- Jan 21, 2026
- Parsed from source:Jan 21, 2026
- Detected by Releasebot:Jan 21, 2026
GitLab Patch Release: 18.8.2, 18.7.2, 18.6.4
GitLab rolls patch releases 18.8.2, 18.7.2, and 18.6.4 for CE and EE with important security fixes and bug fixes. Upgrading is strongly recommended for self‑managed deployments; GitLab.com is already patched. Includes upgrade notes and backports for safer, zero‑downtime multi‑node upgrades.
Learn more about GitLab Patch Release: 18.8.2, 18.7.2, 18.6.4 for GitLab Community Edition (CE) and Enterprise Edition (EE).
Today, we are releasing versions 18.8.2, 18.7.2, 18.6.4 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
Recommended Action
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
Security fixes
Table of security fixes
| Title | Severity |
| --- | --- |
| Denial of Service issue in Jira Connect integration impacts GitLab CE/EE | High |
| Incorrect Authorization issue in Releases API impacts GitLab CE/EE | High |
| Unchecked Return Value issue in authentication services impacts GitLab CE/EE | High |
| Infinite Loop issue in Wiki redirects impacts GitLab CE/EE | Medium |
| Denial of Service issue in API endpoint impacts GitLab CE/EE | Medium |
CVE-2025-13927 - Denial of Service issue in Jira Connect integration impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to create a denial of service condition by sending crafted requests with malformed authentication data.
Impacted Versions: GitLab CE/EE: all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2025-13928 - Incorrect Authorization issue in Releases API impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to cause a denial of service condition by exploiting incorrect authorization validation in API endpoints.
Impacted Versions: GitLab CE/EE: all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2026-0723 - Unchecked Return Value issue in authentication services impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an individual with existing knowledge of a victim's credential ID to bypass two-factor authentication by submitting forged device responses.
Impacted Versions: GitLab CE/EE: all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2
CVSS 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
Thanks ahacker1 for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2025-13335 - Infinite Loop issue in Wiki redirects impacts GitLab CE/EE
GitLab has remediated an issue that under certain circumstances could have allowed an authenticated user to create a denial of service condition by configuring malformed Wiki documents that bypass cycle detection.
Impacted Versions: GitLab CE/EE: all versions from 17.1 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks sim4n6 for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2026-1102 - Denial of Service issue in API endpoint impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to create a denial of service condition by sending repeated malformed SSH authentication requests.
Impacted Versions: GitLab CE/EE: all versions from 12.3 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2
CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
This vulnerability has been discovered internally by GitLab team member Thiago Figueiró.
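To check an installed version against the "Impacted Versions" lines above, the following added example (not GitLab's code, and not part of the original release post) parses that line format into half-open version ranges and reports which of the five CVEs apply. The function names are hypothetical; the range strings are copied from the entries above.

```python
import re

# "Impacted Versions" lines copied from the five advisories above.
ADVISORY = {
    "CVE-2025-13927": "GitLab CE/EE: all versions from 11.9 before 18.6.4, "
                      "18.7 before 18.7.2, and 18.8 before 18.8.2",
    "CVE-2025-13928": "GitLab CE/EE: all versions from 17.7 before 18.6.4, "
                      "18.7 before 18.7.2, and 18.8 before 18.8.2",
    "CVE-2026-0723": "GitLab CE/EE: all versions from 18.6 before 18.6.4, "
                     "18.7 before 18.7.2, and 18.8 before 18.8.2",
    "CVE-2025-13335": "GitLab CE/EE: all versions from 17.1 before 18.6.4, "
                      "18.7 before 18.7.2, and 18.8 before 18.8.2",
    "CVE-2026-1102": "GitLab CE/EE: all versions from 12.3 before 18.6.4, "
                     "18.7 before 18.7.2, and 18.8 before 18.8.2",
}

# One "<low> before <high>" pair; the first pair is preceded by "from".
_RANGE = re.compile(
    r"(?:from\s+)?(\d+(?:\.\d+){0,2})\s+before\s+(\d+(?:\.\d+){0,2})"
)


def parse_version(text):
    """Turn '18.6.4', '18.6' or '18.6.4-ee' into (18, 6, 4); missing parts are 0."""
    match = re.match(r"\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def parse_ranges(line):
    """Parse an 'Impacted Versions' line into [(low, high), ...], high exclusive."""
    ranges = [(parse_version(lo), parse_version(hi))
              for lo, hi in _RANGE.findall(line)]
    if not ranges:
        raise ValueError(f"no version ranges found in: {line!r}")
    return ranges


def is_affected(installed, line):
    """True if the installed version falls inside any impacted range."""
    version = parse_version(installed)
    return any(low <= version < high for low, high in parse_ranges(line))


def affected_cves(installed, advisory=ADVISORY):
    """Sorted list of CVE IDs whose impacted ranges include the installed version."""
    return sorted(cve for cve, line in advisory.items()
                  if is_affected(installed, line))


if __name__ == "__main__":
    # Constructed sample versions, e.g. as read from an instance's version file.
    for sample in ("18.6.3", "18.6.4", "18.5.2", "18.7.1-ee", "12.0.0"):
        print(sample, affected_cves(sample) or "not affected by this release's CVEs")
```

Note that a version on an older stream, such as 18.5.2, is still inside the "before 18.6.4" range, so the fix requires moving to one of the three patched versions.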
Bug fixes
18.8.2
• Backport of Make external agent configurations GA
• Backport Remove GitLab Dedicated support for semantic search until it's available
• Backport of '18.8.0: Merge Request reviewer dropdown crashes and does not send request'
• Backport of 'Pass user id to workflow service'
• Backport of rake task to seed AI Catalogs with external agents
• Backport of Separate policy logic for AI Catalog Flows and Foundational Flows
18.7.2
• Backport of Fix logic for fetching occurrences related to vulnerabilities
• Backport of "Removes feature flag enablement for svc accounts"
• Backport of flaky import spec quarantine
• Backport 18.7 - Fix searchable dropdown race condition when typing fast
• Backport of Recreate p_sent_notifications.reply_key index
• Fix container_repositories index repair to handle 1-to-1 relationship
• [18.7] Fix migration health check endpoint
• Backport of 'Fix soft wrap not working due to accessibilitySupport conflict'
• Backport of 'Fix git push error for remote flows in self-managed instances'
• [Backport 18.7] Exclude Git LFS paths from Git HTTP throttling
• Backport of Correct Code Review Flow history for beta
• Backport of 'Fix Duo Chat button visibility for Amazon Q'
• Backport Allow user namespaces to be indexed in Zoekt for self-managed
• Backport of 'Disable Sidekiq retries for ClickHouse pipeline/build sync workers'
• Backport of 'Disable async_insert in build and pipeline sync operations'
• 18.7 - Remove manual from SLES-12.5-release-pulp job
18.6.4
• Backport of "Removes feature flag enablement for svc accounts"
• Backport of flaky import spec quarantine
• Backport 18.6 - Fix searchable dropdown race condition when typing fast
• Fix container_repositories index repair to handle 1-to-1 relationship
• Backport of 'Fix soft wrap not working due to accessibilitySupport conflict'
• Backport of 'Fix git push error for remote flows in self-managed instances'
• [Backport 18.6] Exclude Git LFS paths from Git HTTP throttling
• Backport-Allow user namespaces to be indexed in Zoekt for self-managed
• Backport of 'Disable Sidekiq retries for ClickHouse pipeline/build sync workers'
• Backport of 'Disable async_insert in build and pipeline sync operations'
• 18.6 - Remove manual from SLES-12.5-release-pulp job
• Start Pulp FIPS jobs after PC FIPS jobs - 18.6
• [CI] Fix the builder image tags for the check-packages jobs 18-6
Important notes on upgrading
This patch includes database migrations that may impact your upgrade process.
Impact on your installation:
• Single-node instances: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.
• Multi-node instances: With proper zero-downtime upgrade procedures, this patch can be applied without downtime.
Post-deploy migrations
The following versions include post-deploy migrations that can run after the upgrade:
• 18.7.2
To learn more about the impact of upgrades on your installation, see:
• Zero-downtime upgrades for multi-node deployments
• Standard upgrades for single-node installations
Updating
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
Receive Patch Notifications
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
- Jan 19, 2026
- Parsed from source:Jan 19, 2026
- Detected by Releasebot:Jan 20, 2026
GitLab Patch Release: 18.8.1
GitLab releases patch 18.8.1 for Community and Enterprise Editions, fixing bug regressions with no security fixes. Upgrade notes highlight minimal downtime for multi-node deployments and an option to skip auto reconfigure for advanced users.
GitLab releases 18.8.1
Today we are releasing versions 18.8.1 for GitLab Community Edition and Enterprise Edition.
These versions resolve a number of regressions and bugs. This patch release does not include any security fixes.
GitLab Community Edition and Enterprise Edition
18.8.1
- Backport: Release AI Catalog External Agents
- Backport of 'Fix summarize review prompt version for DAP Duo Code Review'
- Backport of Disallow creation of new external agents
- Backport of Correct Code Review Flow history for beta
- Backport of 'Fix incorrectly shown limited experience alert on pipeline security tab'
- Backport of 'Fix Duo Chat button visibility for Amazon Q'
Important notes on upgrading
This version does not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure file, which is only used for updates.
Updating
To update, check out our update page.
GitLab subscriptions
Access to GitLab Premium and Ultimate features is granted by a paid subscription.
Alternatively, sign up for GitLab.com to use GitLab's own infrastructure.
- Jan 15, 2026
- Parsed from source:Jan 15, 2026
- Detected by Releasebot:Jan 16, 2026
GitLab 18.8 Release
GitLab 18.8 brings the Duo Agent Platform to GA with Planner and Security Analyst agents, plus auto dismiss of irrelevant vulnerabilities. It also adds multi container scanning, SSH key controls, group access rules, enhanced credentials APIs, and GitLab Runner 18.8 for broader CI/CD improvements.
18.8 Release Highlights
Today, we are excited to announce the release of GitLab 18.8 with GitLab Duo Agent Platform now generally available, GitLab Duo Planner Agent, GitLab Duo Security Analyst Agent, auto-dismiss irrelevant vulnerabilities, and much more!
These are just a few highlights from the 10+ improvements in this release. Read on to check out all of the great updates below.
To the wider GitLab community, thank you for the 119 contributions you provided to GitLab 18.8! At GitLab, everyone can contribute and we couldn't have done it without you!
To preview what's coming in next month’s release, check out our What's new page.
Notable Contributor
This month's Notable Contributor is awarded to Wesley Yarde
This month’s Notable Contributor is Wesley Yarde for building a foundational new feature that allows organizations to disable SSH keys for their enterprise users.
Wesley’s contribution stands out for several reasons:
- Security and compliance: This feature enables organizations to enforce SSH key requirements and enhance security across their enterprise.
- Foundational work: With no existing implementation to follow, Wesley had to collaborate extensively with the GitLab team to define requirements and architecture from scratch.
- First contribution: Remarkably, this was Wesley’s first contribution to GitLab—demonstrating exceptional ability to navigate a complex codebase and tackle a challenging feature.
- Enables future development: This work establishes the foundation for similar features like instance-level SSH key disabling and service account controls.
The implementation spanned multiple merge requests (!205020, !210482) with thorough review cycles. Despite the complexity, Wesley demonstrated outstanding collaboration and patience throughout the process.
“It was a pleasure to collaborate with Wesley on this feature request! While both the contributor and reviewers may have felt that the review process was overwhelming, both sides showed understanding and superb collaboration to ensure the implementation is solid and complete.” — Bogdan Denkovych, who nominated Wesley for this recognition.
Congratulations Wesley, and thank you for this valuable contribution to GitLab!
18.8 Key improvements released in GitLab 18.8
GitLab Duo Agent Platform now generally available
GitLab Duo Agent Platform is now generally available, bringing agentic AI orchestration across your entire software development lifecycle. Unlike AI tools that speed up individual tasks in isolation, the Agent Platform helps teams coordinate AI agents across planning, building, securing, and shipping software, closing the gap between faster individual work and the collaborative, multi-stage reality of software delivery.
The platform provides a central AI Catalog where teams can discover, manage, and share agents and flows across their organization. Built-in foundational agents like Planner, Security Analyst, and Data Analyst handle structured work at key decision points, while customizable flows automate multi-step agents and tasks in development workflows from issue to merge request, CI/CD migration, pipeline troubleshooting, and code reviews.
With governance controls, usage visibility, and flexible deployment options including self-hosted models for offline environments, organizations can adopt AI at scale with the transparency and control they need.
GitLab Premium and Ultimate users can start using the Agent Platform today on GitLab.com and GitLab Self-Managed instances with promotional GitLab Credits.
GitLab Duo Planner Agent now generally available
The Planner Agent is now generally available! The Planner Agent is a foundational agent built to support product managers directly in GitLab.
Use the Planner Agent to create, edit, and analyze GitLab work items. Instead of manually chasing updates, prioritizing work, or summarizing planning data, the Planner Agent helps you analyze backlogs, apply frameworks like RICE or MoSCoW, and surface what truly needs your attention. It’s like having a proactive teammate who understands your planning workflow and works with you to make better, more efficient decisions.
Please provide your feedback in issue 583008.
GitLab Duo Security Analyst Agent now generally available
The GitLab Duo Security Analyst Agent, introduced as beta in GitLab 18.5, is now generally available in GitLab 18.8.
The Security Analyst Agent enables engineers to manage vulnerabilities through natural language commands in GitLab Duo Agentic Chat. Instead of manually clicking through vulnerability dashboards or writing custom scripts for bulk operations, security teams can now triage, assess, and provide guidance for vulnerabilities in Chat conversations.
As a foundational agent, the Security Analyst Agent is available by default in GitLab Duo Agentic Chat, with no manual setup required.
Auto-dismiss irrelevant vulnerabilities with vulnerability management policies
Security teams can now automatically dismiss vulnerabilities that don’t apply to their organization using vulnerability management policies. Dismissing vulnerabilities that are not relevant to your organization reduces noise and helps developers focus on vulnerabilities that pose actual risk.
You can create policies to auto-dismiss vulnerabilities based on:
- File path
- Directory
- Identifier (CVE, CWE, or OWASP)
Auto-dismissed vulnerabilities appear in the merge request’s security widget with an Auto-dismissed label and are tracked in the vulnerability report activity with a dismissal reason for audit purposes.
18.8 Other improvements in GitLab 18.8
GitLab Runner 18.8
We’re also releasing GitLab Runner 18.8 today! GitLab Runner is the highly-scalable build agent that runs your CI/CD jobs and sends the results back to a GitLab instance. GitLab Runner works in conjunction with GitLab CI/CD, the open-source continuous integration service included with GitLab.
What’s New:
- Improved error messages for job inputs interpolation errors
Bug Fixes:
- WaitForServicesTimeout no longer supports -1 to disable timeout
- Custom URL breaks submodule authentication with insteadOf rules
- Custom runner short-token on Windows 2025 uses 9 characters instead 8
- PowerShell default helper image missing for Docker executor in GitLab Runner 17.8.3
- GitLab Runner with Docker Autoscaler does not reuse available cache volumes
- VirtualBox leaves dangling VM when job is cancelled
The list of all changes is in the GitLab Runner CHANGELOG.
Multiple Container Scanning
In GitLab 18.8, we released multi-container scanning in Beta.
Users are now able to pass in an array of images to be scanned as part of many Container Scanning jobs.
Group Owners can disable SSH keys for enterprise users
Group Owners can now disable SSH keys for all enterprise users in their group. When disabled, users cannot add new SSH keys and their existing keys are deactivated. This applies to all enterprise users in the group, including those with the Owner role.
Thank you to Wesley Yarde for helping build this feature!
Group access control for GitLab Duo features
You can now define group access rules to control who can use GitLab Duo features, enabling flexible adoption strategies from immediate organization-wide access to phased rollouts.
This feature provides granular governance control so you can scale adoption at your pace while maintaining security and compliance.
C/C++ support in Advanced SAST now generally available
Cross-file, cross-function scanning support for C/C++ is now generally available in GitLab Advanced SAST.
Centralized credential management API for group owners
The Credentials Inventory API is now available for Enterprise users on GitLab.com. This adds credential management capabilities previously only available on self-hosted instances, and enables organizations to better manage and secure their authentication tokens and keys.
The Credentials Inventory API provides programmatic access to view credentials across your organization, including:
- Personal Access Tokens (PATs)
- Group Access Tokens (GrATs)
- Project Access Tokens (PrATs)
- SSH Keys
- GPG Keys
This API complements the existing Credentials Inventory UI, allowing enterprise administrators to automate credential management tasks that previously required manual intervention. With the Credentials Inventory API, you can:
- Automate security workflows: Build automated processes to monitor, audit, and revoke credentials.
- Enforce credential policies: Identify and revoke unused or expired tokens.
- Improve security posture: Reduce the risk of credential misuse through regular auditing.
- Streamline operations: Integrate credential management into your existing security tools and workflows.
GitLab Duo Agent Platform for GitLab Duo Self-Hosted (offline licensing) now generally available
GitLab Duo Agent Platform is now generally available for Duo Self-Hosted. This feature is available to GitLab Self-Managed customers with an offline license, and uses seat-based pricing.
Self-Managed administrators can configure compatible models for use with GitLab Duo Agent Platform. Administrators using AWS Bedrock or Azure OpenAI can also configure Anthropic Claude or OpenAI GPT models.
Turn the GitLab Duo Agent Platform on or off
You can now turn on or off the GitLab Duo Agent Platform, including GitLab Duo Chat (Agentic), agents, and flows for a top-level group or the entire instance. When this setting is turned off, these features are not available.
Bug fixes, performance improvements, and UI improvements
At GitLab, we’re dedicated to providing the best possible experience for our users. With every release, we work tirelessly to fix bugs, improve performance, and enhance UI. Whether you’re one of the over 1 million users on GitLab.com or using our platform elsewhere, we’re committed to making sure your time with us is smooth and seamless.
Click the links below to see all the bug fixes, performance enhancements, and UI improvements we’ve delivered in 18.8.
- Bug fixes
- Performance improvements
- UI improvements
Deprecations
New deprecations and the complete list of all features that are currently deprecated can be viewed in the GitLab documentation. To be notified of upcoming breaking changes, subscribe to our Breaking Changes RSS feed.
Removals and breaking changes
The complete list of all removed features can be viewed in the GitLab documentation. To be notified of upcoming breaking changes, subscribe to our Breaking Changes RSS feed.
- Static compliance violations report
Changelog
Please check out the changelog to see all the named changes:
- GitLab
- GitLab Runner
- GitLab Workflow for VS Code
- GitLab CLI
Installing
If you are setting up a new GitLab installation please see the download GitLab page.
Updating
Check out our update page.
Questions?
We'd love to hear your thoughts! Visit the GitLab Forum and let us know if you have questions about the release.
- Jan 7, 2026
- Parsed from source:Jan 7, 2026
- Detected by Releasebot:Jan 7, 2026
GitLab Patch Release: 18.7.1, 18.6.3, 18.5.5
GitLab rolls out patch releases 18.7.1, 18.6.3, and 18.5.5 for CE and EE with critical security fixes and bug patches. Upgrade now for self‑managed installations; GitLab.com is already patched, and upgrade may impact downtime for some setups.
Learn more about GitLab Patch Release: 18.7.1, 18.6.3, 18.5.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
Today, we are releasing versions 18.7.1, 18.6.3, 18.5.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
Recommended Action
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
Security fixes
Table of security fixes
| Title | Severity |
| --- | --- |
| Stored Cross-site Scripting issue in GitLab Flavored Markdown placeholders impacts GitLab CE/EE | High |
| Cross-site scripting issue in Web IDE impacts GitLab CE/EE | High |
| Missing Authorization issue in Duo Workflows API impacts GitLab EE | High |
| Denial of Service issue in import functionality impacts GitLab CE/EE | Medium |
| Missing Authorization issue in AI GraphQL mutation impacts GitLab EE | Medium |
| Insufficient Access Control Granularity issue in GraphQL runnerUpdate mutation impacts GitLab CE/EE | Medium |
| Information Disclosure issue in Mermaid diagram rendering impacts GitLab CE/EE | Low |
CVE-2025-9222 - Stored Cross-site Scripting issue in GitLab Flavored Markdown placeholders impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown placeholder processing.
Impacted Versions: GitLab CE/EE: all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1
CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2025-13761 - Cross-site Scripting issue in Web IDE impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to visit a specially crafted webpage.
Impacted Versions: GitLab CE/EE: all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1
CVSS 8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2025-13772 - Missing Authorization issue in Duo Workflows API impacts GitLab EE
GitLab has remediated an issue that could have allowed an authenticated user to access and utilize AI model settings from unauthorized namespaces by manipulating namespace identifiers in API requests.
Impacted Versions: GitLab EE: all versions from 18.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1
CVSS 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)
This vulnerability has been discovered internally by GitLab team member Jessie Young.
CVE-2025-13781 - Missing Authorization issue in AI GraphQL mutation impacts GitLab EE
GitLab has remediated an issue that could have allowed an authenticated user to modify instance-wide AI feature provider settings by exploiting missing authorization checks in GraphQL mutations.
Impacted Versions: GitLab EE: all versions from 18.5 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2025-10569 - Denial of Service issue in import functionality impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed authenticated users to create a denial of service condition by providing crafted responses to external API calls.
Impacted Versions: GitLab CE/EE: all versions from 8.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2025-11246 - Insufficient Access Control Granularity issue in GraphQL runnerUpdate mutation impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed authenticated users with specific permissions to remove all project runners from unrelated projects by manipulating GraphQL runner associations.
Impacted Versions: GitLab CE/EE: all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1
CVSS 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L)
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
CVE-2025-3950 - Information Disclosure issue in Mermaid diagram rendering impacts GitLab CE/EE
GitLab has remediated an issue that could have allowed a user to leak sensitive connection information by referencing specially crafted images that bypass asset proxy protection.
Impacted Versions: GitLab CE/EE: all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1
CVSS 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
Thanks rogerace for reporting this vulnerability through our HackerOne bug bounty program.
Update Libpng version to 1.6.51
Libpng has been updated to version 1.6.51, which contains fixes for security vulnerabilities including CVE-2025-65018 and CVE-2025-64720.
Bug fixes
18.7.1
- Backport of 'Revert Merge branch '582543-opinionated-duo-chat-focus' into 'master''
- Backport of Add CI builds metadata migration configuration to 18.7 upgrade notes
- Backport of "Don't try to return connections to the pool early in a web request"
- Backport of "Clear the query cache when releasing load balancing hosts"
- Backport "Fix version-skipping upgrade blocker for namespace traversal IDs backfill"
- Backport of 'Fix Elasticsearch pagination with null sortable field values'
- [Backport 18.7] No-op BackfillSlackIntegrationsScopesShardingKey BBM
- Backport of 'Wrap merge_data & merge_request into single transaction'
- Backport of 'Resolve GraphQL type mismatch in Cleanup policy type'
- Backport of 'Fix 404 errors for Duo Workflow WS connection'
18.6.3
- Log truncation to 18-6 stable branch
- Backport of 'Add status filter argument to work items CSV export'
- Backport 'tskorupa/fix-check_e82ff70482-constraint-validation' into '18-6-stable-ee'
- Backport of Add pipeline_per_user rate limit
- Backport of Dependency export fix
- 18.6 Backport: "Add type handling for findings with locations saved as Strings"
- Backport: Improve handling of attachment urls and filenames, fix undercoverage 18-6
- Backport of Fix content and content-type mismatch in files e2e test
- [Backport 18.6] Exclude Git HTTP requests from authenticated web throttle
- Backport "Fix Classic Duo Chat UI is stuck" into 18.6-stable-ee
- Backport of: Handle updated Jira API calls to permit Jira issue imports again
- Backport of Fix scan execution policy overriding YAML variables
- Backport (18.6): Update dependency @gitlab/web-ide to ^0.0.1-dev-20251210140521
- Backport of 'Workhorse: use upstream for DWS API requests'
- Backport 'Allow ClickHouse migrations to be skipped'
- Backport "Fix version-skipping upgrade blocker for namespace traversal IDs backfill"
- Backport of 'Fix Elasticsearch pagination with null sortable field values'
- [18.6] Backport Mattermost Security Updates November 21, 2025
- Backport of 'Fix 404 errors for Duo Workflow WS connection'
18.5.5
- Backport: Improve handling of attachment urls and filenames, fix undercoverage 18-5
- Backport of 'Handle 429s during github LFS import'
- Backport of Dependency export fix
- Backport of 'Add status filter argument to work items CSV export'
- 18.5 Backport: "Add type handling for findings with locations saved as Strings"
- Backport of Fix content and content-type mismatch in files e2e test
- [Backport 18.5] Exclude Git HTTP requests from authenticated web throttle
- Backport of: Handle updated Jira API calls to permit Jira issue imports again
- Backport(18.5): Update dependency @gitlab/web-ide to ^0.0.1-dev-20251210140521
- Backport of 'Workhorse: use upstream for DWS API requests'
- Backport of 'Fix 404 errors for Duo Workflow WS connection'
Important notes on upgrading
This patch includes database migrations that may impact your upgrade process.
Impact on your installation:
- Single-node instances: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.
- Multi-node instances: With proper zero-downtime upgrade procedures, this patch can be applied without downtime.
Post-deploy migrations
The following versions include post-deploy migrations that can run after the upgrade:
- 18.7.1
- 18.6.3
To learn more about the impact of upgrades on your installation, see:
- Zero-downtime upgrades for multi-node deployments
- Standard upgrades for single-node installations
Updating
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
Receive Patch Notifications
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
- January 2026
- No date parsed from source.
- Detected by Releasebot:Jan 16, 2026
GitLab 18.8 Historical release
GitLab 18.8 brings widely available security and project tools, including C/C++ support in Advanced SAST, container scanning, and Duo Agent Platform releases. It also adds auto-dismiss policies in vulnerability management and extended portfolio planning options.
Milestone 18.8: 83% complete
Issues: 1324 (Open: 226, Closed: 1098)
GitLab 18.8 release post
Release notes
12 new features, 4087 total badges
Ultimate: 4 new features, 709 total badges
Application security testing
- C/C++ support in Advanced SAST now generally available : SAST
- Multiple Container Scanning : Container Scanning
Software supply chain security
- GitLab Duo Security Analyst Agent now generally available : Vulnerability Management , Dependency Management
Security risk management
- Auto-dismiss irrelevant vulnerabilities with vulnerability management policies : Security Policy Management
Premium: 5 new features, 795 total badges
- GitLab Duo Agent Platform now generally available : Duo Agent Platform
- Turn the GitLab Duo Agent Platform on or off : Duo Agent Platform
- Group access control for GitLab Duo features : Duo Agent Platform
- GitLab Duo Agent Platform for GitLab Duo Self-Hosted (offline licensing) now generally available (self-managed only) : Self-Hosted Models
Plan
- GitLab Duo Planner Agent now generally available : Portfolio Management
Core: 1 new feature, 2459 total badges
Verify
- GitLab Runner 18.8 : GitLab Runner Core
- Dec 19, 2025
- Parsed from source:Dec 19, 2025
- Detected by Releasebot:Dec 18, 2025
- Modified by Releasebot:Jan 19, 2026
GitLab 18.7 Historical release
GitLab 18.7 delivers a comprehensive release with AI driven security tools, enhanced vulnerability management, Duo AI capabilities, advanced dashboards, and broader self hosted features. The update also boosts search, workflows, and governance across DevOps and SDLC.
GitLab 18.7 release post
Release notes
Milestone 18.7: 93% complete
Issues: 2036 (Open: 138, Closed: 1898)
24 new features, 4075 total badges
Ultimate: 8 new features, 705 total badges
- Application security testing
- Service accounts available during trials on GitLab.com (SaaS only) : System Access
- Secret validity checks improved and generally available : Secret Detection
- SAST False Positive Detection with AI (Beta) : Vulnerability Management
- Filter and comment on compliance violations : Compliance Management
- Compliance framework controls show accurate scan status : Compliance Management
- New security dashboards enabled by default : Vulnerability Management
- Advanced vulnerability management available in Self-Managed and Dedicated environments : Vulnerability Management
- Warn mode in merge request approval policies : Security Policy Management
- Improved GitLab Duo and SDLC trends dashboard : DevOps Reports
- Separate model selection for Agentic Chat and agents : Model Personalization
- Advanced search available for both merge request descriptions and comments : Global Search
- Support for AGENTS.md with GitLab Duo Chat (Agentic) in IDEs : Editor Extensions
- AI agent and flow versioning : Duo Agent Platform
- AI gateway timeout setting (self-managed only) : Model Personalization
- Report agents and flows to administrators : AI Catalog
- Configure foundational agent availability : Duo Agent Platform
- Data Analyst foundational agent powered by GLQL (Beta) : Custom Dashboards Foundation
- GitLab Duo Model Selection now generally available : Model Personalization
- End user model selection now available with GitLab Duo : Model Personalization
- GitLab Duo context exclusion : Duo Agent Platform , Duo Chat , Code Suggestions , Vulnerability Management
- GitLab Duo AI Catalog : Duo Agent Platform , Duo Chat
- GitLab Duo Agent Platform now available on GitLab Duo Self-Hosted (self-managed only) : Self-Hosted Models
- Automatic Duo Code Review for groups and applications : Code Review Workflow
- Additional supported models for GitLab Duo Self-Hosted (self-managed only) : Self-Hosted Models
- Duo Code Review on GitLab Duo Self-Hosted is generally available (self-managed only) : Code Suggestions , Self-Hosted Models
- Issue boards now show complete epic hierarchies : Portfolio Management
- Pick up where you left off on the new personal homepage : Navigation
- Enhanced Admin area groups list (self-managed only) : Groups & Projects
- Updated navigation experience for groups : Groups & Projects
- Improved inactive item management for groups and projects : Groups & Projects
- Format markdown tables in the plain text editor : Markdown
- View child task completion in issues : Team Planning
- Variable expansion in environment deployment_tier : Environment Management
- GitLab Runner 18.7 : GitLab Runner Core
- View child pipeline reports in merge requests : Continuous Integration (CI)
- Dec 18, 2025
- Parsed from source:Dec 18, 2025
- Detected by Releasebot:Dec 18, 2025
GitLab 18.7 Release
GitLab 18.7 delivers major analytics and security upgrades with an enhanced Duo analytics dashboard, stronger secret validity checks, dynamic CI/CD inputs, and a beta Planner Agent. It also adds new security dashboards and governance tools for self-hosted and cloud users.
GitLab 18.7 released with improved GitLab Duo analytics dashboard and secret validity checks
Today, we are excited to announce the release of GitLab 18.7 with improved GitLab Duo Analytics dashboard, improved secret validity checks, model selection for chat and agents, and much more!
These are just a few highlights from the 25+ improvements in this release. Read on to check out all of the great updates below.
To the wider GitLab community, thank you for the 169 contributions you provided to GitLab 18.7! At GitLab, everyone can contribute and we couldn't have done it without you!
To preview what's coming in next month’s release, check out our What's new page.
Notable Contributor
This month's Notable Contributor is awarded to David Aniebo
We’re excited to recognize David Aniebo as our 18.7 Notable Contributor for his impactful contributions to GitLab product planning capabilities and the contributor platform.
David’s work on improving work item list functionality demonstrates his technical expertise and dedication to enhancing the user experience for GitLab planning features. This contribution helps teams better organize and manage their work items, making project planning more efficient for thousands of GitLab users.
Beyond code contributions, David has been a consistent supporter of the contributor platform, helping to improve the experience for community contributors. His collaborative approach and responsiveness have earned praise from multiple team members across different groups.
“David has done some fantastic work helping out with some Product Planning group efforts, and we are very thankful for his contributions,” shared Nick Brandt, Engineering Manager for Product Planning.
Thank you, David, for your valuable contributions to GitLab and for being such a collaborative member of our community! We look forward to your continued involvement.
Key improvements released in GitLab 18.7
Secret validity checks improved and generally available
When a valid secret is leaked in one of your repositories, you must react quickly. To help you prioritize urgent threats, validity checks automatically verify whether leaked credentials can still be used.
In GitLab 18.7, we’ve improved:
- Vendor integrations: Integrated with Google Cloud, AWS, and Postman, along with existing support for GitLab tokens.
- Report filtering: Filter the Vulnerability Report by validity status (active, inactive, possibly active) to quickly triage and prioritize secret findings.
- Group-level API: Turn on validity checks across all projects in a group with a single API call and streamline rollout across your organization.
In this release, validity checks are generally available.
Separate model selection for Agentic Chat and agents
Separate models can now be selected for Agentic Chat and for all other agents for top-level groups or instances. This provides more options for model selection for GitLab Duo Agent Platform.
Improved GitLab Duo and SDLC trends dashboard
The GitLab Duo and SDLC trends dashboard delivers improved analytics capabilities to measure the impact of GitLab Duo on software delivery. The dashboard now provides 6-month trend analysis across GitLab Duo feature adoption, pipeline performance, and common development metrics such as deployment frequency and mean time to merge.
You can now track code generation volumes and IDE or language trends for GitLab Duo Code Suggestions, and observe as your teams adopt new GitLab Duo Agent Platform flows. Enhanced user-level metrics enable teams to gain deeper insight into the key Duo features providing continuous value.
A new endpoint for instance-level AI usage is now available for instance administrators to extract all Duo data from either Postgres (3-month retention) or ClickHouse.
Powered by the ClickHouse integration, this dashboard delivers sub-second query performance across millions of data points. For self-managed instances, see improved recommendations and configuration guidance for ClickHouse integration.
Additional Planner Agent features available in beta
The Planner Agent now includes create and edit features in beta! The Planner Agent is a foundational agent built to support product managers directly in GitLab. Use the Planner Agent to create, edit, and analyze GitLab work items.
Instead of manually chasing updates, prioritizing work, or summarizing planning data, the Planner Agent helps you analyze backlogs, apply frameworks like RICE or MoSCoW, and surface what truly needs your attention. It’s like having a proactive teammate who understands your planning workflow and works with you to make better, more efficient decisions.
Please provide your feedback in issue 576622.
Dynamic input options in CI/CD pipelines
You can set up your CI/CD pipelines to make use of dynamic input selection when creating new pipelines through the intuitive web interface.
Now, with dynamic input options, you can configure your pipelines so that input selection options update dynamically based on previous selections. For example, when you select an input in one dropdown list, it automatically populates a list of related input options in a second dropdown list.
With CI/CD inputs, you can:
- Trigger pipelines with pre-configured inputs, reducing errors and streamlining deployments.
- Enable your users to select different inputs than the defaults from dropdown menus.
- Now use cascading dropdown lists where options dynamically update based on previous selections.
This dynamic capability enables you to create more intelligent, context-aware input configurations that guide you through the pipeline creation process, reducing errors and ensuring only valid combinations of inputs are selected.
SAST False Positive Detection with AI (Beta)
Security teams often spend significant time investigating SAST findings that turn out to be false positives, diverting attention from genuine security risks.
In GitLab 18.7, we’re introducing AI-powered SAST False Positive Detection to help teams focus on the vulnerabilities that matter. When a security scan runs, GitLab Duo automatically analyzes each Critical and High severity SAST vulnerability to determine the likelihood that it’s a false positive.
The AI assessment appears directly in the vulnerability report, giving security engineers immediate context to make faster, more confident triage decisions.
Key capabilities include:
- Automatic analysis: False positive detection runs automatically after each security scan with no manual triggering required.
- Manual trigger option: Users can manually trigger false positive detection for individual vulnerabilities on the vulnerability details page for on-demand analysis.
- Focused on high-impact findings: Scoped to Critical and High severity vulnerabilities to maximize signal-to-noise improvement.
- Contextual AI reasoning: Each assessment includes an explanation of why the finding may or may not be a true positive, based on code context and vulnerability characteristics.
- Seamless workflow integration: Results surface directly in the vulnerability report alongside existing severity, status, and remediation information.
This feature is available as a free beta for Ultimate customers and must be enabled in your group or project settings. We welcome your feedback in issue 583697.
New security dashboards enabled by default
The new security dashboards have been updated and modernized. The dashboards were previously available on GitLab.com, and are now enabled by default on GitLab Dedicated and GitLab Self-Managed.
The new features include:
- A vulnerabilities over time chart that supports:
- Filtering based on project or report type.
- Grouping by report type and severity.
- Direct links to vulnerabilities in the vulnerability report.
- A risk score module that calculates the estimated risk for a group or project based on a GitLab algorithm.
Please note that using the new dashboard requires Elasticsearch.
Instance setting to control publishing of components to the CI/CD Catalog
Administrators of GitLab Self-Managed and GitLab Dedicated can now restrict which projects are allowed to publish components to the CI/CD Catalog. This new setting enables organizations to maintain a curated, trusted CI/CD Catalog by controlling what components can be published.
Administrators can now specify an allowlist of projects authorized to publish components. When the allowlist is populated with projects, only those projects can publish components. This prevents unauthorized or unapproved components from cluttering the list of published components and ensures all components meet organizational standards and security requirements.
This addresses a key governance challenge for enterprise customers who want to maintain control over their CI/CD component ecosystem while enabling their teams to discover and reuse approved components.
Other improvements in GitLab 18.7
Accessibility improvements for heading anchor links
Heading anchor links now announce with the same text as their corresponding heading, improving the experience for screen reader users. The links also appear after the heading text, providing a cleaner visual presentation.
These changes make it easier for all users to understand and navigate to specific sections of documentation, issues, and other content.
View child pipeline reports in merge requests
Teams using parent-child CI/CD pipelines previously had to navigate through multiple pipeline pages to check test results, code quality reports, and infrastructure changes, disrupting their merge request review workflow.
You can now view and download all reports in a unified view, including unit tests, code quality checks, Terraform plans, and custom metrics, without leaving the merge request.
This eliminates context switching and accelerates merge request velocity, giving teams the ability to deliver features faster without compromising quality.
Warn mode in merge request approval policies
Security teams can now use warn mode to test and validate the impact of security policies before applying enforcement or to roll out soft gates for accelerating your security program. Warn mode helps to reduce developer friction during security policy rollouts, while continuing to ensure detected vulnerabilities are addressed.
When you create or edit a merge request approval policy, you can now choose between warn or enforce enforcement options.
Policies in warn mode generate informative bot comments without blocking merge requests. Optional approvers can be designated as points of contact for policy questions. This approach enables security teams to assess policy impact and build developer trust through transparent, gradual policy adoption.
When policy violations are detected on a project’s default branch, policies identify vulnerabilities that violate the policy in the vulnerability reports for projects and groups. The dependency list for projects also displays badges that indicate license compliance policy violations.
Additionally, you can use the API to query a filtered list of policy violations on the default branch in a project.
Filter and comment on compliance violations
The compliance violations report provides a centralized view of all compliance violations across your organization’s projects. The report displays comprehensive details about control violations, related audit events, and enables teams to track violation statuses effectively.
In GitLab 18.7, we’ve introduced powerful filtering capabilities to help you quickly find the violations that matter most. You can now filter by:
- Status
- Project
- Control
Teams can now also collaborate directly on resolving violations through comments. Within the violation record itself, teams can:
- Tag team members for investigation
- Discuss remediation approaches
- Document findings
Together, these features evolve the compliance violations report into a dynamic collaboration platform, enabling organizations to efficiently discover, analyze, and resolve compliance violations in their groups and projects.
Enhanced active trial experience for Self-Managed
GitLab Self-Managed users on an Ultimate trial can now access their active trial status, remaining days, accessible features, and expiration notifications from the left sidebar.
These enhancements help eliminate confusion about trial duration and make it easier to evaluate paid features before purchase.
AI gateway timeout setting
For GitLab Duo Self-Hosted, you can now configure a timeout value for requests to self-hosted models.
This value can range from 60 to 600 seconds.
Configure foundational agent availability
You can now control which foundational agents are available in your top-level group or instance.
Turn all foundational agents on or off by default, or toggle individual agents to align with your organization’s security and governance policies.
Report agents and flows to administrators
You can now report agents and flows to instance administrators when you encounter problematic content. Submit an abuse report that includes your feedback, and an administrator can choose to hide or delete the harmful item.
Use this feature to keep your agents and flows safe across your entire organization.
GitLab Runner 18.7
We’re also releasing GitLab Runner 18.7 today!
GitLab Runner is the highly-scalable build agent that runs your CI/CD jobs and sends the results back to a GitLab instance. GitLab Runner works in conjunction with GitLab CI/CD, the open-source continuous integration service included with GitLab.
What’s New:
- Configurable taskscaler reservation throttling
- Enable FF_TIMESTAMPS by default
Bug Fixes:
- Shell executor fails on existing Git repository if a relative builds_dir is specified
- Authentication failure in GitLab Runner 18.6.0 on subsequent pipeline runs (SSH executor)
- Authentication failure in GitLab Runner 18.6.0 on subsequent pipeline runs (shell executor)
- Docker 29 API compatibility issues
- Variables that reference file variables no longer work in GitLab Runner 18.6.0 with the shell executor
- GitLab Runner now supports Windows 11 2025 (25H2)
- ECR credential helper is not working with the Docker Autoscaler executor
- Job timeouts now properly enforced in GitLab Runner
The list of all changes is in the GitLab Runner CHANGELOG.
Advanced vulnerability management available in Self-Managed and Dedicated environments
Advanced vulnerability management is available to all Ultimate customers and includes the following features:
- Grouping data by OWASP 2021 categories in the vulnerability report for a project or group.
- Filtering based on a vulnerability identifier in the vulnerability report for a project or group.
- Filtering based on the reachability value in the vulnerability report for a project or group.
- Filtering by policy violation bypass reason.
Compliance framework controls show accurate scan status
GitLab compliance controls can be used in compliance frameworks. Controls are checks against the configuration or behavior of projects that are assigned to a compliance framework.
Previously, controls related to scanners (for example, checking if SAST is enabled) required your projects to have a passing pipeline in the default branch before the compliance centre displayed the success or failure status of your controls.
In GitLab 18.7, we have changed this behavior to show whether your controls have succeeded or failed based solely on scan completion, regardless of the overall pipeline status. This helps ease confusion because the compliance status of your controls reflects whether security scans ran and completed, not whether the entire pipeline passed.
Service accounts available during trials on GitLab.com
Service accounts are now available during trial periods, allowing you to test automation and integration workflows before purchasing.
AI agent and flow versioning
When you enable an agent or flow from the AI Catalog in your project, GitLab now pins it to a specific version.
This means your AI-powered workflows stay stable and predictable even as catalog items evolve, so you can test and validate new versions before you upgrade.
Advanced search available for both merge request descriptions and comments
Advanced search now returns matching results from both merge request descriptions and comments. Previously, users had to search merge request descriptions and comments separately.
This improvement provides a more streamlined and comprehensive search workflow for GitLab merge requests.
Data Analyst foundational agent powered by GLQL (Beta)
The Data Analyst Agent is a specialized AI assistant that helps you query, visualize, and surface data across the GitLab platform. It uses GitLab Query Language (GLQL) to retrieve and analyze data, then provides clear, actionable insights about your projects.
You can find example prompts and use cases in the documentation.
This agent is currently in beta status, so please share your thoughts in the feedback issue to help us improve and provide insight into where you’d like to see this go next.
Support for AGENTS.md with GitLab Duo Chat (Agentic) in IDEs
GitLab Duo Chat now supports the AGENTS.md specification, an emerging standard for providing context and instructions to AI coding assistants.
Unlike custom rules that are only available to GitLab Duo, AGENTS.md files are also available for other AI coding tools to use. This makes your build commands, testing instructions, code style guidelines, and project-specific context available to any AI tool that supports the specification.
GitLab Duo Chat in your IDE automatically applies available instructions from AGENTS.md files in your repository, set at the user or workspace level. For monorepos, you can place AGENTS.md files in subdirectories to provide tailored instructions for different components.
Bug fixes, performance improvements, and UI improvements
At GitLab, we’re dedicated to providing the best possible experience for our users. With every release, we work tirelessly to fix bugs, improve performance, and enhance UI. Whether you’re one of the over 1 million users on GitLab.com or using our platform elsewhere, we’re committed to making sure your time with us is smooth and seamless.
Click the links below to see all the bug fixes, performance enhancements, and UI improvements we’ve delivered in 18.7.
Deprecations
New deprecations and the complete list of all features that are currently deprecated can be viewed in the GitLab documentation. To be notified of upcoming breaking changes, subscribe to our Breaking Changes RSS feed.
- Slack slash commands
Removals and breaking changes
The complete list of all removed features can be viewed in the GitLab documentation. To be notified of upcoming breaking changes, subscribe to our Breaking Changes RSS feed.
Changelog
Please check out the changelog to see all the named changes:
- GitLab
- GitLab Runner
- GitLab Workflow for VS Code
- GitLab CLI
Installing
If you are setting up a new GitLab installation please see the download GitLab page.
Updating
Check out our update page.
Questions?
We'd love to hear your thoughts! Visit the GitLab Forum and let us know if you have questions about the release.
- Dec 10, 2025
- Parsed from source:Dec 10, 2025
- Detected by Releasebot:Dec 11, 2025
GitLab Patch Release: 18.6.2, 18.5.4, 18.4.6
GitLab rolls out patch releases 18.6.2, 18.5.4, and 18.4.6 for CE and EE with critical security and bug fixes and urges immediate upgrades (GitLab.com already patched). The notes cover security fixes, backports, upgrade impact, and guidance for zero-downtime multi-node upgrades.
Learn more about GitLab Patch Release: 18.6.2, 18.5.4, 18.4.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
Today, we are releasing versions 18.6.2, 18.5.4, 18.4.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
Recommended Action
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
Security fixes
Table of security fixes
- Cross-site scripting issue in Wiki impacts GitLab CE/EE (High)
- Improper encoding in vulnerability reports impacts GitLab CE/EE (High)
- Cross-site scripting issue in Swagger UI impacts GitLab CE/EE (High)
- Denial of service issue in GraphQL endpoints impacts GitLab CE/EE (High)
- Authentication bypass issue for WebAuthn users impacts GitLab CE/EE (Medium)
- Denial of service issue in ExifTool processing impacts GitLab CE/EE (Medium)
- Denial of service issue in Commit API impacts GitLab CE/EE (Medium)
- Information disclosure issue in compliance frameworks impacts GitLab EE (Medium)
- Information disclosure through error messages impacts GitLab CE/EE (Medium)
- HTML injection issue in merge request titles impacts GitLab CE/EE (Low)
Detailed CVE descriptions and impacted versions are provided for each security fix.
Bug fixes
18.6.2
- Backport - Fix gitlab-go build by updating Go download URL
- Update azcopy to v10.31.0 [Backport 18.6]
- Pipeline: Fixup gitlab-base version calculation 18-6 backport
- Backport of registration banner bugfix
- Backport of Ensure LFS imports work correctly with nil revisions
- Backport of 'Fix OAuth for relative path'
- Remove redundant aria roles from recycle scroller (18.6 backport)
- Backport 18-6 Fix Duo Chat test to work with new feedback button UI
- [18.6] CI: bump DOCKER_VERSION to 28.5.2
- Update diff note representation
- Backport of 'Bump test-tooling gem version to 3.1.0'
- Backport MR flaky test fix
- Backport of 'GitHub importer fails to handle rate limits when importing note attachments'
- Backport Fix: Restore branch protection check in cache_suffix_for
- Backport of 'Use Rust parser for tasklist parsing'
- Backport of Fix partition missing error in project_daily_statistics backfill (18.6)
- Backport of 'Add migrations for missing merge_requests indexes for bigint'
- Backport of Make 4XX responses not retriable for attachment downloads 18-6
- Backport of 'Handle 429s during github LFS import'
- 18-6 Stable Bump Container Registry to v4.31.1-gitlab
- Backport Pulp support to 18.6
- [18.6] Revert update to sshd_config mandating stronger algorithms
- [18.6] Fix RHEL 10 not working with SELinux
- Backport Pulp production release jobs to 18.6
18.5.4
- Backport - Fix gitlab-go build by updating Go download URL
- Update azcopy to v10.31.0 [Backport 18.5]
- Pipeline: Fixup gitlab-base version calculation 18-5 backport
- middleware: Ignore non proto endpoints
- Backport of Ensure LFS imports work correctly with nil revisions
- Remove redundant aria roles from recycle scroller (18.5 backport)
- [18.5] CI: bump DOCKER_VERSION to 28.5.2
- Backport of registration banner bugfix
- Update diff note representation
- Backport of Fix partition missing error in project_daily_statistics backfill (18.5)
- Backport of 'GitHub importer fails to handle rate limits when importing note attachments'
- Backport fix: Restore branch protection check in cache_suffix_for
- Backport Make 4XX responses not retriable for attachment downloads 18-5
- Backport Pulp support to 18.5
- Backport Pulp production release jobs to 18.5
18.4.6
- Backport - Fix gitlab-go build by updating Go download URL
- Pipeline: Fixup gitlab-base version calculation 18-4 backport
- [18.4] CI: bump DOCKER_VERSION to 28.5.2
- Backport Fix: Restore branch protection check in cache_suffix_for
- Update diff note representation
- Backport of 'GitHub importer fails to handle rate limits when importing note attachments'
- Backport Make 4XX responses not retriable for attachment downloads 18-4
- Backport of 'Handle 429s during github LFS import'
- Backport Pulp support to 18.4
- Backport Pulp production release jobs to 18.4
Important notes on upgrading
This patch includes database migrations that may impact your upgrade process.
Impact on your installation:
• Single-node instances: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.
• Multi-node instances: With proper zero-downtime upgrade procedures, this patch can be applied without downtime.
Post-deploy migrations
The following versions include post-deploy migrations that can run after the upgrade:
• 18.6.2
• 18.5.4
To learn more about the impact of upgrades on your installation, see:
• Zero-downtime upgrades for multi-node deployments
• Standard upgrades for single-node installations
Updating
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
Receive Patch Notifications
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
- December 2025
- No date parsed from source.
- Detected by Releasebot: Dec 20, 2025
- Modified by Releasebot: Jan 16, 2026
GitLab 17.11 Historical release
GitLab 17.11 delivers self-hosted AI features, security and compliance upgrades, plus platform improvements. Highlights include Duo Chat, Llama 3 availability, SAML with multiple IdPs, and stronger secret detection and software supply chain security across Core and Web IDE.
GitLab 17.11 release post
Release notes
- Milestone 17.11: 98% complete
- Issues: 2223 (Open: 43, Closed: 2180)
- 48 new features
- 3837 total badges
- Configure SAML single sign-on with multiple identity providers in Switchboard (self-managed only) : GitLab Dedicated, Switchboard
- Ultimate
- 13 new features
- 628 total badges
- Open files as context now available on GitLab Duo Self-Hosted Code Suggestions (self-managed only) : Self-Hosted Models
- Select individual models for AI-powered features on GitLab Duo Self-Hosted (self-managed only) : Self-Hosted Models
- Llama 3 models generally available for GitLab Duo Chat and Code Suggestions (self-managed only) : Self-Hosted Models
- More GitLab Duo features now available on GitLab Duo Self-Hosted (self-managed only) : Self-Hosted Models
- GitLab Duo with Amazon Q is generally available (self-managed only) : Code Suggestions
- Application security testing
- Increased rule coverage for secret push protection and pipeline secret detection : Secret Detection
- Static reachability beta with Python support : Software Composition Analysis
- Dynamic analysis support for reflected XSS checks : DAST
- Software supply chain security
- Customize compliance frameworks with requirements and compliance controls : Compliance Management
- Security risk management
- CycloneDX export for the project dependency list : Dependency Management
- Premium
- 12 new features
- 716 total badges
- GitLab Duo Chat now uses Anthropic Claude Sonnet 3.7 : Duo Chat
- Manage multiple conversations in GitLab Duo Chat : Duo Chat
- SAML verification for contribution reassignment when importing to GitLab.com : Importers
- Geo - New replicables view (self-managed only) : Disaster Recovery, Geo-replication
- Plan
- Set work in progress limits by weight : Team Planning
- Epic, issue, and task custom fields : Team Planning
- Create
- Use imported files as context in Code Suggestions : Code Suggestions
- GitLab Eclipse plugin available in beta : Editor Extensions
- Software supply chain security
- Assign projects when creating compliance frameworks : Compliance Management
- Token statistics for service account management : System Access
- Service accounts UI : System Access
- Automated Duo Pro and Duo Enterprise seat assignment : System Access
- Core
- 22 new features
- 2377 total badges
- Kubernetes 1.32 support : Deployment Management
- All auto-disabled webhooks now automatically re-enable : Webhooks
- Ghost user contributions auto-mapped during imports : Importers
- Filter placeholder users in Admin area : Importers
- Placeholder user limits appear in group usage quotas : Importers
- Linux package improvements (self-managed only) : Omnibus Package
- Plan
- Improved wiki sidebar styling : Wiki
- Display last comment as a column in GLQL views : Wiki, Team Planning
- Create
- Extension marketplace for Web IDE on self-managed instances : Web IDE
- Verify
- Improved pipeline graph visualization for failed jobs : Pipeline Composition
- Force-cancel CI/CD jobs stuck in canceling state : Continuous Integration (CI)
- Improved runner management in projects : Fleet Visibility
- GitLab Runner 17.11 : GitLab Runner Core
- CI/CD pipeline inputs : Pipeline Composition
- December 2025
- No date parsed from source.
- Detected by Releasebot: Dec 20, 2025
- Modified by Releasebot: Jan 15, 2026
GitLab 17.10 Historical release
GitLab unveils the 17.10 release with major Duo enhancements, AI-driven code suggestions and chat upgrades. New security features, package registry audit events, DORA metrics visuals, and scalable self-hosted options expand DevOps power for teams. Real release notes with visible new features.
GitLab 17.10 release post
Milestone: 99% complete
Issues: 2312 (Open: 22, Closed: 2290)
Release notes
37 new features
3789 total badges
- Manage multiple conversations in GitLab Duo Chat (SaaS only) : Duo Chat
- Expanded AWS Regions available for GitLab Dedicated failover instances (self-managed only) : GitLab Dedicated, Switchboard
- Ultimate
- 11 new features
- 615 total badges
- Select models for AI-powered features on GitLab Duo Self-Hosted (self-managed only) : Self-Hosted Models
- AI Impact Dashboard available on GitLab Duo Self-Hosted Code Suggestions (self-managed only) : Self-Hosted Models, Value Stream Management, DORA Metrics
- Meta Llama 3 models available for GitLab Duo Self-Hosted Code Suggestions and Chat (self-managed only) : Self-Hosted Models
- Root Cause Analysis available on GitLab Duo Self-Hosted (self-managed only) : Self-Hosted Models
- Plan
- New insights into GitLab Duo Code Suggestions and GitLab Duo Chat trends : Value Stream Management
- New visualization of DevOps performance with DORA metrics across projects : Value Stream Management, DORA Metrics
- Create
- Duo Code Review available in beta : Code Review Workflow
- Application security testing
- Dependency Scanning support for pub (Dart) package manager : Software Composition Analysis
- Software supply chain security
- Sort access tokens in Credentials Inventory : System Access
- Security risk management
- Handling of needs statements in pipeline execution policies for compliance : Security Policy Management
- Change the severity of a vulnerability : Vulnerability Management
- Premium
- 6 new features
- 704 total badges
- GitLab Duo Chat is now resizable : Duo Chat
- Path exclusions for CODEOWNERS : Source Code Management, Code Review Workflow
- Configurable squash settings in branch rules : Source Code Management, Code Review Workflow
- Package
- Package registry adds audit events : Package Registry
- Software supply chain security
- Enhanced sorting options for access tokens : System Access
- Security risk management
- Store and filter a source value for CI/CD jobs : Security Policy Management
- Monitor
- Pre-deployment opt-out toggle to disable event data sharing : Application Instrumentation