Gitlab Release Notes

Last updated: Oct 6, 2025

  • October 2025 (no date parsed from source; detected by Releasebot Oct 6, 2025)

    GitLab 18.4 (historical release)

    GitLab 18.4 rolls out faster security scanning, broader AWS region support, and new Duo AI features plus enhanced portfolio and pipeline tools. This release boosts AI-assisted coding, security risk controls, and self-managed options for enterprises.

    GitLab 18.4 release post

    Milestone: 18.4
    Issues: 2145 (221 open, 1924 closed)
    Assets (5): source code as zip, tar.gz, tar.bz2 and tar; other

    Release notes (25 new features, 3993 total badges)

    Create
      • Bypass confirmation for enterprise users when reassigning placeholders (SaaS only): Importers

    Ultimate (4 new features, 676 total badges)
      • Expanded AWS region support for GitLab Dedicated (self-managed only): GitLab Dedicated, Switchboard
      Application security testing
      • Significantly faster Advanced SAST scanning: SAST
      • Operational Container Scanning severity threshold configuration: Software Composition Analysis
      Security risk management
      • Vulnerability details shows the auto-resolve pipeline ID

    Premium (9 new features, 764 total badges)
      • GitLab Duo Model Selection now generally available: Model Personalization
      • End user model selection now available with GitLab Duo: Model Personalization
      • GitLab Duo context exclusion: Duo Agent Platform, Duo Chat, Code Suggestions, Vulnerability Management
      • GitLab Duo AI Catalog: Duo Agent Platform, Duo Chat
      • GitLab Duo Agent Platform now available on GitLab Duo Self-Hosted (self-managed only): Self-Hosted Models
      • Automatic Duo Code Review for groups and applications: Code Review Workflow
      • Additional supported models for GitLab Duo Self-Hosted (self-managed only): Self-Hosted Models
      • Duo Code Review on GitLab Duo Self-Hosted is generally available (self-managed only): Code Suggestions, Self-Hosted Models
      Plan
      • Issue boards now show complete epic hierarchies: Portfolio Management

    Core (11 new features, 2433 total badges)
      • GitLab Knowledge Graph: Duo Agent Platform, Duo Chat, Code Suggestions, Vulnerability Management
      • Publish OpenTofu modules and providers to the GitLab container registry with CI/CD templates: Infrastructure as Code
      Plan
      • Configure how to view issues from the Issues page: Portfolio Management
      • Enhanced parent filtering for epic and issue lists: Portfolio Management
      • Text editors toolbar parity: Markdown
      Verify
      • Simulate CI/CD pipelines against a different branch: Pipeline Composition
      • GitLab Runner 18.4: GitLab Runner Core
      Application security testing
      • Pipeline secret detection now excludes certain files and directories by default: Secret Detection
      • Secret detection analyzer Git fetching improvements: Secret Detection
      Software supply chain security
      • CI/CD job tokens can authenticate Git push requests: System Access
      • Enhanced controls for who can download job artifacts: Artifact Security
  • Sep 25, 2025

    GitLab Patch Release: 18.4.1, 18.3.3, 18.2.7 for GitLab Community Edition (CE) and Enterprise Edition (EE)

    GitLab rolls out patch releases 18.4.1, 18.3.3, and 18.2.7 for CE/EE with important security and bug fixes (the highest severity in this batch is High). Upgrades are strongly recommended for self-managed instances; GitLab.com is already patched. Includes PostgreSQL security updates and upgrade notes.

    Today, we are releasing versions 18.4.1, 18.3.3, 18.2.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).

    These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.

    GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all GitLab release blog posts here.

    For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

    We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

    Recommended Action

    We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

    When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.

    Security fixes

    Table of security fixes

    • Cross-site scripting issue impacts GitLab CE/EE (High severity)
    • Denial of Service issue when uploading specifically crafted JSON files impacts GitLab CE/EE (High severity)
    • Denial of Service issue bypassing query complexity limits impacts GitLab CE/EE (High severity)
    • Information disclosure issue in virtual registry configuration for low privileged users impacts GitLab CE/EE (Medium severity)
    • Privilege Escalation issue from within the Developer role impacts GitLab EE (Medium severity)
    • Denial of Service issue in GraphQL API via Unbounded Array Parameters impacts GitLab CE/EE (Medium severity)
    • Improper Authorization issue for Project Maintainers when assigning roles impacts GitLab EE (Low severity)
    • Denial of Service issue in GraphQL API blobSearch impacts GitLab CE/EE (Low severity)
    • Incorrect ownership assignment via Move Issue drop-down impacts GitLab CE/EE (Low severity)
    • Denial of Service issue via string conversion methods impacts GitLab CE/EE (Low severity)

    Details of key CVEs and fixes are provided, including impacted versions and CVSS scores.

    PostgreSQL security updates: PostgreSQL has been updated to version 16.10 which contains fixes for security vulnerabilities including CVE-2025-8713, CVE-2025-8714 and CVE-2025-8715.

    Bug fixes are listed for versions 18.4.1, 18.3.3, and 18.2.7 with various backports and fixes.

    Important notes on upgrading:

    These versions do not include any new migrations, and for multi-node deployments, should not require any downtime. Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure file, which is only used for updates.

    Updating:

    To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.

    Receive Patch Notifications:

    To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.

  • Sep 10, 2025

    GitLab Patch Release: 18.3.2, 18.2.6, 18.1.6 for GitLab Community Edition (CE) and Enterprise Edition (EE)

    GitLab releases important patch updates for CE/EE 18.3.2, 18.2.6, and 18.1.6 packed with security fixes and bug patches. Upgrade now to stay protected; GitLab.com is already on the patched version. Backports and vulnerabilities are detailed in the release notes.

    Today, we are releasing versions 18.3.2, 18.2.6, 18.1.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

    These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.

    Recommended Action

    We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

    When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
    Security fixes

    Table of security fixes

    • Denial of Service issue in SAML Responses impacts GitLab CE/EE (High)
    • Server-Side Request Forgery issue in Webhook custom header impacts GitLab CE/EE (High)
    • Denial of Service issue in User-Controllable Fields impacts GitLab CE/EE (Medium)
    • Denial of Service issue in endpoint file upload impacts GitLab CE/EE (Medium)
    • Denial of Service issue in token listing operations impacts GitLab CE/EE (Medium)
    • Information disclosure issue in runner endpoints impacts GitLab CE/EE (Medium)

    CVE-2025-2256 - Denial of Service issue in SAML Responses impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed unauthorized users to render the GitLab instance unresponsive to legitimate users by sending multiple concurrent large SAML responses.

    Impacted Versions: GitLab CE/EE: all versions from 7.12 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2

    CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

    Thanks yuki_osaki for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2025-6454 - Server-Side Request Forgery issue in Webhook custom header impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed authenticated users to make unintended internal requests through proxy environments by injecting crafted sequences.

    Impacted Versions: GitLab CE/EE: all versions from 16.11 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2

    CVSS: 8.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

    Thanks ppee for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2025-1250 - Denial of Service issue in User-Controllable Fields impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed an authenticated user to stall background job processing by sending specially crafted commit messages, merge request descriptions, or notes.

    Impacted Versions: GitLab CE/EE: all versions from 15.0 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2

    CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

    Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2025-7337 - Denial of Service issue in endpoint file upload impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed an authenticated user with Developer-level access to cause a persistent denial of service affecting all users on a GitLab instance by uploading large files.

    Impacted Versions: GitLab CE/EE: all versions from 7.8 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2

    CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

    Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2025-10094 - Denial of Service issue in token listing operations impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed authenticated users to disrupt access to token listings and related administrative operations by creating tokens with excessively large names.

    Impacted Versions: GitLab CE/EE: all versions from 10.7 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2

    CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

    Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2025-6769 - Information disclosure issue in runner endpoints impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed authenticated users to view administrator-only maintenance notes by accessing runner details through specific interfaces.

    Impacted Versions: GitLab CE/EE: all versions from 15.1 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2

    CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

    Thanks iamgk808 for reporting this vulnerability through our HackerOne bug bounty program.
    Bug fixes

    18.3.2

    • Backport of 'Ignore silent_mode in clickhouse http calls'
    • Backport of 'Update gitlab-shell to v14.45.0'
    • Revert "Merge branch 'marina.mosti-543725-reviewer-dropdown-ce' into 'master'"
    • Backport of "Only create ToC for headings with links"
    • Backport of fix webauthn authentication in Firefox - 18.3
    • Backport of move delayed deletion cronjob settings to CE
    • Backport 'Disable gdk-update job in stable branch pipelines'
    • Backport update to gitlab-sshd to relax allowed algorithms for FIPS
    • Backport of 'Display MCP settings for root groups only'
    • Backport of 'Fix shared group access for advanced code search'
    • Backport: Fix nil error in Gitlab:Auth:IpRateLimiter
    • Backport 'Add Compare link to submodule diffs' to 18.3
    • Backport of "Revert 'New projects don't automatically inherit from group-level'"
    • Backport of "Fix syncing remote stored Blobs with filenames with plus sign"
    • Backport of 'Make FileLocationType.endLine nullable' for 18.3
    • Backport of Update csp_enabled? to always return a boolean value
    • Backport of Fix LdapAllAddOnSeatSyncWorker removing seats when no groups configured
    • Backport 'Revert gem caching only in specific pipelines'
    • Update gitlab-shell to v14.45.2 to allow ED25519 for FIPS
    • [18.3] Remove flaky spec
    • Backport of diff comment suggestions line range fix
    • Adds checksum for ruby 3.2.9

    18.2.6

    • Update gitlab-shell to v14.45.0
    • Backport of "Only create ToC for headings with links"
    • Backport update to gitlab-sshd to relax allowed algorithms for FIPS
    • Backport 'Disable gdk-update job in stable branch pipelines'
    • Backport of 'Fix shared group access for advanced code search'
    • Backport of 'Fix Bitbucket Server Importer enqueued job count'
    • Backport of 'Fix: Geo::ModelMapper flakiness'
    • Backport 'Add Compare link to submodule diffs' to 18.2
    • Backport of 'Make FileLocationType.endLine nullable' for 18.2
    • Backport of Update csp_enabled? to always return a boolean value
    • Backport of "Fix syncing remote stored Blobs with filenames with plus sign"
    • Update gitlab-shell to v14.45.2 to allow ED25519 for FIPS
    • [18.2] Remove flaky spec
    • Backport 18-2: Fix spec tag name source

    18.1.6

    • Backport of 'Fix cannot load such file – gitlab'
    • Backport of Fix 'Bitbucket Server Importer enqueued job count'
    • Backport of 'Make FileLocationType.endLine nullable' for 18.1

    Important notes on upgrading

    These versions do not include any new migrations, and for multi-node deployments, should not require any downtime. Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure file, which is only used for updates.

    Updating

    To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.

  • Aug 27, 2025

    GitLab Patch Release: 18.3.1, 18.2.5, 18.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE)

    GitLab ships patch releases 18.3.1, 18.2.5, 18.1.5 for CE and EE with important bug and security fixes. Upgrading is strongly recommended for self-managed instances while GitLab.com is already patched. Includes GraphQL, CI, and SBOM/container scanning improvements.

    Today, we are releasing versions 18.3.1, 18.2.5, 18.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).

    These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.


    Recommended Action

    We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

    When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.

    Security fixes

    Table of security fixes

    • Allocation of Resources Without Limits issue in import function impacts GitLab CE/EE (Medium)
    • Missing authentication issue in GraphQL endpoint impacts GitLab CE/EE (Medium)
    • Allocation of Resources Without Limits issue in GraphQL impacts GitLab CE/EE (Medium)
    • Code injection issue in GitLab repositories impacts GitLab CE/EE (Medium)

    CVE-2025-3601 - Allocation of Resources Without Limits issue in import function impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed an authenticated user to cause a Denial of Service (DoS) condition by submitting URLs that generate excessively large responses.

    Impacted Versions: GitLab CE/EE: all versions from 8.15 before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1

    CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

    Thanks nermalt for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2025-2246 - Missing authentication issue in GraphQL endpoint impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed unauthenticated users to access sensitive manual CI/CD variables by querying the GraphQL API.

    Impacted Versions: GitLab CE/EE: all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1

    CVSS: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

    Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2025-4225 - Allocation of Resources Without Limits issue in GraphQL impacts GitLab CE/EE

    GitLab has remediated an issue that under certain conditions could have allowed an unauthenticated attacker to cause a denial-of-service condition affecting all users by sending specially crafted GraphQL requests.

    Impacted Versions: GitLab CE/EE: all versions from 14.1 before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1

    CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

    Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2025-5101 - Code injection issue in GitLab repositories impacts GitLab CE/EE

    GitLab has remediated an issue that under certain conditions could have allowed an authenticated attacker to distribute malicious code that appears harmless in the web interface by taking advantage of ambiguity between branches and tags during repository imports.

    Impacted Versions: GitLab CE/EE: all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1

    CVSS: 5.0 (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N).

    Thanks st4nly0n for reporting this vulnerability through our HackerOne bug bounty program.
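    Every "Impacted Versions" line in this post and in the Sep 10 post above follows one pattern: a floor version, then the first fixed version in each minor series that received a backport ("all versions from 8.15 before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1"). The checker below is an added example, not GitLab tooling, that encodes that pattern so an operator can test an instance's version against the advisories on this page. Version strings are compared as integer tuples rather than text, because 18.10 sorts before 18.2 lexically but after it numerically. The CVE table is transcribed from the two posts; "all versions before X" is represented with the floor 0.0.

```python
"""Check a self-managed GitLab version against the advisories on this page.

Added example, not GitLab's own tooling. The ranges are transcribed from the
"Impacted Versions" lines of the 2025-09-10 and 2025-08-27 patch posts. Each
entry is (floor, [fixed versions]): a version is affected if it is at or
above the floor and below the first fixed version, or if it sits in a later
minor series that has its own fixed version and is below that one.
"""
import re


def parse_version(text):
    """Turn '18.3.2' (or 'v18.3.2-ee', '18.1') into a comparable int tuple."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised GitLab version: %r" % text)
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version, floor, fixed_versions):
    """True if `version` falls inside an advisory's impacted range."""
    v = parse_version(version)
    fixed = sorted(parse_version(f) for f in fixed_versions)
    # "all versions from <floor> before <first fix>": covers every older series
    if parse_version(floor) <= v < fixed[0]:
        return True
    # "<series> before <fix>" for each later backport series
    for fx in fixed[1:]:
        series_start = (fx[0], fx[1], 0)
        if series_start <= v < fx:
            return True
    return False


# Transcribed from the two patch posts on this page.
ADVISORIES = {
    # 2025-09-10 post: fixed in 18.1.6, 18.2.6, 18.3.2
    "CVE-2025-2256": ("7.12", ["18.1.6", "18.2.6", "18.3.2"]),
    "CVE-2025-6454": ("16.11", ["18.1.6", "18.2.6", "18.3.2"]),
    "CVE-2025-1250": ("15.0", ["18.1.6", "18.2.6", "18.3.2"]),
    "CVE-2025-7337": ("7.8", ["18.1.6", "18.2.6", "18.3.2"]),
    "CVE-2025-10094": ("10.7", ["18.1.6", "18.2.6", "18.3.2"]),
    "CVE-2025-6769": ("15.1", ["18.1.6", "18.2.6", "18.3.2"]),
    # 2025-08-27 post: fixed in 18.1.5, 18.2.5, 18.3.1
    "CVE-2025-3601": ("8.15", ["18.1.5", "18.2.5", "18.3.1"]),
    "CVE-2025-2246": ("0.0", ["18.1.5", "18.2.5", "18.3.1"]),
    "CVE-2025-4225": ("14.1", ["18.1.5", "18.2.5", "18.3.1"]),
    "CVE-2025-5101": ("0.0", ["18.1.5", "18.2.5", "18.3.1"]),
}


def open_cves(version, advisories=ADVISORIES):
    """Sorted list of CVE IDs from the table that still affect `version`."""
    return sorted(cve for cve, (floor, fixed) in advisories.items()
                  if is_affected(version, floor, fixed))


if __name__ == "__main__":
    # In practice the version comes from the instance (for example the
    # /api/v4/version endpoint); these are constructed samples.
    for sample in ("18.3.1", "18.3.2", "18.2.5", "17.11.7", "18.4.0"):
        print(sample, "->", open_cves(sample) or "nothing from this page")
```

    Two results worth noticing: 18.3.1 closes every CVE in this post but is still open to all six from the Sep 10 post, and 17.11.7, the last 17.x patch on this page, is inside every range because it lies below 18.1.5 and above every floor, which is why the advisories say to move to a supported version rather than the latest 17.11 patch.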

    Bug fixes

    18.3.1

    • [Backport 18.3] Making changes for container scanning for SBOMs
    • Backport of 'Fix cannot load such file – gitlab'
    • Backport: Fix namespace issue preventing Ci::Build filtering optimization
    • Backport of "Dependency Path creation with path caching"
    • Fix trusted proxies regression when hostname is specified
    • Backport of E2E test: use correct checkbox method
    • Update Mattermost to v10.10.2

    18.2.5

    • [Backport 18.2] Making changes for container scanning for SBOMs
    • [18.2] Fix flaky specs due to label ordering
    • Backport 'Danger to fail backport MRs without descriptive title'
    • Backport bug - Fix mutations of frozen object in feature_setting.rb
    • Add stage check for agentic chat
    • Backport of 'update the active_add_on_purchase check to include self-managed check'
    • Backport of "Create noop pipeline template compatible with test-on-omnibus"
    • Backport of 'Fix cannot load such file – gitlab'
    • Backport of E2E test: use correct checkbox method
    • Backport of 'Ignore silent_mode in clickhouse http calls'

    18.1.5

    • Backport "Danger to not error when e2e:test-on-omnibus-ee job not present for only QA changes" to 18.1
    • Backport Set :throttled urgency for GlobalAdvisoryScanWorker
    • Backport 'Add job and script to update backport MR label after deployment'
    • Backport 'Update gitlab-chart digest to 9d9e150'
    • Backport of 'fix missing ref attribute'
    • [18.1] Fix flaky specs due to label ordering
    • Backport 'Danger to fail backport MRs without descriptive title'
    • Backport of 'update the active_add_on_purchase check to include self-managed check'
    • Backport of E2E test: use correct checkbox method
    • Backport of "Create noop pipeline template compatible with test-on-omnibus"

    Important notes on upgrading

    These versions do not include any new migrations, and for multi-node deployments, should not require any downtime.

    Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure file, which is only used for updates.

    Updating

    To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.


  • Aug 18, 2025

    GitLab Patch Release: 18.2.4

    GitLab ships patch release 18.2.4 for CE and EE, fixing regressions and bugs with Go 1.24.5 and updated components, plus multiple backports. No new migrations or security fixes; upgrade notes and downtime behavior remain unchanged.

    GitLab releases 18.2.4

    Today we are releasing version 18.2.4 for GitLab Community Edition and Enterprise Edition. This version resolves a number of regressions and bugs. This patch release does not include any security fixes.

    GitLab Community Edition and Enterprise Edition

    18.2.4

    • Build with Go 1.24.5
    • Update golang-fips/go
    • Update gitlab-shell to v14.44.0
    • Backport "Use projectRootPath to compose breadcrumb links"
    • Backport "Add custom encoding for repository path for commit data"
    • Backport 'Fixes reviewer drawer not opening when installed under relative URL'
    • Backport-Invalid search request resets the project/group selections in sidebar
    • Backport 'Update gitlab-chart digest to 9d9e150'
    • Exclude deleted projects from job token authorization logs graphql and csv export service backport to 18.2
    • Backport 'Add job and script to update backport MR label after deployment'
    • Backport of "Fix undefined method markdown_placeholders_feature_flag_enabled? for a ProjectNamespace"
    • Backport of 'fix missing ref attribute'

    Important notes on upgrading

    This version does not include any new migrations, and for multi-node deployments, should not require any downtime. Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure file, which is only used for updates.

    Updating

    To update, check out our update page. Note: GitLab releases have skipped 18.2.3. There is no patch with that version number.

    GitLab subscriptions

    Access to GitLab Premium and Ultimate features is granted by a paid subscription. Alternatively, sign up for GitLab.com to use GitLab's own infrastructure.


  • Aug 15, 2025

    GitLab Patch Release: 17.11.7

    GitLab ships 17.11.7 for Community and Enterprise, a patch release that resolves regressions and bugs with no security fixes. Includes backports and a dependency update, plus upgrade notes about downtime and auto-reconfigure behavior.

    GitLab releases 17.11.7

    Today we are releasing version 17.11.7 for GitLab Community Edition and Enterprise Edition. This version resolves a number of regressions and bugs. This patch release does not include any security fixes.

    GitLab Community Edition and Enterprise Edition

    17.11.7

    • Backport 'Replace test-on-gdk with test-on-cng in backport mr pipelines'
    • Quarantine failing DORA Metrics dashboard tests (target single context)
    • Backport of "Ensure docs hugo_build CI job uses docs-gitlab-com stable branches"
    • Backport of 'Make sure cache is clear to prevent failure during upgrade from 17.11'
    • Update dependency container-registry to v4.19.2-gitlab

    Important notes on upgrading

    This version does not include any new migrations, and for multi-node deployments, should not require any downtime.
    Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure file, which is only used for updates.

    Updating

    To update, check out our update page.


  • Aug 13, 2025

    GitLab Patch Release: 18.2.2, 18.1.4, 18.0.6 for GitLab Community Edition (CE) and Enterprise Edition (EE)

    GitLab ships patch releases 18.2.2, 18.1.4, and 18.0.6 for CE and EE with important bug and security fixes, including several High-severity cross-site scripting and permission issues. Upgrade all self-managed installs now; GitLab.com is already patched. Includes upgrade impact, migrations, and zero-downtime guidance.

    Today, we are releasing versions 18.2.2, 18.1.4, 18.0.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

    These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.


    Recommended Action

    We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

    When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.

    Security fixes

    Table of security fixes

    • Cross-site scripting issue in blob viewer impacts GitLab CE/EE (High)
    • Cross-site scripting issue in labels impacts GitLab CE/EE (High)
    • Cross-site scripting issue in Workitem impacts GitLab CE/EE (High)
    • Improper Handling of Permissions issue in project API impacts GitLab CE/EE (High)
    • Incorrect Privilege Assignment issue in delete issues operation impacts GitLab CE/EE (Medium)
    • Allocation of Resources Without Limits issue in release name creation impacts GitLab CE/EE (Medium)
    • Incorrect Authorization issue in jobs API impacts GitLab CE/EE (Medium)
    • Authorization issue in Merge request approval policy impacts GitLab EE (Medium)
    • Inefficient Regular Expression Complexity issue in wiki impacts GitLab CE/EE (Medium)
    • Allocation of Resources Without Limits issue in Mattermost integration impacts GitLab CE/EE (Medium)
    • Incorrect Permission Assignment issue in ID token impacts GitLab CE/EE (Medium)
    • Insufficient Access Control issue in IP Restriction impacts GitLab EE (Medium)

    Details on each CVE are provided with impact, CVSS scores, and acknowledgments to reporters.

    Bug fixes

    18.2.2

    • [backport] bug: Fixed double message bug
    • Backport of 'Remove full instance test suite execution from omnibus pipeline'
    • Backport 'Replace test-on-gdk with test-on-cng in backport mr pipelines'
    • [18.2] Fix hardcoded GitLab version in spec
    • Backport of 'Exclude release environments from QA live envs'
    • [18.2 backport] Fix flaky epic deletion specs
    • [Backport 18.2] Add pause_control to Elastic delete workers
    • Backport of Skip Geo secondary for SyncProjectPolicyWorker
    • Backport of "Add outbound allowlist to allowed endpoints for SSRF filter"
    • Backport of Revert "Remove FF for SSRF protection for dependency proxy"
    • Backport of 'New projects inherit parent value for duo_features_enabled'
    • Backport of 'Add missing elasticsearch_indexing checks to workers'
    • [18.2] Fix flaky work item spec
    • [backport] of Fix: include relative URL root in PDF worker and cMap paths
    • Ensure docs hugo_build CI job uses docs-gitlab-com stable branches
    • Backport of 'Fix: validation errors for Duo settings when creating project'
    • Backport quarantine broken user signups cap alert test
    • Backport ruby gem caching improvements
    • Fix another case where Sidekiq can take too long to shut down
    • Backport of 'Filter out NULL values'
    • Backport 'Decouple node-modules caching from any specific branch'
    • Backport of 'Simplify db:check-schema CI job'
    • backport fix to use right primary key for ci_job_artifact_states
    • [Backport 18.2] Fix shared group access in advanced search code scope
    • Backport 'Danger to allow backport of maintenance type changes' to 18-2
    • backport: Fix Web IDE loading race condition
    • Backport of Fix numpad enter not working for revision compare dropdown
    • Backport fix case insensitivity in codeowners
    • [18.2] Fix flaky note scope spec
    • Backport 556582-link-to-project-not-working-when-gitlab-hosted-in-subpath-after-upgrade-to-18-2
    • Backport fix: Detect CORS problems in Web IDE
    • Backport "Danger to not error when e2e:test-on-omnibus-ee job not present for only QA changes" to 18.2
    • Backport "Use projectRootPath to compose breadcrumb links"
    • Backport of 'Use CI_COMMIT_TAG to check on_tag?'
    • Fix deprecation check failing on nil values

    18.1.4

    • Backport of 'Remove full instance test suite execution from omnibus pipeline'
    • Backport 'Replace test-on-gdk with test-on-cng in backport mr pipelines'
    • [18.1 backport] Fix flaky epic deletion specs
    • Backport of 'Exclude release environments from QA live envs'
    • Backport of Skip Geo secondary for SyncProjectPolicyWorker
    • [Backport 18.1] Add pause_control to Elastic delete workers
    • Backport of Revert "Remove FF for SSRF protection for dependency proxy"
    • Backport of "Update VERSION file for 18.1.3-internal0"
    • Backport of 'Add missing elasticsearch_indexing checks to workers'
    • [18.1] Fix flaky work item spec
    • [backport] of Fix: include relative URL root in PDF worker and cMap paths
    • Backport of "Add repair index tool", Backport of "Filter out NULL values", Backport of "Add documentation for IndexRepair task"
    • Ensure docs hugo_build CI job uses docs-gitlab-com stable branches
    • Backport ruby gem caching improvements
    • Fix another case where Sidekiq can take too long to shut down
    • Backport of 'Simplify db:check-schema CI job'
    • Backport 'Decouple node-modules caching from any specific branch'
    • backport fix to use right primary key for ci_job_artifact_states
    • Backport of Fix numpad enter not working for revision compare dropdown
    • Backport 'Danger to allow backport of maintenance type changes' to 18-1
    • Backport "Use projectRootPath to compose breadcrumb links"
    • Backport fix case insensitivity in codeowners
    • Backport of 'Use CI_COMMIT_TAG to check on_tag?'

    18.0.6

    • [18.0 backport] Fix flaky epic deletion specs
    • Backport of 'Exclude release environments from QA live envs'
    • Backport of 'Run QA on GET release environment'
    • [Backport 18.0] Add pause_control to Elastic delete workers
    • [18.0] Fix flaky work item spec
    • Ensure docs hugo_build CI job uses docs-gitlab-com stable branches
    • Fix another case where Sidekiq can take too long to shut down
    • Backport of "Add repair index tool", Backport of "Filter out NULL values", Backport of "Add documentation for IndexRepair task"
    • Backport of 'Simplify db:check-schema CI job'
    • [backport] 'tbulva-zoekt-url-reset' into 18.0
    • backport fix to use right primary key for ci_job_artifact_states
    • Backport ruby gem caching improvements
    • Backport 'Danger to allow backport of maintenance type changes' to 18-0
    • Backport[18.0] Removing check for project and framework for self managed instances
    • Backport 'Decouple node-modules caching from any specific branch'
    • Backport fix case insensitivity in codeowners
    • Backport of 'Use CI_COMMIT_TAG to check on_tag?'

    Important notes on upgrading

    This patch includes database migrations that may impact your upgrade process.

    Impact on your installation:

    • Single-node instances: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.
    • Multi-node instances: With proper zero-downtime upgrade procedures, this patch can be applied without downtime.

    Regular migrations

    The following versions include regular migrations that run during the upgrade process:

    • 18.2.2
    • 18.1.4
    • 18.0.6

    Post-deploy migrations

    The following versions include post-deploy migrations that can run after the upgrade:

    • 18.2.2
    • 18.1.4
    • 18.0.6

    To learn more about the impact of upgrades on your installation, see:

    • Zero-downtime upgrades for multi-node deployments
    • Standard upgrades for single-node installations
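
    A practical check before applying the next patch on a multi-node instance is to confirm that the previous release's post-deploy migrations have actually finished, since a zero-downtime upgrade assumes nothing is still pending. The following POSIX shell snippet is an added example and not part of the GitLab post: it parses the output of `sudo gitlab-rake db:migrate:status` (the Omnibus form of the command; Helm and Docker installs invoke the same rake task differently), lists migrations whose status column is still `down`, and returns non-zero when any remain. The sample output embedded in the script is constructed for illustration and the migration IDs and names in it are not real GitLab migrations.

```shell
#!/bin/sh
# Added example (not from the GitLab post): flag migrations that are still
# pending before starting the next upgrade. Feed it the output of
#   sudo gitlab-rake db:migrate:status        (Omnibus form)
# The sample below is constructed for illustration; the IDs and names are
# not real GitLab migrations.
set -eu

SAMPLE_STATUS='database: gitlabhq_production

 Status   Migration ID    Migration Name
--------------------------------------------------
   up     20250601000001  Example regular migration
   up     20250601000002  Example post-deploy migration
  down    20250701000003  Example pending post-deploy migration
  down    20250701000004  Another pending migration
'

# Print the IDs of migrations whose status column is "down", one per line.
pending_migrations() {
    awk '$1 == "down" { print $2 }'
}

# Count pending migrations on stdin (tr strips the padding some wc builds emit).
pending_count() {
    pending_migrations | wc -l | tr -d ' '
}

# Return 0 when nothing is pending; otherwise print a warning and return 1,
# so the function can gate an upgrade step in a larger script.
check_ready_for_upgrade() {
    n=$(pending_count)
    if [ "$n" -ne 0 ]; then
        echo "WARNING: $n migration(s) still pending; let them finish before upgrading again" >&2
        return 1
    fi
    echo "OK: no pending migrations"
}

# Run against the constructed sample with: sh migration_check.sh --demo
# (the file name is an assumption; pipe real db:migrate:status output instead)
if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE_STATUS" | check_ready_for_upgrade || true
fi
```

    On a real node, `sudo gitlab-rake db:migrate:status | check_ready_for_upgrade` after sourcing the script gives a yes/no answer for the whole instance; the status output lists each configured database in turn, and the filter covers all of them because it keys only on the status column.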

    Updating

    To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.

    Receive Patch Notifications

    To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.


  • Jul 23, 2025
    • Parsed from source:
      Jul 23, 2025
    • Detected by Releasebot:
      Oct 6, 2025

    Gitlab

    GitLab Patch Release: 18.2.1, 18.1.3, 18.0.5

    GitLab releases patch updates 18.2.1, 18.1.3, 18.0.5 for CE/EE with important bug and security fixes. Self-managed installations should upgrade now to stay protected; GitLab.com is already patched and GitLab Dedicated customers do not need to take action.

    Learn more about GitLab Patch Release: 18.2.1, 18.1.3, 18.0.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).

    Today, we are releasing versions 18.2.1, 18.1.3, 18.0.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).

    These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.

    GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab's release blog posts here.

    For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

    We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

    Recommended Action

    We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

    When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.

    Security fixes

    Table of security fixes

    • Cross-site scripting (XSS) impacts k8s proxy in GitLab CE/EE (High)
    • Cross-site scripting (XSS) impacts k8s proxy in GitLab CE/EE using CDNs (High)
    • Exposure of Sensitive Information to an Unauthorized Actor issue impacts GitLab CE/EE (Medium)
    • Improper Access Control issue impacts GitLab EE (Medium)
    • Exposure of Sensitive Information to an Unauthorized Actor issue impacts GitLab CE/EE (Medium)
    • Improper Access Control issue impacts GitLab CE/EE (Medium)

    CVE-2025-4700 - Cross-site scripting issue impacts Kubernetes Proxy in GitLab CE/EE

    GitLab has remediated an issue affecting a Kubernetes proxy feature that, under specific circumstances, could have potentially allowed a successful attacker to trigger unintended content rendering leading to XSS.

    Impacted Versions: GitLab CE/EE: all versions from 15.10 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1.

    CVSS: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)

    Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2025-4439 - Cross-site scripting issue impacts Kubernetes Proxy in GitLab CE/EE using CDNs

    GitLab has remediated an issue that could have allowed an authenticated user to perform cross-site scripting attacks when the instance is served through certain content delivery networks.

    Impacted Versions: GitLab CE/EE: all versions from 15.10 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1.

    CVSS: 7.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N)

    Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2025-7001 - Exposure of Sensitive Information to an Unauthorized Actor issue impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed privileged users to access certain resource_group information through the API which should have been unavailable.

    Impacted Versions: GitLab CE/EE: all versions from 15.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1.

    CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

    Thanks iamgk808 for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2025-4976 - Improper Access Control issue impacts GitLab EE

    GitLab has remediated an issue that, under certain circumstances, could have allowed an attacker to access internal notes in GitLab Duo responses.

    Impacted Versions: GitLab EE: all versions from 17.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1.

    CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

    Thanks rogerace for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2025-0765 - Exposure of Sensitive Information to an Unauthorized Actor issue impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed an unauthorized user to access custom service desk email addresses.

    Impacted Versions: GitLab CE/EE: all versions from 17.9 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1.

    CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

    Thanks iamgk808 for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2025-1299 - Improper Access Control issue impacts GitLab CE/EE

    GitLab has remediated an issue that, under certain circumstances, could have allowed an unauthorized user to read deployment job logs by sending a crafted request.

    Impacted Versions: GitLab CE/EE: all versions from 15.4 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1.

    CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

    Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.

    Bug fixes

    18.2.1

    • Fix double-path issue for COM_REGISTRY
    • Update VERSION files
    • Backport of '[Agentic Chat] Do not response to NewCheckpoint message'
    • Backport of Delete the search_refactor_membership_filter feature flag
    • Backport of 'Fix S3 compatibility in Workhorse uploads for non-AWS S3 providers'
    • [Backport] Allow users to resume/continue previous chat sessions in Agentic Chat instead of forcing new chat creation.
    • Send workflow metadata for Agentic Chat
    • Backport of Fix Github Import E2E
    • Backport fix for Workhorse race test: ignore EOF error for Duo Workflow send stream

    18.1.3

    • Merge branch 'jk/cache-assets-security-mirror' into 'master'
    • [backport] 'tbulva-zoekt-url-reset' into '18.1'
    • Revert "Merge branch 'cherry-pick-54ec1758' into '18-1-stable-ee'"
    • Merge branch 'dattang/pass-omnibus-package-to-release-environment-pipeline' into 'master'
    • Merge branch 'dattang/run-qa-on-get-release-environment' into '18-1-stable-ee'
    • [backport] Add check for allowlist when configuring Elasticsearch URL
    • Backport of "Backport of 'Disable directory_code_dropdown_updates flag'"
    • Revert "Enable assets caching on security stable branches"
    • Backport of 'Fixed branches loading on group merge request list'
    • Backport of Trigger webhook events on vulnerability dismissal
    • Backport GitLab Exporter 15.6.0 to 18.1.x
    • Update dependency container-registry to v4.23.2-gitlab

    18.0.5

    • [Backport 18.0] Zoekt: Only enable global search when nodes are online
    • Run GET Release Environments on 18-0-stable-ee
    • Backport of 'Fixed branches loading on group merge request list'
    • Backport 'dattang/fix-syntax-release-env-pipeline' into '18-0-stable-ee'
    • [backport to 18.0] Add check for allowlist when configuring Elasticsearch URL
    • Backport of Trigger webhook events on vulnerability dismissal
    • Update dependency container-registry to v4.21.4-gitlab
    • Build Omnibus package for GET Release Environments - 18.0
    • Merge branch 'cb-fix-prein-version-parse' into '18-0-stable'

    Updating

    To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.

    Receive Patch Notifications

    To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.


  • Jul 9, 2025
    • Parsed from source:
      Jul 9, 2025
    • Detected by Releasebot:
      Oct 6, 2025

    Gitlab

    GitLab Patch Release: 18.1.2, 18.0.4, 17.11.6

    GitLab releases patch versions 18.1.2, 18.0.4, and 17.11.6 for CE/EE, delivering urgent bug and security fixes. Self-managed installs are urged to upgrade immediately; GitLab.com is already patched. Includes rsync update and backported fixes.

    Learn more about GitLab Patch Release: 18.1.2, 18.0.4, 17.11.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

    Today, we are releasing versions 18.1.2, 18.0.4, 17.11.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

    These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.

    GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab's release blog posts here.

    For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

    We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

    Recommended Action

    We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

    When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.

    Security fixes

    Table of security fixes

    • Cross-site scripting issue impacts GitLab CE/EE (High)
    • Incorrect authorization issue impacts GitLab CE/EE (Medium)
    • Incorrect authorization issue impacts GitLab EE (Low)
    • Incorrect authorization issue impacts GitLab EE (Low)

    CVE-2025-6948 - Cross-site scripting issue impacts GitLab CE/EE

    GitLab has remediated an issue that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content.

    Impacted Versions: all versions from 17.11 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2.

    CVSS: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)

    Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2025-3396 - Improper authorization issue impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed authenticated project owners to bypass group-level forking restrictions by manipulating API requests.

    Impacted Versions: all versions from 13.3 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2.

    CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

    Thanks theluci for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2025-4972 - Improper authorization issue impacts GitLab EE

    GitLab has remediated an issue that could have allowed authenticated users with invitation privileges to bypass group-level user invitation restrictions by manipulating group invitation functionality.

    Impacted Versions: all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2.

    CVSS: 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)

    Thanks mateuszek for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2025-6168 - Improper authorization issue impacts GitLab EE

    GitLab has remediated an issue that could have allowed authenticated maintainers to bypass group-level user invitation restrictions by sending crafted API requests.

    Impacted Versions: all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2.

    CVSS: 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)

    Thanks hunter0xp7 for reporting this vulnerability through our HackerOne bug bounty program.

    rsync security updates

    rsync has been updated to version 3.4.1, which contains fixes for security vulnerabilities including CVE-2024-12084 and CVE-2024-12088.

    Bug fixes

    18.1.2

    • Backport Exporter 15.5.0 to 18.1 stable
    • update gitlab-org/container-registry to v4.23.2-gitlab
    • Merge branch '550037-set-static-glab-version-for-release-qa-tests' into 'master'
    • Quarantine a flaky test
    • Fix code owner validation for roles
    • Enable using glab for CI release
    • Remove Sidekiq shutdown delay in ConcurrencyLimitSampler
    • Refactor blob commit info section (18.1 backport)
    • Backport 'Upload cached frontend stable packages' to 18-1-stable-ee
    • [Backport 18.1] Reintroduce body for redirect responses
    • Show both author and committer in last commit (18.1 backport)
    • Fix creation of PATs using UI on relative installations
    • [Backport] Zoekt: Only enable global search when nodes are online
    • Fix title on empty projects (18.1 backport)
    • Rake Doctor Secrets: Fix WebHook error
    • Fix comment typos to trigger asset compilation
    • Fix E2E test service_ping_default_enabled_spec.rb
    • Fix catalog data loader memoization problem in specs
    • Backport "Disable the edit button, instead of not rendering it" to 18.1
    • Add a redirect status as a success backport to 18.1
    • Make sure to load correct loader on every request
    • Merge branch 'dattang/build-omnibus-for-release-environment' into '18-1-stable-ee'
    • Backport 'dattang/export-release-environment-package-name' into '18-1-stable-ee'
    • Quarantine a flaky test
    • Backport: 'revert-grpc-1.72' into 18-1
    • Merge branch 'jk/cache-assets-for-stable-branch' into 'master'
    • Fix the owner for sequence ci_builds_id_seq
    • Backport GitLab Exporter 15.5.0 to 18.1 stable
    • Merge branch 'dattang/upload-package-for-release-environment' into '18-1-stable'
    • Merge branch 'dattang/build-release-environment-package' into '18-1-stable'
    • Merge branch 'dattang/fix-release-environment-package-name' into '18-1-stable'
    • Stable branch builds: Fix versions parsing

    18.0.4

    • update gitlab-org/container-registry to v4.21.4-gitlab
    • Use 1.59.2 version of glab in release_with_glab_spec.rb
    • Quarantine a flaky test
    • Remove checksum length expectation from the Gitlab::Git::Repository#checksum
    • Fix Protected Tags show page
    • Fix code owner validation for roles
    • Remove Sidekiq shutdown delay in ConcurrencyLimitSampler
    • Refactor blob commit info section (18.0 backport)
    • Backport 'Upload cached frontend stable packages' to 18-0-stable-ee
    • [Backport 18.0] Reintroduce body for redirect responses
    • Show both author and committer in last commit (18.0 backport)
    • Backport "Add a spinner for a loading elipsis menu" to 18.0
    • Fix title on empty projects (18.0 backport)
    • No-op ValidateCiBuildNeedsProjectIdNotNull
    • Fix comment typos to trigger asset compilation
    • [Backport 18.0] Fix incorrect redirect when branch doesn't include files
    • Fix creation of PATs using UI on relative installations

    17.11.6

    • update gitlab-org/container-registry to v4.19.2-gitlab
    • Use 1.59.2 version of glab in release_with_glab_spec.rb
    • Quarantine a flaky test
    • Remove checksum length expectation from the Gitlab::Git::Repository#checksum
    • Fix code owner validation for roles
    • Revert "Merge branch 'backport-fix/547265-code-owner-roles-validation-17-11'…
    • Backport 'Upload cached frontend stable packages' to 17-11-stable-ee
    • Fix comment typos to trigger asset compilation
    • Backport 1465f38a to 17.11
    • Fix incompatible Rails cache version from 7.1 to 6.1
    • Fix creation of PATs using UI on relative installations
    • [Backport 17.11] Fix incorrect redirect when branch doesn't include files

    Updating

    To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.

    Receive Patch Notifications

    To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.

  • Jun 25, 2025
    • Parsed from source:
      Jun 25, 2025
    • Detected by Releasebot:
      Oct 6, 2025

    Gitlab

    GitLab Patch Release: 18.1.1, 18.0.3, 17.11.5

    GitLab releases patch updates 18.1.1, 18.0.3, and 17.11.5 for CE and EE with urgent bug and security fixes. Self‑managed instances should upgrade now; GitLab.com is already patched. The release addresses several CVEs and backport fixes for stability and security.

    Learn more about GitLab Patch Release: 18.1.1, 18.0.3, 17.11.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).

    Today, we are releasing versions 18.1.1, 18.0.3, 17.11.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).

    These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.

    GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab's release blog posts here.

    For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

    We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

    Recommended Action

    We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

    When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.

    Security fixes

    Table of security fixes

    • Denial of Service impacts GitLab CE/EE (Medium)
    • Missing Authentication issue impacts GitLab CE/EE (Medium)
    • Improper access control issue impacts GitLab CE/EE (Medium)
    • Elevation of Privilege impacts GitLab CE/EE (Low)
    • Improper access control issue impacts GitLab EE (Low)

    CVE-2025-3279 - Denial of Service impacts GitLab CE/EE

    GitLab has remediated an issue that, under certain conditions, could have allowed authenticated attackers to create a DoS condition by sending crafted GraphQL requests.

    Impacted Versions: GitLab CE/EE: all versions from 10.7 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1.

    CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

    Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2025-1754 - Missing Authentication issue impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed unauthenticated attackers to upload arbitrary files to public projects by sending crafted API requests, potentially leading to resource abuse and unauthorized content storage.

    Impacted Versions: GitLab CE/EE: all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1.

    CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

    Thanks abdelrahman_maged for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2025-5315 - Improper access control issue impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed authenticated users with Guest role permissions to add child items to incident work items by sending crafted API requests that bypassed UI-enforced role restrictions.

    Impacted Versions: GitLab CE/EE: all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1.

    CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

    Thanks rhidayahh for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2025-2938 - Elevation of Privilege impacts GitLab CE/EE

    GitLab has remediated an issue that could have allowed authenticated users to gain elevated project privileges by requesting access to projects where role modifications during the approval process resulted in unintended permission grants.

    Impacted Versions: GitLab CE/EE: all versions from 17.3 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1.

    CVSS: 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)

    Thanks mateuszek for reporting this vulnerability through our HackerOne bug bounty program.

    CVE-2025-5846 - Improper access control issue impacts GitLab EE

    GitLab has remediated an issue that could have allowed authenticated users to assign unrelated compliance frameworks to projects by sending crafted GraphQL mutations that bypassed framework-specific permission checks.

    Impacted Versions: GitLab EE: all versions from 16.10 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1.

    CVSS: 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)

    This vulnerability was reported internally by a GitLab team member, Joern Schneeweisz.

    Bug fixes

    18.1.1

    • (Backport to 18.1) fix: Don't unset IMAGE_TAG_EXT passed by gitlab-org/gitlab
    • Backport: Drop ubi-assets-release CI job
    • [backport] 18.1: Merge branch 'dj-exclude-stable-branch-coverage' into 'master'
    • fix: Backport fix on git over ssh
    • Check if Amazon Q should be enabled at project level

    18.0.3

    • [backport] Fix line number in zoekt response
    • Restrict LFS file download to project-bound objects
    • Backport "E2E test: account for Duo Core behaviour in code suggestion tests"
    • Backport "E2E test: disable elasticsearch omnibus jobs"
    • Backport "Fix Self Hosted Duo Beta features not being available" to 18.0
    • Backport 'Move up release-environments stage in CI' to 18-0-stable-ee
    • Projects::TransferService should be more reliable
    • Merge branch 'jmc-549650' into 'master'
    • backport 'tbulva-zoekt-flashing-no-results' into 18.0
    • Merge branch 'tbulva-search-page-scope-fix' into 'master'
    • Backport attribute_methods.rb
    • Backport "Fix losing wiki comments on some wiki page slug changes"
    • Backport to 18.0: Set glab version for release QA tests
    • Backport vulnerability_namespace_historical_statistic fix to 18.0
    • [backport] 18.0: Merge branch 'dj-exclude-stable-branch-coverage' into 'master'
    • Support markdown anchors and multi-line in permalink
    • fix: Backport fix on git over ssh
    • Backport flaky logger test fix
    • Revert "Merge branch 'backport-bugfix-restrict-LFS-download–18-0' into '18-0-stable-ee'"
    • Merge branch 'dattang/build-internal-release-qa-image' into '18-0-stable-ee'

    17.11.5

    • Merge branch '350883-update-to-use-live-trace-application-setting' into '17-11-stable'
    • Restrict LFS file download to project-bound objects
    • Backport 'Move up release-environments stage in CI' to 17-11-stable-ee
    • Merge branch 'jmc-549650' into '17-11-stable-ee'
    • Backport 'Update Import::ValidateRemoteGitEndpoint Service'
    • Backport to 17.11: Set glab version for release QA tests
    • Backport vulnerability_namespace_historical_statistic fix to 17.11
    • [backport] 17.11: Merge branch 'dj-exclude-stable-branch-coverage' into 'master'
    • fix: Backport fix on git over ssh
    • Revert "Merge branch 'backport-bugfix-restrict-LFS-download–17-11' into '17-11-stable-ee'"
    • Merge branch 'dattang/build-internal-release-qa-image' into 'master'
    • [Backport - 17.11.x] Removing postponed deprecation from omnibus

    Updating

    To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.

    Receive Patch Notifications

    To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
