Gitlab Release Notes

Learn more about GitLab Patch Release: 18.6.1, 18.5.3, 18.4.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).

Today, we are releasing versions 18.6.1, 18.5.3, 18.4.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.

Security fixes

Table of security fixes

• Race condition issue in CI/CD cache impacts GitLab CE/EE (High)
• Denial of Service issue in JSON input validation middleware impacts GitLab CE/EE (High)
• Authentication bypass issue in account registration impacts GitLab CE/EE (Medium)
• Denial of Service issue in HTTP response processing impacts GitLab CE/EE (Medium)
• Improper authorization issue in markdown rendering impacts GitLab EE (Medium)
• Information disclosure issue in terraform registry impacts GitLab CE/EE (Low)

Details of vulnerabilities with CVE identifiers and impact versions are provided.

Bug fixes

18.6.1

• Bump Container Registry to v4.31.1-gitlab
• Fix custom role approvers lookup for inherited users
• Fix /admin/sidekiq not loading CSS assets in Cloud Native GitLab
• Rollout search_glql_use_routing flag
• Fix BackfillTimelogsNamespace finalization order
• Move OAuth suite to test-on-cng
• Fix commitsCount variable name
• Quarantine long fast quarantined e2e tests
• Updating subscription tier for Security Analyst feature
• Fix merge request widget polling race condition
• Enable rails recipies by default [18.6 Backport]
• Add nginx['default_server_enabled'] configuration parameter
• EL10 requires SELinux and perl packages

18.5.3

• Zoekt rollout is not working properly if there is a single zoekt node available
• Move support for license name to EE
• Fix missing gitaly_context forward in BranchPushService
• Split refresh worker into new workers
• Add FF to eagerly resume jobs
• Ensure project authorizations are updated on imported inheriting project memberships
• Quarantine long time fast quarantined specs 18-5
• Fix tags api first page pagination with search
• Relax blobs complexity in favor of limiting data
• Prevent duplicate '?' in Download directory URL
• Update duo workflow service gem to 0.5
• Fix custom role approvers lookup for inherited users
• Fix /admin/sidekiq not loading CSS assets in Cloud Native GitLab
• Support nested variables expention in rules:if
• Quarantine long fast quarantined e2e tests
• Fix merge request widget polling race condition
• Enable rails recipies by default [18.5 Backport]
• Add nginx['default_server_enabled'] configuration parameter
• Fix-registry-commands-permission-for-non-docker

18.4.5

• Zoekt rollout is not working properly if there is a single zoekt node available
• Move support for license name to EE
• Quarantine long time fast quarantined specs 18-4
• Quarantine wiki specs 18-4
• Fix tags api first page pagination with search
• Relax blobs complexity in favor of limiting data
• Fix /admin/sidekiq not loading CSS assets in Cloud Native GitLab
• Quarantine long fast quarantined e2e tests
• Bump eventmachine-tail gem to version 0.6.6
• Enable rails recipies by default [18.4 Backport]
• Fix-registry-commands-permission-for-non-docker

Important notes on upgrading

This patch includes database migrations that may impact your upgrade process.

Impact on your installation:

• Single-node instances: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.
• Multi-node instances: With proper zero-downtime upgrade procedures, this patch can be applied without downtime.

Post-deploy migrations

The following versions include post-deploy migrations that can run after the upgrade:

• 18.6.1

To learn more about the impact of upgrades on your installation, see:

• Zero-downtime upgrades for multi-node deployments
• Standard upgrades for single-node installations

Updating

To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.

Receive Patch Notifications

To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.

GitLab Patch Release: 18.6.1, 18.5.3, 18.4.5 via @gitlab Click to tweet!

Original source Report a problem

GitLab Patch Release: 18.5.2, 18.4.4, 18.3.6 for GitLab Community Edition (CE) and Enterprise Edition (EE)

Learn more about GitLab Patch Release: 18.5.2, 18.4.4, 18.3.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

Today, we are releasing versions 18.5.2, 18.4.4, 18.3.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.

GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.

For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.

Security fixes

Title Severity Cross-site scripting issue in k8s proxy impacts GitLab CE/EE High Incorrect Authorization issue in workflows impacts GitLab EE Medium Information Disclosure issue in GraphQL subscriptions impacts GitLab CE/EE Medium Information Disclosure issue in access control impacts GitLab CE/EE Medium Prompt Injection issue in GitLab Duo review impacts GitLab EE Low Information Disclosure issue in packages API endpoint impacts GitLab CE/EE Low Client Side Path Traversal issue in branch names impacts GitLab EE Low Improper Access Control issue in GitLab Pages impacts GitLab CE/EE Low Denial of service issue in markdown impacts GitLab CE/EE Low CVE-2025-11224 - Cross-site scripting issue in k8s proxy impacts GitLab CE/EE - GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes proxy functionality. - Impacted Versions: GitLab CE/EE: all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 - CVSS 7.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N) - Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program - CVE-2025-11865 - Incorrect Authorization issue in workflows impacts GitLab EE - GitLab has remediated an issue that, under certain circumstances, could have allowed a user to remove Duo flows of another user. - Impacted Versions: GitLab EE: all versions from 18.1 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 - CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) - This vulnerability has been discovered internally by GitLab team member Dylan Griffith. - CVE-2025-2615 - Information Disclosure issue in GraphQL subscriptions impacts GitLab CE/EE - GitLab has remediated an issue that could have allowed a blocked user to access sensitive information by establishing GraphQL subscriptions through WebSocket connections. - Impacted Versions: GitLab CE/EE: all versions from 16.7 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 - CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) - Thanks rogerace for reporting this vulnerability through our HackerOne bug bounty program. - CVE-2025-7000 - Information Disclosure issue in access control impacts GitLab CE/EE - GitLab has remdiated an issue in GitLab CE/EE that under specific conditions, could have allowed unauthorized users to view confidential branch names by accessing project issues with related merge requests. - Impacted Versions: GitLab CE/EE: all versions from 17.6 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 - CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) - Thanks weasterhacker for reporting this vulnerability through our HackerOne bug bounty program - CVE-2025-6945 - Prompt Injection issue in GitLab Duo review impacts GitLab EE - GitLab has remediated an issue that could have allowed an authenticated user to leak sensitive information from confidential issues by injecting hidden prompts in merge request comments. - Impacted Versions: GitLab EE: all versions from 17.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 - CVSS 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N) - Thanks rogerace for reporting this vulnerability through our HackerOne bug bounty program - CVE-2025-11990 - Client Side Path Traversal issue in branch names impacts GitLab EE - GitLab has remediated an issue that could have allowed an authenticated user to gain CSRF tokens by exploiting improper input validation in repository references combined with redirect handling weaknesses. - Impacted Versions: GitLab EE: all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 - CVSS 3.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N) - Thanks swiftee for reporting this vulnerability through our HackerOne bug bounty program - CVE-2025-6171 - Information Disclosure issue in packages API endpoint impacts GitLab CE/EE - GitLab has remediated an issue that could have allowed an authenticated user with reporter access to view branch names and pipeline details by accessing the packages API endpoint even when repository access was disabled. - Impacted Versions: GitLab CE/EE: all versions from 13.2 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 - CVSS 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) - Thanks iamgk808 for reporting this vulnerability through our HackerOne bug bounty program - CVE-2025-7736 - Improper Access Control issue in GitLab Pages impacts GitLab CE/EE - GitLab has remediated an issue that could have allowed an authenticated user to bypass access control restrictions and view GitLab Pages content intended only for project members by authenticating through OAuth providers. - Impacted Versions: GitLab CE/EE: all versions from 17.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 - CVSS 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) - Thanks mateuszek for reporting this vulnerability through our HackerOne bug bounty program - CVE-2025-12983 - Denial of service issue in markdown impacts GitLab CE/EE - GitLab has remediated an issue that could have allowed an authenticated user to cause a denial of service condition by submitting specially crafted markdown content with nested formatting patterns. - Impacted Versions: GitLab CE/EE: all versions from 16.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 - CVSS 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L) - Thanks phli for reporting this vulnerability through our HackerOne bug bounty program -

libxslt security updates

libxslt has been updated to version 1.1.43 which contains fixes for security vulnerabilities including CVE-2024-55549 and CVE-2025-24855

Bug fixes

18.5.2

• [18.5] Backport of "Rails: Add explicit ClickHouse check skip"
• Backport of 'rf-disable-sec-attribute-feature-flags'
• Backport E2E test: fix create project web ui 18-5
• 18.5 Backport of 'Fix query for finding existing Jira issues for vulnerabilities'
• Backport of 'Filter out group-level rules from details page'
• [18.5] Reduce cached SQL queries in /api/v4/internal/pages endpoint
• [18.5] Update dependency openssl to v3.3.2
• Update dependency simplecov-cobertura to v3
• Backport of Fix password validation exception for FIPS
• Backport of 'Fix admin_project_member policy for SAML projects related to user namespaces'
• Backport of 'Web Agentic Chat: fix calling workflowGoal on undefined'
• [Backport 18.5] Turn off Duo core widget for self-managed
• Backport of 'Fix status mapping evaluation for non-persisted current status records'
• [18.5] Upgrade Rack to 2.2.20
• Backport of Elastic rake tasks projects_not_indexed and index_projects_status could be confusing
• Backport of 'Add deleted Geo migration back'
• Backport of Allow Legacy FIPS instances to Upgrade Oauth secerets
• Backport of Zoekt Exclude forks and Include archived filters in the cache key
• [Backport 18.5] Clear tracking queues when recreating index from scratch
• [18.5 Backport] Delete failed reindexing indexes created over 30 days ago
• Backport of 'Fix redirect loop in Gitea rate limit`
• [18.5 Backport] Set http_continue_timeout to nil for s3 client
• [18.5] Fix background migration when Ghost user is missing
• Backport Support Jira Cloud and Server issue fetching
• [18.5] Fix test failure by adjusting dates to match partition range
• Backport 'Revert merge trains changes to getState GraphQL query'
• Backport 'Update merge request widget polling timeout intervals'
• [18.5] Downgrade Zeitwerk to 2.6.18
• [Backport/18.5] of Fix instance bbm for mishandled nil verification token
• Fix NGINX not routing traffic to the right server
• [18.5] Uninstall rexml 3.4.0 and ensure 3.4.4 is used
• Update redis to v7.2.11
• Bump eventmachine-tail gem to version 0.6.6
• [18.5] Upgrade Rack to 2.2.20

18.4.4

• [18.4] Backport of "Rails: Add explicit ClickHouse check skip"
• [18.4] Reduce cached SQL queries in /api/v4/internal/pages endpoint
• [18.4] Update dependency openssl to v3.3.2
• Backports branch 'tachyons-remove-ff-sha512-oauth' into 'master'
• [18.4] Update rexml to v3.4.4
• Backport of Fix password validation exception for FIPS
• Backport of 'Fix admin_project_member policy for SAML projects related to user namespaces'
• [Backport 18.4] Turn off Duo core widget for self-managed
• [18.4] Upgrade Rack to 2.2.20
• Backport of Elastic rake tasks projects_not_indexed and index_projects_status could be confusing
• Backport of 'Add deleted Geo migration back'
• Backport of 'Fix: prevent duplicate '?' in Download directory URL (use '&' for extra params)'
• Backport of Allow Legacy FIPS instances to Upgrade Oauth secrets
• Backport of 'Fix redirect loop in Gitea rate limit'
• [18.4 Backport] Set http_continue_timeout to nil for s3 client
• Backport of Update Jira integration to use token-based pagination and Support Jira Cloud and Server issue fetching
• Backport 'Revert merge trains changes to getState GraphQL query'
• Backport of Zoekt Exclude forks and Include archived filters in the cache key
• Backport 'Update merge request widget polling timeout intervals'
• [Backport/18.4] of Fix instance bbm for mishandled nil verification token
• [18.4] Uninstall rexml 3.4.0 and ensure 3.4.4 is used
• Update redis to v7.2.11
• [18.4] Upgrade Rack to 2.2.20

18.3.6

• [18.3] Reduce cached SQL queries in /api/v4/internal/pages endpoint
• [18.3] Update dependency openssl to v3.3.2
• [18.3] Update rexml to v3.4.4
• [18.3] Upgrade Rack to 2.2.20
• [18.3 Backport] Set http_continue_timeout to nil for s3 client
• Backport of 'Fix redirect loop in Gitea rate limit'
• Backport of Update Jira integration to use token-based pagination and Support Jira Cloud and Server issue fetching
• [18.3] Uninstall rexml 3.4.0 and ensure 3.4.4 is used
• Update redis to v7.2.11
• [18.3] Upgrade Rack to 2.2.20

Important notes on upgrading

This patch includes database migrations that may impact your upgrade process.

Impact on your installation:

• Single-node instances: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.
• Multi-node instances: With proper zero-downtime upgrade procedures, this patch can be applied without downtime.

Post-deploy migrations

The following versions include post-deploy migrations that can run after the upgrade:

• 18.5.2
• 18.4.4

To learn more about the impact of upgrades on your installation, see:

• Zero-downtime upgrades for multi-node deployments
• Standard upgrades for single-node installations

Updating

To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.

Receive Patch Notifications

To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.

GitLab Patch Release: 18.5.2, 18.4.4, 18.3.6 via @gitlab Click to tweet!

Original source Report a problem

GitLab 18.6 release post

Release notes

• 25 new features
• 4051 total badges
• Software supply chain security
• Group Owners can update primary emails for enterprise users (SaaS only) : System Access
• Ultimate
• 5 new features
• 697 total badges
• Software supply chain security
• GitLab Security Analyst Agent available as a foundational agent : Vulnerability Management , Dependency Management
• Security risk management
• Security dashboard upgrade (beta on GitLab.com) : Vulnerability Management
• Warn mode in merge request approval policies (Beta) : Security Policy Management
• Security attributes (Beta) : Security Asset Inventories
• Exceptions to bypass merge request approval policies : Security Policy Management
• Premium
• 7 new features
• 779 total badges
• Exact code search in limited availability : Global Search
• GitLab MCP server available in beta : MCP Server
• Advanced search available for both issue descriptions and comments : Global Search
• Gemini 2.5 Flash model compatible with GitLab Duo Agent Platform for GitLab Duo Self-Hosted (self-managed only) : Self-Hosted Models
• Plan
• GitLab Duo Planner Agent now available by default : Team Planning
• Create
• Code Owners now supports inherited group memberships : Code Review Workflow , Source Code Management
• Webhook triggers for system-initiated approval resets : Code Review Workflow
• Core
• 12 new features
• 2454 total badges
• Rate limit for listing project and group members : Groups & Projects
• Plan
• The new GitLab UI: Designed for productivity : Design Management
• Create
• Toggle draft merge request visibility on your homepage : Code Review Workflow
• New GitLab CLI features and improvements : GitLab CLI
• Webhook notifications for merge request review re-requests : Code Review Workflow
• Web IDE support for offline GitLab Self-Managed environments (self-managed only) : Web IDE , Editor Extensions
• Verify
• CI/CD Components can reference their own metadata : Pipeline Composition
• Support dynamic job dependencies in needs:parallel:matrix : Pipeline Composition
• GitLab Runner 18.6 : GitLab Runner Core
• Package
• Helm chart registry: No more 1,000 chart limit : Package Registry
• Application security testing
• Increased rule coverage for secret push protection and pipeline secret detection : Secret Detection
• Software supply chain security
• Designate an account succession beneficiary (SaaS only) : System Access

Original source Report a problem

Milestone

18.5

Issues

2077

Open:
176

• Closed:
  1901

Assets

5

Source code (zip) Download
Source code (tar.gz) Download
Source code (tar.bz2) Download
Source code (tar) Download

Other

GitLab 18.5 release post

Release notes

• 33 new features
• 3906 total badges
• Ultimate
• 16 new features
• 692 total badges
• Application security testing
• DAST authentication scripts : DAST
• C/C++ support for Advanced SAST : SAST
• Secret validity checks is in beta : Secret Detection
• Customizable detection logic for Advanced SAST : SAST
• Advanced SAST diff-based scanning in merge requests : SAST
• Dependency scanning in limited availability : Software Composition Analysis
• Static reachability in limited availability and experimental Java support : Software Composition Analysis
• Software supply chain security
• GitLab Security Analyst Agent for Duo Agent Catalog (beta) : Vulnerability Management , Dependency Management
• Instance-wide compliance and security policy management (self-managed only) : Compliance Management , Security Policy Management
• New vulnerability management features in GitLab Duo Agentic Chat : Vulnerability Management , Dependency Management
• Control requests for external control statuses : Compliance Management
• Show only active vulnerabilities in the dependency list : Dependency Management
• Security risk management
• Expose original severity from the vulnerabilities API : Vulnerability Management
• Time windows for merge request approval policies : Security Policy Management
• Refreshed security finding statuses in the pipeline Security tab : Vulnerability Management
• Exceptions to bypass merge request approval policies : Security Policy Management
• Premium
• 8 new features
• 772 total badges
• GPT-5 now available as a model option for GitLab Duo Agentic Chat : Model Personalization
• Additional triggers for CLI agents : Duo Agent Platform
• GitLab Duo Agent Platform for GitLab Duo Self-Hosted now in beta (self-managed only) : Self-Hosted Models
• Codestral now supported for GitLab Duo Chat (Classic) (self-managed only) : Self-Hosted Models
• GPT OSS Models compatible with GitLab Duo Agent Platform for GitLab Duo Self-Hosted (self-managed only) : Self-Hosted Models
• Plan
• GitLab Duo Planner, a specialized agent and Product Manager team member (beta) : Portfolio Management
• Configure status lifecycles for issues and tasks : Team Planning
• Package
• Maven virtual registry now available in beta : Virtual Registry
• Core
• 9 new features
• 2442 total badges
• Pick up where you left off on the new personal homepage : Navigation
• Enhanced Admin area groups list (self-managed only) : Groups & Projects
• Updated navigation experience for groups : Groups & Projects
• Improved inactive item management for groups and projects : Groups & Projects
• Plan
• Format markdown tables in the plain text editor : Markdown
• View child task completion in issues : Team Planning
• Verify
• Variable expansion in environment deployment_tier : Environment Management
• GitLab Runner 18.5 : GitLab Runner Core
• Application security testing
• Increased rule coverage for secret push protection and pipeline secret detection : Secret Detection

Original source Report a problem

Learn more about GitLab Patch Release: 18.5.1, 18.4.3, 18.3.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
Today, we are releasing versions 18.5.1, 18.4.3, 18.3.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.

Security fixes

Table of security fixes

• Improper access control issue in runner API impacts GitLab EE (High)
• Denial of service issue in event collection impacts GitLab CE/EE (High)
• Denial of service issue in JSON validation impacts GitLab CE/EE (High)
• Denial of service issue in upload impacts GitLab CE/EE (Medium)
• Incorrect Authorization issue in pipeline builds impacts GitLab CE (Medium)
• Business logic error issue in group memberships impacts GitLab EE (Low)
• Missing authorization issue in quick actions impacts GitLab EE (Low)

CVE-2025-11702 - Improper access control issue in runner API impacts GitLab EE

GitLab has remediated an issue that could have allowed an authenticated user with specific permissions to hijack project runners from other projects.
Impacted Versions: GitLab EE: all versions from 17.1 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1
CVSS 8.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
Thanks iamgk808 for reporting this vulnerability through our HackerOne bug bounty program

CVE-2025-10497 - Denial of service issue in event collection impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an unauthenticated user to cause a denial of service condition by sending specially crafted payloads.
Impacted Versions: GitLab CE/EE: all versions from 17.10 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program

CVE-2025-11447 - Denial of service issue in JSON validation impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an unauthenticated user to cause a denial of service condition by sending GraphQL requests with crafted JSON payloads.
Impacted Versions: GitLab CE/EE: all versions from 11.0 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program

CVE-2025-11974 - Denial of service issue in upload impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an unauthenticated user to create a denial of service condition by uploading large files to specific API endpoints.
Impacted Versions: GitLab CE/EE: all versions from 11.7 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
This vulnerability has been discovered internally by GitLab team member David Fernandez

CVE-2025-11971 - Incorrect Authorization issue in pipeline builds impacts GitLab CE

GitLab has remediated an issue that could have allowed an authenticated user to trigger unauthorized pipeline executions by manipulating commits.
Impacted Versions: GitLab EE: all versions from 10.6 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N)

CVE-2025-6601 - Business logic error issue in group memberships impacts GitLab EE

GitLab has remediated an issue that under certain conditions could have allowed authenticated users to gain unauthorized project access by exploiting the access request approval workflow.
Impacted Versions: GitLab EE: all versions from 18.4 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1
CVSS 3.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N)
Thanks rhidayahh for reporting this vulnerability through our HackerOne bug bounty program

CVE-2025-11989 - Missing authorization issue in quick actions impacts GitLab EE

GitLab has remediated an issue that could have allowed an authenticated user to execute unauthorized quick actions by including malicious commands in specific descriptions.
Impacted Versions: GitLab EE: all versions from 17.6 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1
CVSS 3.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)
This vulnerability has been discovered internally by GitLab team member Eva Kadlecová

Bug fixes

18.5.1

• [18.5] Downgrade redis-rb gem to v5.4.0
• [18.5] Fix connection pool errors when health check is running
• Backport: Test: dismiss duo popover
• Backport of 'Fix work item status fallback to use lifecycle-aware default'
• Support stable branch pipelines (18.5 backport)

18.4.3

• pgbouncer: Use new bitnamilegacy container registry (18.4 backport)
• [18.4] Revert discarded database pool check in load balancer
• Backport 'Fix group wiki inaccessible after deleting and creating group with the same name'
• Backport ElasticIndexBulkCronWorker throwing NoMethodError for epics
• [18.4] Fix Geo routes leaking to other specs
• Backport Allow Zoekt in Search API for blobs scope when Elasticsearch disabled
• Backport fix-agentic-chat-service-url-for-shm for 18.4 EE
• Backport Zoekt Kaminari raises an exception if total_count gets negative
• Backport (18.4) "Update dependency @gitlab/web-ide to ^0.0.1-dev-20250925110326"
• Backport branch 'sh-fix-login-issues-ubuntu-fips' into 'master'
• Backport "Improve performance of ready to merge GraphQL query"
• [18.4] Fix flaky callout dismissal specs
• Backport: Ensure consistent approval permissions between UI, API and graphql
• Backport of 'Show whitespace message when there's nothing to show'
• [18.4] Downgrade redis-rb gem to v5.4.0
• [18.4] Fix connection pool errors when health check is running
• Backport 'Remove available auto merge strategies from ready to merge query'
• 18.4 Backport of 'Fix query for finding existing Jira issues for vulnerabilities'
• Backport: Test: dismiss duo popover
• Support stable branch pipelines (18.4 backport)

18.3.5

• pgbouncer: Use new bitnamilegacy container registry (18.3 backport)
• [18.3] Prevent session creation for sessionless users
• Backport of 'Fix Start free trial link for self-managed instances'
• Backport 'Fix SlackIntegration duplicate bug when inheriting from parent' to 18.3
• Backport ElasticIndexBulkCronWorker throwing NoMethodError for epics
• Backport of 'Recreate SlackIntegration records on descendant integration on update'
• [18.3] Fix json validation for elasticsearch_aws_role_arn
• [18.3] Fix flaky callout dismissal specs
• [18.3] Fix Geo routes leaking to other specs
• Backport (18.3) "Update dependency @gitlab/web-ide to ^0.0.1-dev-20250925110326"
• Backport of 'Show whitespace message when there's nothing to show'
• [18.3] Downgrade redis-rb gem to v5.4.0
• Backport: Test: dismiss duo popover 18-3
• Support stable branch pipelines (18.3 backport)

Important notes on upgrading

These versions do not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure file, which is only used for updates.

Updating

To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.

Receive Patch Notifications

To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.

Original source Report a problem

Added (1 change)

• Remove check_f02a3f53bf not null constraint

Fixed (3 changes)

• Prevent session creation for sessionless users
• Remove non Saas instances from calling CDOT for trial duration GitLab Enterprise Edition
• Transfer start and due dates data upon work item move or clone

Security (5 changes)

• Log JSON bytesize as well (merge request)
• Adjust complexity for blob data fields (merge request)
• Some mutations have read_api scope (merge request)
• Reject irrelevant 1xx responses (merge request)
• Restrict manual variables to explicit guests in internal projects (merge request)

Original source Report a problem

GitLab Patch Release: 18.4.2, 18.3.4, 18.2.8

Learn more about GitLab Patch Release: 18.4.2, 18.3.4, 18.2.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).
Today, we are releasing versions 18.4.2, 18.3.4, 18.2.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.

Security fixes

Table of security fixes
Title Severity
Incorrect authorization issue in GraphQL mutations impacts GitLab EE High
Denial of Service issue in GraphQL blob type impacts GitLab CE/EE High
Missing authorization issue in manual jobs impacts GitLab CE/EE Medium
Denial of Service issue in webhook endpoints impacts GitLab CE/EE Medium
CVE-2025-11340 - Incorrect authorization issue in GraphQL mutations impacts GitLab EE
GitLab has remediated an issue that, under certain conditions, could have allowed authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records by exploiting incorrectly scoped GraphQL mutations.
Impacted Versions: GitLab EE: all versions from 18.3 to 18.3.4, 18.4 to 18.4.2
CVSS: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N)
This vulnerability has been discovered internally by GitLab team member Brian Williams.
CVE-2025-10004 - Denial of Service issue in GraphQL blob type impacts GitLab CE/EE
GitLab has remediated an issue that could make the GitLab instance unresponsive or degraded by sending crafted GraphQL queries requesting large repository blobs.
Impacted Versions: GitLab CE/EE: all versions from 13.12 to 18.2.8, 18.3 to 18.3.4, and 18.4 to 18.4.2
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2025-9825 - Missing authorization issue in manual jobs impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed authenticated users without project membership to view sensitive manual CI/CD variables by querying the GraphQL API.
Impacted Versions: GitLab CE/EE: all versions from 13.7 to 18.2.8, 18.3 before 18.3.4, and 18.4 before 18.4.2
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2025-2934 - Denial of Service issue in webhook endpoints impacts GitLab CE/EE
GitLab has remediated an issue impacting an upstream Ruby Core library that could have allowed an authenticated user to create a denial of service condition by configuring malicious webhook endpoints that send crafted HTTP responses. This issue was reported to Ruby Core maintainers on July 17, 2025.
Impacted Versions: GitLab CE/EE: all versions from 5.2 prior to 18.2.8, 18.3 prior to 18.3.4, and 18.4 prior to 18.4.2
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
Thanks ppee for reporting this vulnerability through our HackerOne bug bounty program.

Bug fixes

18.4.2

• Backport of 'Added safety chaining to pipeline helper'
• Workhorse: Improve large HTTP handling for DWS proxy
• Backport of 'Fix: no implicit conversion of String into Array' in Geo::Event workers
• Backport: Fix agentic chat
• [18.4] Clear detached partitions before tests run
• Backport 'Fixes target projects endpoint 404 on compare revisions view'
• Transfer start and due dates data upon work item move or clone
• Backport of 'Fix reassignment dropdown in CE'
• Transfer health status data upon work item move or clone
• Backport of Revert "Merge branch 'ai-catalog-item-consumers-graphql' into 'master'"
• Backport of CI_MERGE_REQUEST_DIFF_BASE_SHA not updating on branch change
• Backport of "Use key-value structure in Release Environment MR label script"
• Backport of 'Fix Start free trial link for self-managed instances'
• Update dependency gitlab-fog-azure-rm to '~> 2.4.0'
• Backport of 'Remove non Saas instances from calling CDOT for trial duration'
• Backport of 'Remove check_f02a3f53bf not null constraint'
• 18.4 backport of 'Remove unknown licenses from sbom dependency list export'
• [18.4] Fix json validation for elasticsearch_aws_role_arn
• Backport: Change the model selection FF used for self managed
• [18.4] Prevent session creation for sessionless users
• Add a gitlab::config alias for package::config recipe
  18.3.4
• Workhorse: Improve large HTTP handling for DWS proxy
• [18.3] Clear detached partitions before tests run
• Backport 'Fixes target projects endpoint 404 on compare revisions view'
• Transfer start and due dates data upon work item move or clone
• Backport of 'Fix reassignment dropdown in CE'
• Transfer health status data upon work item move or clone
• Backport of "Use key-value structure in Release Environment MR label script"
• Update dependency gitlab-fog-azure-rm to '~> 2.4.0'
• Backport of 'Remove non Saas instances from calling CDOT for trial duration'
• 18.3 backport of 'Remove unknown licenses from sbom dependency list export'
• Update docs hugo jobs' image to use latest image
  18.2.8
• [18.2] Allow elastic client adapter to be set
• [18.2] Clear detached partitions before tests run
• Transfer start and due dates data upon work item move or clone
• Backport of 'Fix reassignment dropdown in CE'
• Transfer health status data upon work item move or clone
• Backport of "Use key-value structure in Release Environment MR label script"
• Update dependency gitlab-fog-azure-rm to '~> 2.4.0'
• [18.2] Fix json validation for elasticsearch_aws_role_arn
• 18.2 backport of 'Remove unknown licenses from sbom dependency list export'
• Backport of 'Fix Start free trial link for self-managed instances'
• Update docs hugo jobs' image to use latest image

Important notes on upgrading

This patch includes database migrations that may impact your upgrade process.
Impact on your installation:

• Single-node instances: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.
• Multi-node instances: With proper zero-downtime upgrade procedures, this patch can be applied without downtime.

Post-deploy migrations

The following versions include post-deploy migrations that can run after the upgrade:

• 18.4.2

To learn more about the impact of upgrades on your installation, see:

• Zero-downtime upgrades for multi-node deployments
• Standard upgrades for single-node installations

Updating

To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.

Receive Patch Notifications

To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.

GitLab Patch Release: 18.4.2, 18.3.4, 18.2.8 via @gitlab Click to tweet!

Original source Report a problem

Milestone 18.2

Issues

• Open: 100
• Closed: 2045

Assets

• 5

Source code

• (zip) Download
• (tar.gz) Download
• (tar.bz2) Download
• (tar) Download

Other

GitLab 18.2 release post

Release notes

• 35 new features
• 3814 total badges

Ultimate

• 18 new features
• 661 total badges

Package

• Improve security with immutable container tags (Beta) : Container Registry
• Application security testing
• Container Scanning support for multi-architecture container images : Software Composition Analysis
• Static reachability support for JavaScript : Software Composition Analysis
• Improved support for verifying successful DAST login : DAST
• DAST support for time-based one-time password MFA : DAST
• Software supply chain security
• New group overview compliance dashboard : Compliance Management
• Deactivate streaming to an audit streaming destination : Audit Events
• Filter functionality for all audit streaming destinations : Compliance Management
• Credentials inventory now includes service account tokens : System Access
• Custom admin role in beta (self-managed only) : Permissions
• Security risk management
• Download a PDF export of security reports
• Centralized Security Policy Management (Beta) (self-managed only) : Security Policy Management
• Vulnerability ID added to vulnerability report CSV export
• Reachability filter in the vulnerability report : Vulnerability Management
• Vulnerability GraphQL API returns additional information : Vulnerability Management
• Source branch pattern exceptions for approval policies : Security Policy Management
• Display dependency paths : Dependency Management
• Security Inventory for comprehensive asset visibility now in beta : Security Asset Inventories

Premium

• 9 new features

• 744 total badges

• Duo Agent Platform in the IDE (Beta) : Editor Extensions

• Group and project controls for Premium and Ultimate with GitLab Duo : Code Suggestions , Duo Chat

• Mistral Small now available for GitLab Duo Self-Hosted (self-managed only) : Self-Hosted Models

Plan

• Custom workflow statuses for issues and tasks : Team Planning
• Configure epic display preferences : Portfolio Management
• Open epics in a drawer or the full page on the Epics page : Portfolio Management
• Assign milestones to epics for enhanced long-term planning : Portfolio Management
• Assign epics to team members : Portfolio Management

Create

• Map workspace Kubernetes agents for the instance (self-managed only) : Workspaces

Core

• 8 new features
• 2409 total badges
• Administrators can reassign contributions without user confirmation (self-managed only) : Importers
• Reassign from placeholder users to inactive users (self-managed only) : Importers

Plan

• Sorting and pagination for GLQL views : Wiki , Team Planning
• Work item references and editor improvements for GitLab Flavored Markdown : Markdown

Create

• New merge request homepage : Code Review Workflow

Verify

• GitLab Runner 18.2 : GitLab Runner Core
• Application security testing
• Improved archive file support for Container Scanning : Software Composition Analysis
• Software supply chain security
• Fine-grained permissions for CI/CD job tokens : Permissions
• SSH key security warnings : System Access

Original source Report a problem

GitLab 18.1 release post

Release notes

• 98% complete

• Milestone

• 18.1

• Issues

• 2273

• Open:

• 56

• • Closed:

• 2217

• Assets 5

• • Source code (zip) Download
• • Source code (tar.gz) Download
• • Source code (tar.bz2) Download
• • Source code (tar) Download
• • Other

• 25 new features

• 3897 total badges

• Software supply chain security

• Compromised password detection for native GitLab credentials (SaaS only) : System Access

• Ultimate

• 9 new features

• 643 total badges

• Application security testing

• DAST detection parity with secret detection default rules : DAST

• PHP support for Advanced SAST : SAST

• Software supply chain security

• Define a Name for external custom controls : Compliance Management

• Pagination for requirements in compliance frameworks UI : Compliance Management

• UI performance and filtering improvements for compliance center : Compliance Management

• Control status pop-up in the compliance status report : Compliance Management

• Increased SAST coverage for Duo Vulnerability Resolution : Vulnerability Management

• Security risk management

• Filter by component version in the dependency list

• Variable precedence controls in pipeline execution policies : Security Policy Management

• Premium

• 7 new features

• 735 total badges

• Multiple matches per file in code search

• Plan

• Epic support for GitLab Query Language views Beta : Wiki , Team Planning

• Create

• Enhanced CODEOWNERS file validation with permission checks : Source Code Management

• Custom workspace initialization with postStart events : Workspaces

• Duo Code Review is now generally available : Code Review Workflow

• Package

• Maven virtual registry now available in beta : Virtual Registry

• Software supply chain security

• Subscribe to service account pipeline notifications : System Access

• Core

• 8 new features

• 2401 total badges

• New accessLevels argument for projectMembers in GraphQL API : Groups & Projects

• Create

• Enhanced merge request review experience with review panel : Code Review Workflow

• View downstream pipeline job logs in VS Code : Editor Extensions

• Verify

• GitLab Runner 18.1 : GitLab Runner Core

• Software supply chain security

• View inactive personal access tokens : System Access

• Filter for bot and human users (self-managed only) : System Access

• ORCID identifier in user profile : User Profile

• Achieve SLSA Level 1 compliance with CI/CD components : Artifact Security

Original source Report a problem

GitLab 18.0 release post

Release notes

• 97% complete
• Milestone
• 18.0
• Issues
• 1940
• Open:
• 49
• •
• Closed:
• 1891
• Assets 5
• Source code (zip) Download
• Source code (tar.gz) Download
• Source code (tar.bz2) Download
• Source code (tar) Download
• Other
• GitLab 18.0 release post
• Release notes
• 35 new features
• 3872 total badges
• Ultimate
  • 6 new features
  • 634 total badges
  • Internal releases available for GitLab Dedicated (self-managed only) : GitLab Dedicated
  • Software supply chain security
  • New permissions for custom roles : Permissions
  • Security risk management
  • Exclude packages from license approval rules : Security Policy Management
  • Configure Jira issues from vulnerabilities using the Jira integration API
  • Improved traceability of redetected vulnerabilities
  • Bulk add vulnerabilities to issues from the vulnerability report : Vulnerability Management
• Premium
  • 12 new features
  • 728 total badges
  • GitLab Premium and Ultimate with Duo : Code Suggestions , Duo Chat
  • Repository X-Ray now available for GitLab Duo Self-Hosted (self-managed only) : Self-Hosted Models
  • List only Enterprise users for contributions reassignment on GitLab.com : Importers
• Create
  • Automatic reviews with Duo Code Review : Code Review Workflow
  • Code Suggestions prompt caching : Code Suggestions
  • Improved Duo Code Review context : Code Review Workflow
  • Create a workspace from merge requests : Workspaces
  • Shared Kubernetes namespace for workspaces : Workspaces
• Software supply chain security
  • Display and filter archived projects in the compliance projects report : Compliance Management
  • Disable user invitations : System Access
  • LDAP authentication with GitLab username (self-managed only) : System Access
  • Support for SHA256 SAML certificates : System Access
• Core
  • 16 new features
  • 2393 total badges
  • Improved pod status visualizations in the dashboard for Kubernetes
  • Support for multiple workspaces in the GitLab for Slack app (self-managed only) : Integrations
  • Delete groups and placeholder users : Importers
  • GitLab chart 9.0 released with breaking changes (self-managed only) : Cloud Native Installation , Omnibus Package
  • Deletion protection available for all users : Groups & Projects
  • Delayed project deletion for user namespaces : Groups & Projects
  • New active parameter for Groups and Projects REST APIs : Groups & Projects
• Plan
  • GitLab Query Language views enhancements : Wiki , Team Planning
  • Pages template improvements : Pages
• Create
  • View open merge requests targeting files : Source Code Management
• Verify
  • New CI/CD analytics view for projects in limited availability : Fleet Visibility
  • GitLab Runner 18.0 : GitLab Runner Core
• Application security testing
  • Security scanners now support MR pipelines : API Security , Container Scanning , DAST , Fuzz Testing , SAST , Secret Detection , Software Composition Analysis
• Software supply chain security
  • Limit maximum user session length (self-managed only) : System Access
  • Granular permissions for job tokens in beta : Permissions
• Monitor
  • Event data collection (self-managed only) : Application Instrumentation

Original source Report a problem