creating inefficient workflows especially with monorepos and complex testing setups.
With this enhancement, the merge request widget displays reports from child pipelines directly alongside parent pipeline results, with each child pipeline’s reports presented individually and artifacts available for download. This provides a unified view of all security checks, significantly reducing time spent investigating failures and enables faster merge request reviews when using parent-child pipelines.
Dependency Scanning with SBOM support for Python requirements.txt manifest files
GitLab dependency scanning by using SBOM now supports scanning Python requirements.txt manifest files. Previously, dependency scanning for Python projects required a lock file to be present. Now, when a lock file is not available, the analyzer automatically falls back to scanning requirements.txt files, extracting and reporting only direct dependencies for vulnerability analysis. This improvement makes it easier for Python projects to enable dependency scanning without requiring a lock file.
To enable manifest fallback, set the DS_ENABLE_MANIFEST_FALLBACK CI/CD variable to "true".
Security attributes
Security attributes, introduced as a beta in GitLab 18.6, are now generally available.
Security attributes allow security teams to apply business context to their projects, including business impact, application, business unit, internet exposure, and location. You can also create custom attribute categories to match your organization’s taxonomy. By applying these attributes, you can filter and prioritize the items in your security inventory based on risk posture and organizational context.
GitLab Duo Agent Platform available in Ultimate trials
Teams evaluating GitLab can now test agentic AI capabilities that automate complex development workflows and reduce manual tasks. Sign up for a GitLab Ultimate trial and get access to Duo Agent Platform with 24 evaluation credits per user, enabling hands-on experience with autonomous task execution and multi-step workflow orchestration during a 30-day evaluation. Evaluation credits are available for 30 days from the provision date, so consider your team’s readiness before starting.
Current paid customers can access evaluation credits through their account team.
Archive a group and its content
Managing completed initiatives and abandoned projects is now easier. You can now archive entire groups, including all subgroups and projects, in one action, eliminating the need to manually archive each project individually.
When you archive a group:
- All nested subgroups and projects are automatically archived.
- Archived content moves to the Inactive tab with clear status badges.
- Group data remains fully accessible in read-only mode for reference or restoration.
- Write permissions are disabled across the archived group and its content.
Beyond the Settings page, you can archive groups and projects directly from the actions menu in list views. No more navigating through multiple screens for simple administrative tasks. This highly requested feature dramatically reduces administrative overhead while keeping your workspace organized with clear separation between active and inactive work.
OAuth support in JetBrains IDEs for Self-Managed and Dedicated
The GitLab Duo plugin for JetBrains IDEs now supports OAuth authentication for GitLab Self-Managed and GitLab Dedicated. This means all JetBrains users can now enjoy a faster, more secure sign-in experience. No personal access token required.
Zero Downtime Upgrades now supported for Helm chart deployments
Zero Downtime Upgrades are now officially supported for GitLab Helm chart deployments.
Enterprise customers require their DevSecOps platform to be available at all times, making upgrade-related downtime a significant operational concern. Until now, Zero Downtime Upgrades were only supported for Linux package-based high availability deployments, which drove many customers toward VM-based architectures even when cloud-native Kubernetes deployments would have better suited their infrastructure strategy.
We’ve been upgrading our own Cloud Native Hybrid SaaS instances with zero downtime for years. With this release, we’re bringing that same operational experience to self-managed customers running GitLab on Kubernetes.
The upgrade procedure has been comprehensively tested and is now fully documented, giving you the confidence to maintain availability during version upgrades.
Restrict personal snippets for enterprise users
Organizations using GitLab.com need to ensure that enterprise users don’t accidentally expose sensitive code through personal snippets. Previously, there was no way to prevent users from creating snippets in their personal namespace, which can pose a security risk if snippets are inadvertently set to public.
Group Owners can now restrict personal snippet creation for enterprise users, helping maintain tighter control over where code is shared. When restricted, enterprise users cannot create snippets in their personal namespace.
Add timestamps to CI job logs
You can now view timestamps on each CI job log line to identify performance bottlenecks and debug long-running jobs. Timestamps are displayed in UTC format. Use timestamps to troubleshoot performance issues, identify bottlenecks, and measure the duration of specific build steps. Requires GitLab Runner 18.7 or later for GitLab Self-Managed.
View CI/CD job metrics for projects (limited availability)
GitLab CI/CD analytics now combines CI/CD pipeline and CI/CD job performance trends, which enables developers to identify inefficient or problematic CI/CD jobs quickly. These capabilities are included directly in the GitLab UI, so developers have the tools they need in context to identify and fix CI/CD performance problems that can significantly impact development teams’ velocity and overall productivity. For platform administrators, the CI/CD jobs data in this view also reduces the need to rely on external or custom-built CI/CD observability solutions when you operate GitLab at an enterprise scale.
Dependency Scanning with SBOM support for Java pom.xml manifest files
GitLab dependency scanning by using SBOM now supports scanning Java pom.xml manifest files. Previously, dependency scanning for Java projects using Maven required a graph file to be present. Now, when a graph file is not available, the analyzer automatically falls back to scanning pom.xml files, extracting and reporting only direct dependencies for vulnerability analysis. This improvement makes it easier for Java projects to enable dependency scanning without requiring a graph file.
To enable manifest fallback, set the DS_ENABLE_MANIFEST_FALLBACK CI/CD variable to "true".
Centralized security governance and configuration
Manage and visualize security scanner coverage across your organization. This release introduces security configuration profiles, starting with the secret detection profile. Security teams now have a more powerful command center to secure your organization at scale.
Profile-based security configuration
Instead of manually editing YAML files for each project, you can now use preconfigured security configuration profiles that provide several advantages:
- Standardized governance: Preconfigured profiles apply appropriate boundaries without interrupting productivity. You can apply standardized security best practices, without requiring custom role configurations.
- Scalable management: Apply the same profile across hundreds or thousands of projects with a single action.
The secret detection profile is the first security configuration profile available. It provides the following advantages:
- Actively identifies and blocks secrets from being committed to your repositories.
- One profile manages secret detection across your entire development workflow. No need to manage separate configurations for different trigger types.
Enhanced security inventory
The security inventory has been upgraded to act as your primary dashboard to assess each group’s security posture:
- Group and project hierarchies: Easily distinguish between subgroups and projects in the inventory with clear iconography.
- Bulk actions: A new Bulk Action menu allows you to apply or disable security scanner profiles across all selected projects and subgroups simultaneously.
- Visual coverage status: Quickly identify gaps with color-coded status bars (Enabled, Not Enabled, or Failed) with tooltips for details.
- Profile status indicators: See which trigger types are available in the profile details.
Security dashboards: Vulnerabilities over time chart improvements
The Vulnerabilities over time chart is updated to provide a more accurate view of your vulnerability inventory.
The chart previously included vulnerabilities that were no longer detected, leading to inflated numbers that did not accurately represent the state of active vulnerabilities.
We are aware of two additional issues that may slightly alter counts in some cases. Follow issue 590022 and issue 590018 for updates.
Non-billable Minimal Access users
Previously, organizations that used identity providers to automate user provisioning on GitLab Self-Managed Premium could run into a problem: when an identity provider sync tried to add users beyond the licensed seat limit, administrators had to either purchase extra seats for users who didn't need active access or intervene manually to prevent failures. Now, users with the Minimal Access role on GitLab Self-Managed Premium subscriptions no longer count as billable seats, bringing them in line with how minimal access works on GitLab.com Premium, GitLab.com Ultimate, and GitLab Self-Managed Ultimate. This change unlocks the restricted access feature, which automatically assigns the Minimal Access role to users who would otherwise exceed the seat limit during identity provider syncs, so syncs keep running without unexpected billing overages or manual intervention.
Geo data management view on primary site
You can now troubleshoot and verify data integrity directly from the primary site, thanks to the new data management view that brings detailed verification status information to the primary Geo site. This enhancement eliminates the need to access secondary sites for basic verification and troubleshooting tasks.
Previously, this verification status was only accessible through the secondary site UI. Now, with the data management view on the primary site, you can:
- View detailed verification status for all replicable data types on the primary site
- Perform data sanitization and troubleshooting tasks directly from the primary UI
- Set up and verify your Geo configuration on the primary site before adding secondary sites
This enhancement is the first step toward comprehensive self-serve troubleshooting with the UI, reducing the need to access multiple sites for routine maintenance and issue resolution.
Valkey as replacement option for Redis (Beta)
Starting with GitLab 18.9, Valkey is bundled as an opt-in replacement for Redis in the Linux package. Redis changed their license to AGPLv3, which is not suitable for open source customers. To guarantee security and maintainability for our GitLab Self-Managed customers, we are transitioning from Redis to Valkey, a community-driven fork that maintains the permissive BSD license.
Transition timeline:
- GitLab 18.9 (this release): Valkey is bundled as an opt-in replacement (beta). You can switch from Redis to Valkey at your convenience. Valkey Sentinel support is included.
- GitLab 19.0 (May 2026): Valkey becomes the default and Redis binaries are removed from the Linux package. Existing Redis configuration settings remain functional and are honored for backwards compatibility.
This transition only affects the bundled Redis in Linux packages. Customers on scaled architectures using external Redis deployments can continue to use Redis. We are monitoring the potential feature divergence between Redis and Valkey and will provide guidance as the ecosystem evolves.
Bug fixes, performance improvements, and UI improvements
At GitLab, we’re dedicated to providing the best possible experience for our users. With every release, we work tirelessly to fix bugs, improve performance, and enhance UI. Whether you’re one of the over 1 million users on GitLab.com or using our platform elsewhere, we’re committed to making sure your time with us is smooth and seamless.
Click the links below to see all the bug fixes, performance enhancements, and UI improvements we’ve delivered in 18.9.
Deprecations
New deprecations and the complete list of all features that are currently deprecated can be viewed in the GitLab documentation. To be notified of upcoming breaking changes, subscribe to our Breaking Changes RSS feed.
Removals and breaking changes
The complete list of all removed features can be viewed in the GitLab documentation. To be notified of upcoming breaking changes, subscribe to our Breaking Changes RSS feed.
Important notes on upgrading to GitLab 18.9
GitLab has been upgraded to use Ruby 3.3. This upgrade introduces improvements to the Ruby garbage collector, such as a reduction in heap fragmentation and time spent in major garbage collection.
For self-compiled installations, when upgrading to GitLab 18.9 or later, administrators must have Ruby 3.3.x or later. This change is necessary because Ruby 3.2 reaches its end-of-life on March 31, 2026, and will no longer receive official updates or support.
Please check out the changelog to see all the named changes: GitLab, GitLab Runner, GitLab Workflow for VS Code, GitLab CLI.
If you are setting up a new GitLab installation please see the download GitLab page.
Check out our update page.
We'd love to hear your thoughts! Visit the GitLab Forum and let us know if you have questions about the release.
GitLab Subscription Plans
- Free - Free-forever features for individual users
- Premium - Enhance team productivity and coordination
- Ultimate - Organization wide security, compliance, and planning
Try all GitLab features - free for 30 days.
Original source - Feb 10, 2026
- Date parsed from source:Feb 10, 2026
- First seen by Releasebot:Feb 11, 2026
GitLab Patch Release: 18.8.4, 18.7.4, 18.6.6
GitLab rolls out patch releases 18.8.4, 18.7.4, and 18.6.6 with critical security fixes and bug fixes. Self‑managed users are urged to upgrade now while GitLab.com is already patched. Clear upgrade guidance and security emphasis boost trust.
Learn more about GitLab Patch Release: 18.8.4, 18.7.4, 18.6.6 for GitLab Community Edition (CE) and Enterprise Edition (EE)
Today, we are releasing versions 18.8.4, 18.7.4, 18.6.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
Recommended Action
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
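A practical way to act on this recommendation is to check the version you run against the advisory's ranges mechanically rather than by eye. The Python below is an added example for this page, not GitLab tooling: the ADVISORY rows copy the "Impacted Versions" text, listed scores and CVSS vectors from a subset of the Security fixes entries that follow, the range parser understands the "from A before B, C before D" phrasing GitLab uses, and the CVSS 3.1 base-score arithmetic follows the public FIRST specification so each listed score can be cross-checked against its vector. Function names and the choice of CVEs are the example's own.

```python
"""Triage a GitLab patch advisory against the version you run.

Added example for this page, not GitLab tooling. The ADVISORY rows are copied
from the 18.8.4 / 18.7.4 / 18.6.6 Security fixes entries (a subset of the
fifteen CVEs); everything else (names, structure) is the example's own.
"""
import math
import re
from typing import List, Tuple

# (CVE, listed severity, "Impacted Versions" text, listed CVSS score, vector)
ADVISORY = [
    ("CVE-2025-7659", "High",
     "all versions from 18.2 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4",
     8.0, "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"),
    ("CVE-2025-8099", "High",
     "all versions from 10.8 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4",
     7.5, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"),
    ("CVE-2026-1456", "Medium",
     "all versions from 18.7 before 18.7.4, and 18.8 before 18.8.4",
     6.5, "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"),
    ("CVE-2026-1094", "Medium",
     "all versions from 18.8 before 18.8.4",
     4.6, "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"),
    ("CVE-2025-14592", "Low",
     "all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4",
     3.7, "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"),
]

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'18.7' -> (18, 7, 0): pad to three parts so '18.7' compares as 18.7.0."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


# GitLab phrases ranges as "from A before B, C before D, and E before F".
RANGE_RE = re.compile(r"(\d+(?:\.\d+)*)\s+before\s+(\d+(?:\.\d+)*)")


def parse_ranges(impacted: str) -> List[Tuple[Version, Version]]:
    """Each 'A before B' becomes the half-open range [A, B)."""
    return [(parse_version(a), parse_version(b)) for a, b in RANGE_RE.findall(impacted)]


def is_affected(installed: str, impacted: str) -> bool:
    v = parse_version(installed)
    return any(lo <= v < hi for lo, hi in parse_ranges(impacted))


def affecting(installed: str) -> List[str]:
    """CVE ids in ADVISORY whose ranges cover the installed version."""
    return [cve for cve, _, impacted, _, _ in ADVISORY if is_affected(installed, impacted)]


# CVSS 3.1 base-metric weights and formula (FIRST specification, section 7).
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
_AC = {"L": 0.77, "H": 0.44}
_PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
_PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def roundup(x: float) -> float:
    """Spec 'Roundup': smallest one-decimal value >= x, computed on integers."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (i // 10000 + 1) / 10.0


def cvss31_base(vector: str) -> float:
    m = dict(part.split(":") for part in vector.split("/")[1:])
    changed = m["S"] == "C"
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    pr = (_PR_CHANGED if changed else _PR_UNCHANGED)[m["PR"]]
    exploitability = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * pr * _UI[m["UI"]]
    if impact <= 0:
        return 0.0
    total = 1.08 * (impact + exploitability) if changed else impact + exploitability
    return roundup(min(total, 10))


def scores_match() -> bool:
    """Cross-check each listed score against what its vector yields."""
    return all(cvss31_base(vec) == score for _, _, _, score, vec in ADVISORY)


if __name__ == "__main__":
    for ver in ("18.7.2", "18.8.4"):
        print(ver, "affected by", affecting(ver) or "nothing in this advisory")
    print("listed scores consistent with vectors:", scores_match())
```

The ranges are treated as half-open, so the fixed versions themselves (18.6.6, 18.7.4, 18.8.4) and anything newer report as unaffected; a version such as 18.7.2 matches the middle range of every entry that lists one. The parser only covers the "A before B" phrasing used in this advisory, not the multi-branch wording of the AI Gateway advisory further down.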
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
Security fixes
Table of security fixes
| Title | Severity |
| --- | --- |
| Incomplete Validation issue in Web IDE impacts GitLab CE/EE | High |
| Denial of Service issue in GraphQL introspection impacts GitLab CE/EE | High |
| Denial of Service issue in JSON validation middleware impacts GitLab CE/EE | High |
| Cross-site Scripting issue in Code Flow impacts GitLab CE/EE | High |
| HTML Injection issue in test case titles impacts GitLab CE/EE | High |
| Denial of Service issue in Markdown processor impacts GitLab CE/EE | Medium |
| Denial of Service issue in Markdown Preview impacts GitLab CE/EE | Medium |
| Denial of Service issue in dashboard impacts GitLab EE | Medium |
| Server-Side Request Forgery issue in Virtual Registry impacts GitLab EE | Medium |
| Improper Validation issue in diff parser impacts GitLab CE/EE | Medium |
| Server-Side Request Forgery issue in Git repository import impacts GitLab CE/EE | Medium |
| Authorization Bypass issue in iterations API impacts GitLab EE | Medium |
| Missing Authorization issue in GLQL API impacts GitLab CE/EE | Low |
| Stored HTML Injection issue in project label impacts GitLab CE/EE | Low |
| Authorization Bypass issue in Pipeline Schedules API impacts GitLab CE/EE | Low |
CVE-2025-7659 - Incomplete Validation issue in Web IDE impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to steal tokens and access private repositories by abusing incomplete validation in the Web IDE.
Impacted Versions: GitLab CE/EE: all versions from 18.2 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)
Thanks cav0ur for reporting this vulnerability through our HackerOne bug bounty program
CVE-2025-8099 - Denial of Service issue in GraphQL introspection impacts GitLab CE/EE
GitLab has remediated an issue that, under certain conditions, could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries.
Impacted Versions: GitLab CE/EE: all versions from 10.8 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks foxribeye for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-0958 - Denial of Service issue in JSON validation middleware impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to cause denial of service through memory or CPU exhaustion by bypassing JSON validation middleware limits.
Impacted Versions: GitLab CE/EE: all versions from 18.4 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks elbo7 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2025-14560 - Cross-site Scripting issue in Code Flow impacts GitLab CE/EE
GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to perform unauthorized actions on behalf of another user by injecting content into vulnerability code flow.
Impacted Versions: GitLab CE/EE: all versions from 17.1 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-0595 - HTML Injection issue in test case titles impacts GitLab CE/EE
GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to add unauthorized email addresses to user accounts through HTML injection in test case titles.
Impacted Versions: GitLab CE/EE: all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-1458 - Denial of Service issue in Markdown processor impacts GitLab CE/EE
GitLab has remediated an issue that, under certain conditions, could have allowed an unauthenticated user to cause denial of service by uploading specifically crafted files.
Impacted Versions: GitLab CE/EE: all versions from 8.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks maksyche for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-1456 - Denial of Service issue in Markdown Preview impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to cause denial of service through CPU exhaustion by submitting specially crafted markdown files that trigger exponential processing in markdown preview.
Impacted Versions: GitLab CE/EE: all versions from 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks maksyche for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-1387 - Denial of Service issue in dashboard impacts GitLab EE
GitLab has remediated an issue that could have allowed an authenticated user to cause denial of service by uploading a specially crafted file to the dashboard and repeatedly sending GraphQL queries to parse it.
Impacted Versions: GitLab EE: all versions from 15.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2025-12575 - Server-Side Request Forgery issue in Virtual Registry impacts GitLab EE
GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user with certain permissions to perform server-side request forgery against internal network services.
Impacted Versions: GitLab EE: all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
Thanks go7f0qho for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-1094 - Improper Validation issue in diff parser impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated developer to hide specially crafted file changes from the WebUI.
Impacted Versions: GitLab CE/EE: all versions from 18.8 before 18.8.4
CVSS 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
Thanks u3mur4 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2025-12073 - Server-Side Request Forgery issue in Git repository import impacts GitLab CE/EE
GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to perform server-side request forgery against internal services by bypassing protections in the Git repository import functionality.
Impacted Versions: GitLab CE/EE: all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Thanks yunus0x for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-1080 - Authorization Bypass issue in iterations API impacts GitLab EE
GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to access iteration data from private descendant groups by querying the iterations API endpoint.
Impacted Versions: GitLab EE: all versions from 16.7 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2025-14592 - Missing Authorization issue in GLQL API impacts GitLab CE/EE
GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to perform unauthorized operations by submitting GraphQL mutations through the GLQL API endpoint.
Impacted Versions: GitLab CE/EE: all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2026-1282 - Stored HTML Injection issue in project label impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user to inject content into project label titles.
Impacted Versions: GitLab CE/EE: all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)
Thanks rafabd1 for reporting this vulnerability through our HackerOne bug bounty program
CVE-2025-14594 - Authorization Bypass issue in Pipeline Schedules API impacts GitLab CE/EE
GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to view certain pipeline values by querying the API.
Impacted Versions: GitLab CE/EE: all versions from 17.11 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
Thanks sndd for reporting this vulnerability through our HackerOne bug bounty program
Bug fixes
18.8.4
- Backport dependency update golang/go to v1.24.12
- Backport of Fix project state getting out of sync when deletion fails
- Backport of 'Add migrations for missing merge_requests stage 2 indexes for bigint'
- Backport-Group/Global search should not show code tab if no zoekt nodes are available & advanced search is off
- [Backport 18.8] Exclude Git LFS paths from Git HTTP throttling
- Backport of Add REST endpoint for seeding external agents
- Backport of Update seeded third party flows descriptions
- Backport of Add seed external agents button to Admin > GitLab Duo
- Backport of 'Fix Duo Enterprise add-on check to use seat assignment instead of namespace membership'
- Backport of 'Add paidTierTrial to subscriptionUsage GraphQL API'
- [Backport] Add preflight checks to resume_indexing rake task
- Backport: DAP onboarding UX
- Backport of 'Add usage billing paid tier trial card'
- Backports 'Fixes duo chat visible if user does not have permission'
- Backport of 'Fix Zoekt indexing by cleaning up replicas without indices'
- Flip dap_onboarding_empty_states back off
- Disable credits page for SM in trial
- Backport of 'Update dependency gitlab-cloud-connector to 1.43.0'
- Backport Go 1.24.12 to 18-8-Stable
- [18.8] Backport Mattermost Security Updates January 15, 2026
18.7.4
- Backport of 'Fix: DAP enablement setting availability'
- 18.7 Backport of 'Fix PipelineSecurityReportFindings query timeout'
- [Backport] Add preflight checks to resume_indexing rake task
- [18.7] Backport Mattermost Security Updates January 15, 2026
18.6.6
- 18.6 Backport of 'Fix PipelineSecurityReportFindings query timeout'
- [Backport] Add preflight checks to resume_indexing rake task
- [18.6] Backport Mattermost Security Updates January 15, 2026
GitLab Ultimate trials updated to include GitLab Duo Agent Platform
GitLab.com Ultimate trials now include evaluation credits for GitLab Duo Agent Platform. On GitLab.com, signing up for an Ultimate trial provides 24 evaluation credits per user for 30 days to exercise agentic AI capabilities such as autonomous task execution and multi‑step workflow orchestration. Self-managed customers should update to GitLab 18.9 upon release to get the best trial experience. GitLab.com free tier namespaces can start an Ultimate trial today.
Start your free trial. Current paid customers can request evaluation credits through their account team and begin technical setup ahead of the 18.9 release. Contact Sales to learn more.
Important notes on upgrading
This patch includes database migrations that may impact your upgrade process.
Impact on your installation:
- Single-node instances: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.
- Multi-node instances: With proper zero-downtime upgrade procedures, this patch can be applied without downtime.
Post-deploy migrations
The following versions include post-deploy migrations that can run after the upgrade:
- 18.8.4
To learn more about the impact of upgrades on your installation, see:
- Zero-downtime upgrades for multi-node deployments
- Standard upgrades for single-node installations
Updating
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
Receive Patch Notifications
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
Original source - Feb 6, 2026
- Date parsed from source:Feb 6, 2026
- First seen by Releasebot:Feb 7, 2026
GitLab AI Gateway Critical Patch Release: 18.6.2, 18.7.1, and 18.8.1
GitLab AI Gateway releases 18.6.2, 18.7.1, and 18.8.1 for self‑hosted deployments with a critical security fix. Self‑hosted users are urged to upgrade quickly; hosted customers are protected. This is a shipped patch release.
Learn more about GitLab AI Gateway Release: 18.6.2, 18.7.1, and 18.8.1 for GitLab Duo Self-hosted
Today, we are releasing versions 18.6.2, 18.7.1, and 18.8.1 of the GitLab AI Gateway.
These versions contain a critical security fix for GitLab Duo Self-Hosted AI Gateway, and we strongly recommend that all Self Managed customers with GitLab Duo Self-Hosted installations update to one of these versions immediately.
A fix has already been deployed for the GitLab-hosted AI Gateway. Customers using GitLab.com, GitLab Dedicated, and GitLab Self Managed instances with GitLab-hosted AI Gateway are protected and do not need to take action.
Recommended Action
We strongly recommend that all GitLab Duo Self-Hosted installations running a version of self-hosted AI Gateway affected by the issue described below are upgraded to the latest version as soon as possible.
Security fixes
Table of security fixes
| Title | Severity |
| --- | --- |
| Insecure Template expansion issue impacts GitLab AI Gateway | Critical |
CVE-2026-1868 - Insecure Template expansion issue impacts GitLab AI Gateway
The Duo Workflow Service component of GitLab AI Gateway before versions 18.6.2, 18.7.1, and 18.8.1 is vulnerable to insecure template expansion of user supplied data via crafted Duo Agent Platform Flow definitions. Authenticated access to the GitLab instance is required. This vulnerability could be used to cause Denial of Service or gain code execution on the Gateway.
Impacted Versions: GitLab AI Gateway: all versions from 18.1.6, 18.2.6, and 18.3.1 before 18.6.2, 18.7.1, and 18.8.1
CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
This vulnerability was discovered internally by GitLab team member Joern Schneeweisz.
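The advisory names the class of bug but not the affected code path, so the Python below is an added illustration of that class using only the standard library; it is not the AI Gateway's code and does not reproduce the reported issue. FlowContext, the two expand_prompt_* functions, the prompt format and the UPSTREAM_TOKEN constant are constructed stand-ins. It shows the read primitive that expanding a user-supplied template with str.format() hands an authenticated user, beside a constrained expansion that only substitutes an allowlist of plain strings; the DoS and code-execution outcomes the advisory mentions are not demonstrated.

```python
"""Insecure versus constrained expansion of a user-supplied template.

Added illustration of the bug class behind CVE-2026-1868 (insecure template
expansion of user-controlled flow definitions). This is NOT the AI Gateway
code: FlowContext, the expand_prompt_* functions, the prompt format and
UPSTREAM_TOKEN are constructed stand-ins. What it shows is general: Python's
str.format() field syntax lets whoever writes the template walk attributes and
dict keys of every object passed in, so a template the user controls becomes
a read primitive over the process.
"""
import string

# Constructed stand-in for a credential the service holds in memory.
UPSTREAM_TOKEN = "glpat-example-not-a-real-token"


class FlowContext:
    """The values a flow prompt is legitimately allowed to reference."""

    def __init__(self, project: str, user: str) -> None:
        self.project = project
        self.user = user


def expand_prompt_insecure(template: str, ctx: FlowContext) -> str:
    """VULNERABLE: `template` arrives in the flow definition (user input) and goes
    straight to str.format(), whose fields allow `.attr` and `[key]` traversal."""
    return template.format(ctx=ctx)


def expand_prompt_safe(template: str, ctx: FlowContext, max_len: int = 4096) -> str:
    """HARDENED: string.Template only knows `$name` / `${name}` placeholders (no
    attribute or index syntax), and only an explicit allowlist of plain strings is
    exposed. Unknown or malformed placeholders are refused, not passed through."""
    if len(template) > max_len:  # bound the work done on attacker-controlled input
        raise ValueError("template too long")
    allowed = {"project": ctx.project, "user": ctx.user}
    # A malformed placeholder such as '${ctx.__init__}' makes substitute() raise
    # ValueError by itself; a well-formed but unlisted name raises KeyError.
    try:
        return string.Template(template).substitute(allowed)
    except KeyError as exc:
        raise ValueError(f"unknown placeholder: {exc.args[0]}") from None


# Constructed malicious flow prompt: no eval, just str.format field syntax reaching
# the module globals through the bound method's __globals__ dict.
MALICIOUS_PROMPT = ("Summarise {ctx.project} for {ctx.user}. "
                    "{ctx.__init__.__globals__[UPSTREAM_TOKEN]}")
BENIGN_PROMPT_SAFE = "Summarise $project for $user."


def leaked_via_insecure() -> str:
    """Returns the expanded prompt; on the vulnerable path it contains the token."""
    return expand_prompt_insecure(MALICIOUS_PROMPT, FlowContext("grp/app", "alice"))


def hardened_rejects() -> bool:
    """The same intent fails on the hardened path for both placeholder spellings."""
    ctx = FlowContext("grp/app", "alice")
    for payload in ("$ctx.__init__.__globals__[UPSTREAM_TOKEN]",
                    "${ctx.__init__.__globals__[UPSTREAM_TOKEN]}"):
        try:
            expand_prompt_safe(payload, ctx)
            return False  # expanded without complaint: still vulnerable
        except ValueError:
            continue
    return True


if __name__ == "__main__":
    print("insecure:", leaked_via_insecure())
    print("hardened rejects traversal:", hardened_rejects())
    print("hardened benign:",
          expand_prompt_safe(BENIGN_PROMPT_SAFE, FlowContext("grp/app", "alice")))
```

The hardened version keeps functional parity for legitimate prompts (the benign template expands to the same text either way) while removing the traversal syntax altogether, which is the property to look for in whatever engine a service uses: user-controlled templates should see a fixed set of plain values, never live objects, and should be size-bounded before any parsing happens.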
Updating
To update GitLab Duo Self-Hosted, see the GitLab Duo Self-Hosted install documentation.
Receive Patch Notifications
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
Original source
- Feb 4, 2026
- Date parsed from source:Feb 4, 2026
- First seen by Releasebot:Feb 5, 2026
GitLab Patch Release: 18.8.3, 18.7.3, 18.6.5
GitLab rolls out patch releases 18.8.3, 18.7.3, and 18.6.5 focused on reliability, entitlement handling, and feature-flag consistency across Duo deployments. Backports and hardening updates improve stability with no new migrations or security fixes.
GitLab releases 18.8.3, 18.7.3, and 18.6.5
Today we are releasing versions 18.8.3, 18.7.3, and 18.6.5 for GitLab Community Edition and Enterprise Edition.
This patch release delivers a set of targeted fixes focused on reliability, entitlement handling, and feature-flag consistency across GitLab Duo Agent Platform deployments.
The updates reflect real-world usage across diverse environments and usage models, and are part of the normal hardening cycle for a platform that integrates deeply with GitLab workflows, identity, and usage controls. Core agent capabilities and behaviors are unchanged. This patch release does not include any security fixes.
GitLab Community Edition and Enterprise Edition
18.8.3
- Backport of 'Pass user id to workflow service'
- Backport of 'Unlock Duo Workflow foundational flows from experimental features'
- Backport of 'Fix enforced_scans sync with inject_policy'
- Backport of "Open service desk issues and tickets on boards in legacy view instead of drawer"
- Backport of "Add info on UI for new Ticket work item type"
- [Backport] Fix missing 'Open the file to view all results' link in Zoekt
- Refactor Redis TLS options parsing to fix ActionCable configuration
- Backport of 'Fix route constraint for Credits dashboards'
- Backport of 'Fix Zoekt filter order to avoid performance regression' to 18.8
- Backport: Allow to better debug initialize connection
- Backport of 'Integrate work items into chat notifications as issue events'
- Backport of "Fixes preserving external author on work item move and clone"
- [Backport] Remove search api preload for commits scope
- Backport of "Regenerate openapi docs"
18.7.3
- Backport of 'Add FF to toggle namespace filtering for Duo Chat data'
- Backport of 'Remove duo_workflow_in_ci Feature Flag'
- Backport of 'Remove duo_workflow Feature Flag'
- Backport of 'Pass user id to workflow service'
- Backport of 'Fix enforced_scans sync with inject_policy'
- Backport of 'Fix Zoekt filter order to avoid performance regression'
- [Backport] Remove search api preload for commits scope
- [18.7] Only check optional ActionCable Redis instance if necessary
18.6.5
- Backport of 'Pass user id to workflow service'
- Fix MergeRequestDiff.verifiables scope
Important notes on upgrading
This version does not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure file, which is only used for updates.
Updating
To update, check out our update page.
GitLab subscriptions
Access to GitLab Premium and Ultimate features is granted by a paid subscription.
Alternatively, sign up for GitLab.com to use GitLab's own infrastructure.
Original source
- Jan 29, 2026
- Date parsed from source:Jan 29, 2026
- First seen by Releasebot:Jan 16, 2026
- Modified by Releasebot:Mar 29, 2026
GitLab 18.8 Historical release
Gitlab releases 18.8 with expanded security and AI capabilities, including centralized credential management for group owners, broader Advanced SAST and container scanning support, new Duo agents, and updates to GitLab Runner.
Milestone 18.8: 1266 issues (1195 closed, 71 open), 94% complete.
Links: GitLab 18.8 release post, Release notes
12 new features
Software supply chain security
- Centralized credential management API for group owners (SaaS only) : System Access
- Group Owners can disable SSH keys for enterprise users (SaaS only) : System Access
Ultimate (4 new features)
Application security testing
- C/C++ support in Advanced SAST now generally available : SAST
- Multiple Container Scanning : Container Scanning
Software supply chain security
- GitLab Duo Security Analyst Agent now generally available : Vulnerability Management , Dependency Management
Security risk management
- Auto-dismiss irrelevant vulnerabilities with vulnerability management policies : Security Policy Management
Premium (5 new features)
- GitLab Duo Agent Platform now generally available : Duo Agent Platform
- Turn the GitLab Duo Agent Platform on or off : Duo Agent Platform
- Group access control for GitLab Duo features : Duo Agent Platform
- GitLab Duo Agent Platform for GitLab Duo Self-Hosted (offline licensing) now generally available (self-managed only) : Self-Hosted Models
Plan
- GitLab Duo Planner Agent now generally available : Portfolio Management
Core (1 new feature)
Verify
- GitLab Runner 18.8 : GitLab Runner Core
- Jan 21, 2026
- Date parsed from source:Jan 21, 2026
- First seen by Releasebot:Jan 21, 2026
GitLab Patch Release: 18.8.2, 18.7.2, 18.6.4
GitLab rolls out patch releases 18.8.2, 18.7.2, and 18.6.4 for CE and EE with important security fixes and bug fixes. Upgrading is strongly recommended for self-managed deployments; GitLab.com is already patched. Includes upgrade notes and backports for safer, zero-downtime multi-node upgrades.
Learn more about GitLab Patch Release: 18.8.2, 18.7.2, 18.6.4 for GitLab Community Edition (CE) and Enterprise Edition (EE).
Today, we are releasing versions 18.8.2, 18.7.2, 18.6.4 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab's release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
Recommended Action
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
Security fixes
Table of security fixes
| Title | Severity |
| --- | --- |
| Denial of Service issue in Jira Connect integration impacts GitLab CE/EE | High |
| Incorrect Authorization issue in Releases API impacts GitLab CE/EE | High |
| Unchecked Return Value issue in authentication services impacts GitLab CE/EE | High |
| Infinite Loop issue in Wiki redirects impacts GitLab CE/EE | Medium |
| Denial of Service issue in API endpoint impacts GitLab CE/EE | Medium |
CVE-2025-13927 - Denial of Service issue in Jira Connect integration impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to create a denial of service condition by sending crafted requests with malformed authentication data.
Impacted Versions: GitLab CE/EE: all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2025-13928 - Incorrect Authorization issue in Releases API impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to cause a denial of service condition by exploiting incorrect authorization validation in API endpoints.
Impacted Versions: GitLab CE/EE: all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2026-0723 - Unchecked Return Value issue in authentication services impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an individual with existing knowledge of a victim's credential ID to bypass two-factor authentication by submitting forged device responses.
Impacted Versions: GitLab CE/EE: all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2
CVSS 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
Thanks ahacker1 for reporting this vulnerability through our HackerOne bug bounty program.
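The "unchecked return value" bug class behind CVE-2026-0723, as an added example: this is not GitLab's code and does not reproduce the actual defect in GitLab's authentication services. The device protocol is a constructed HMAC stand-in for a real WebAuthn assertion (a genuine device answers the server's challenge under a key only it holds); the registration store, credential ID and key are constructed. The point is the shape of the flaw: the signature check runs, but its boolean result is discarded, so anyone who knows a registered credential ID passes with a forged response.

```python
"""Unchecked return value in a second-factor check, illustrated.

Added example for this advisory. Not GitLab's code. The device protocol is a
constructed HMAC stand-in for a WebAuthn assertion; REGISTERED is a
constructed credential store.
"""
import hashlib
import hmac
import os

# Constructed registration store: credential ID -> device key. A real FIDO
# deployment stores a public key; a shared secret keeps this demo offline.
REGISTERED = {"cred-7f3a": b"constructed-device-key"}


def make_challenge() -> bytes:
    """Fresh per-login challenge so a captured response cannot be replayed."""
    return os.urandom(32)


def authenticator_sign(device_key: bytes, challenge: bytes) -> bytes:
    """What a genuine device does with the challenge."""
    return hmac.new(device_key, challenge, hashlib.sha256).digest()


def check_device_response(credential_id: str, challenge: bytes, signature: bytes) -> bool:
    """Verify the response for this credential. Unknown credential -> False."""
    key = REGISTERED.get(credential_id)
    if key is None:
        return False
    expected = authenticator_sign(key, challenge)
    return hmac.compare_digest(expected, signature)  # constant-time compare


def verify_second_factor_vulnerable(credential_id: str, challenge: bytes, signature: bytes) -> bool:
    """The bug class: the check is performed, but its result is dropped.
    Knowing a registered credential ID is then sufficient; the signature is
    never enforced, so a forged device response completes 2FA."""
    if credential_id not in REGISTERED:
        return False
    check_device_response(credential_id, challenge, signature)  # result ignored
    return True


def verify_second_factor_fixed(credential_id: str, challenge: bytes, signature: bytes) -> bool:
    """Fail closed: the boolean from the check IS the decision."""
    return check_device_response(credential_id, challenge, signature)


if __name__ == "__main__":
    challenge = make_challenge()
    genuine = authenticator_sign(REGISTERED["cred-7f3a"], challenge)
    forged = os.urandom(32)  # attacker knows only the credential ID
    print("vulnerable, forged:", verify_second_factor_vulnerable("cred-7f3a", challenge, forged))  # True
    print("fixed, forged:     ", verify_second_factor_fixed("cred-7f3a", challenge, forged))       # False
    print("fixed, genuine:    ", verify_second_factor_fixed("cred-7f3a", challenge, genuine))      # True
```

The defensive habit this shows is to make verification helpers return the decision and to let callers return that value directly; linters that flag unused boolean results (and a negative test with a forged response) catch the vulnerable shape before release.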
CVE-2025-13335 - Infinite Loop issue in Wiki redirects impacts GitLab CE/EE
GitLab has remediated an issue that under certain circumstances could have allowed an authenticated user to create a denial of service condition by configuring malformed Wiki documents that bypass cycle detection.
Impacted Versions: GitLab CE/EE: all versions from 17.1 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks sim4n6 for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2026-1102 - Denial of Service issue in API endpoint impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to create a denial of service condition by sending repeated malformed SSH authentication requests.
Impacted Versions: GitLab CE/EE: all versions from 12.3 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2
CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
This vulnerability was discovered internally by GitLab team member Thiago Figueiró.
Bug fixes
18.8.2
• Backport of Make external agent configurations GA
• Backport Remove GitLab Dedicated support for semantic search until it's available
• Backport of '18.8.0: Merge Request reviewer dropdown crashes and does not send request'
• Backport of 'Pass user id to workflow service'
• Backport of rake task to seed AI Catalogs with external agents
• Backport of Separate policy logic for AI Catalog Flows and Foundational Flows
18.7.2
• Backport of Fix logic for fetching occurrences related to vulnerabilities
• Backport of "Removes feature flag enablement for svc accounts"
• Backport of flaky import spec quarantine
• Backport 18.7 - Fix searchable dropdown race condition when typing fast
• Backport of Recreate p_sent_notifications.reply_key index
• Fix container_repositories index repair to handle 1-to-1 relationship
• [18.7] Fix migration health check endpoint
• Backport of 'Fix soft wrap not working due to accessibilitySupport conflict'
• Backport of 'Fix git push error for remote flows in self-managed instances'
• [Backport 18.7] Exclude Git LFS paths from Git HTTP throttling
• Backport of Correct Code Review Flow history for beta
• Backport of 'Fix Duo Chat button visibility for Amazon Q'
• Backport Allow user namespaces to be indexed in Zoekt for self-managed
• Backport of 'Disable Sidekiq retries for ClickHouse pipeline/build sync workers'
• Backport of 'Disable async_insert in build and pipeline sync operations'
• 18.7 - Remove manual from SLES-12.5-release-pulp job
18.6.4
• Backport of "Removes feature flag enablement for svc accounts"
• Backport of flaky import spec quarantine
• Backport 18.6 - Fix searchable dropdown race condition when typing fast
• Fix container_repositories index repair to handle 1-to-1 relationship
• Backport of 'Fix soft wrap not working due to accessibilitySupport conflict'
• Backport of 'Fix git push error for remote flows in self-managed instances'
• [Backport 18.6] Exclude Git LFS paths from Git HTTP throttling
• Backport-Allow user namespaces to be indexed in Zoekt for self-managed
• Backport of 'Disable Sidekiq retries for ClickHouse pipeline/build sync workers'
• Backport of 'Disable async_insert in build and pipeline sync operations'
• 18.6 - Remove manual from SLES-12.5-release-pulp job
• Start Pulp FIPS jobs after PC FIPS jobs - 18.6
• [CI] Fix the builder image tags for the check-packages jobs 18-6
Important notes on upgrading
This patch includes database migrations that may impact your upgrade process.
Impact on your installation:
• Single-node instances: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.
• Multi-node instances: With proper zero-downtime upgrade procedures, this patch can be applied without downtime.
Post-deploy migrations
The following versions include post-deploy migrations that can run after the upgrade:
• 18.7.2
To learn more about the impact of upgrades on your installation, see:
• Zero-downtime upgrades for multi-node deployments
• Standard upgrades for single-node installations
Updating
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
Receive Patch Notifications
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
Original source