GitLab.com is already updated, and GitLab Dedicated customers do not need to take action, but all self‑managed deployments are urged to upgrade immediately.
High‑severity bugs enable account‑level impact
The most critical fixes are three high‑severity issues that open the door to session hijacking and token abuse under realistic attack scenarios:
| CVE ID | Vulnerability | Description | Impact | Affected Versions | CVSS |
|---|---|---|---|---|---|
| CVE-2026-4922 | GraphQL CSRF (Session Riding) | Insufficient CSRF protection in the GraphQL API allows attackers to trick authenticated users into executing unintended mutations via malicious pages. | Unauthorized state-changing actions (e.g., modifying settings, access tokens). | GitLab CE/EE 17.0 to 18.9.5; 18.10 and 18.11 before patches | 8.1 (High) |
| CVE-2026-5816 | Web IDE Path Validation Bug (Arbitrary JS Execution) | Improper path equivalence checks in Web IDE asset handling enable unauthenticated attackers to execute arbitrary JavaScript in user sessions. | Session hijacking, token theft, malicious in-browser actions. | GitLab CE/EE 18.10 and 18.11 before patched builds | 8.0 (High) |
| CVE-2026-5262 | XSS in Storybook Dev Environment | Cross-site scripting flaw in Storybook environment allows token exposure via malicious input under certain conditions. | Session takeover, unauthorized API access. | GitLab CE/EE 16.1 to 18.9.5; 18.10 and 18.11 before patches | 8.0 (High) |
These three issues together significantly raise the risk of account compromise, project tampering, and unauthorized access if left unpatched, especially in internet‑exposed GitLab instances.
The April patches also ship several medium‑ and low‑severity fixes that affect availability and data exposure:
- Multiple Denial‑of‑Service (DoS) bugs (CVE‑2025‑0186 in discussions, CVE‑2026‑1660 in Jira import, CVE‑2025‑6016 in notes, CVE‑2025‑3922 in GraphQL) allow authenticated users to exhaust server resources via crafted requests or imports.
- CVE‑2026‑6515 – Insufficient session expiration in virtual registry credential validation could let users continue using invalidated or mis‑scoped credentials to access Virtual Registries.
- Two access‑control weaknesses (CVE‑2026‑5377 in issue description rendering and CVE‑2025‑9957 in the project fork relationship API) could expose confidential issue titles or bypass group fork prevention in certain conditions.
While these are rated from medium to low severity, they increase the blast radius of a compromise and can aid attackers in persistence, data discovery, or disruption.
All three patch trains (18.11.1, 18.10.4, 18.9.6) include regular database migrations, and 18.11.1/18.10.4 also ship post‑deploy migrations, which can influence downtime planning.
- Single‑node deployments will experience downtime while migrations run.
- Multi‑node setups can use GitLab’s zero‑downtime upgrade procedures to avoid service interruption.
Beyond security fixes, these releases bring routine bug fixes around search indexing (Zoekt), PostgreSQL updates, Geo improvements, and CI reliability, which further harden stability and performance.
- Upgrade immediately to 18.11.1, 18.10.4, or 18.9.6, depending on your supported track.
- Treat exposed GitLab instances as high‑value targets: consider forced logouts, token rotation, and reviewing audit logs for suspicious GraphQL, Web IDE, Storybook, and import activity since vulnerable versions were deployed.
- Review GitLab’s own security best‑practice guidance for hardening internet‑facing instances and enforcing least privilege on users and access tokens.
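One way to act on the log-review advice above for the GraphQL session-riding pattern (CVE‑2026‑4922), as an added example that is not GitLab's own code: it scans constructed lines modelled on production_json.log and flags session-authenticated GraphQL mutations whose Referer is not the instance itself. The instance hostname, the "referer" and "params" field names, and every log value are assumptions for this example.

```python
import json
from urllib.parse import urlparse

# Hostname of the instance whose logs are being reviewed (assumed value).
INSTANCE_HOST = "gitlab.example.com"

# Constructed log lines modelled on GitLab's production_json.log. The "referer" and
# "params" fields and all values are assumptions, not captured data.
SAMPLE_LOG = """
{"method":"GET","path":"/group/project/-/issues/1","controller":"Projects::IssuesController","action":"show","status":200,"username":"alice","user_id":1,"referer":"https://gitlab.example.com/group/project","correlation_id":"c1"}
{"method":"POST","path":"/api/graphql","controller":"GraphqlController","action":"execute","status":200,"username":"alice","user_id":1,"referer":"https://gitlab.example.com/-/profile","params":[{"key":"query","value":"mutation { ... }"}],"correlation_id":"c2"}
{"method":"POST","path":"/api/graphql","controller":"GraphqlController","action":"execute","status":200,"username":"alice","user_id":1,"referer":"https://third-party.example/page.html","params":[{"key":"query","value":"mutation { ... }"}],"correlation_id":"c3"}
{"method":"POST","path":"/api/graphql","controller":"GraphqlController","action":"execute","status":200,"username":"bob","user_id":2,"referer":"https://third-party.example/page.html","params":[{"key":"query","value":"query { currentUser { username } }"}],"correlation_id":"c4"}
{"method":"POST","path":"/api/graphql","controller":"GraphqlController","action":"execute","status":200,"username":"ci-bot","user_id":3,"params":[{"key":"query","value":"mutation { ... }"}],"correlation_id":"c5"}
"""

def graphql_query(record):
    """Return the GraphQL document sent with a request, or '' if none was logged."""
    for p in record.get("params", []):
        if p.get("key") == "query" and isinstance(p.get("value"), str):
            return p["value"]
    return ""

def cross_site_mutations(log_text, instance_host=INSTANCE_HOST):
    """Flag authenticated GraphQL mutations whose Referer is not the instance itself."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("controller") != "GraphqlController" or rec.get("username") is None:
            continue
        if not graphql_query(rec).lstrip().lower().startswith("mutation"):
            continue  # read-only queries cannot change state
        ref_host = urlparse(rec.get("referer") or "").hostname
        if ref_host == instance_host:
            continue  # same-origin: expected for the web UI
        # A foreign Referer matches the session-riding pattern; a missing one is lower
        # confidence because token-based API clients normally send no Referer at all.
        reason = "foreign_referer" if ref_host else "missing_referer"
        hits.append({"correlation_id": rec.get("correlation_id"), "username": rec["username"],
                     "referer_host": ref_host, "reason": reason})
    return hits

if __name__ == "__main__":
    for hit in cross_site_mutations(SAMPLE_LOG):
        print(hit)
```

Hits are triage leads, not proof of exploitation: correlate the correlation_id with the audit log and confirm whether the mutation changed settings or tokens.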
With security vendors already flagging CVE‑2026‑4922 and related bugs in their detection feeds, GitLab administrators should assume these issues will quickly be integrated into scanning and exploit toolchains and prioritize patching accordingly.
The post GitLab Security Update Patches Multiple Vulnerabilities Allowing Session Hijacks appeared first on Cyber Security News.