Categories: Cyber Security News

GitLab Security Update Patches Multiple Vulnerabilities Allowing Session Hijacks

On April 22, 2026, GitLab released security patch versions 18.11.1, 18.10.4, and 18.9.6 for both Community Edition (CE) and Enterprise Edition (EE), addressing multiple vulnerabilities that could be chained to hijack user sessions, steal tokens, and disrupt GitLab instances.

GitLab.com is already updated, and GitLab Dedicated customers do not need to take action, but all self‑managed deployments are urged to upgrade immediately.

High‑severity bugs enable account‑level impact

The most critical fixes are three high‑severity issues that open the door to session hijacking and token abuse under realistic attack scenarios:

Here’s the formatted table:

CVE ID	Vulnerability	Description	Impact	Affected Versions	CVSS
CVE-2026-4922	GraphQL CSRF (Session Riding)	Insufficient CSRF protection in the GraphQL API allows attackers to trick authenticated users into executing unintended mutations via malicious pages.	Unauthorized state-changing actions (e.g., modifying settings, access tokens).	GitLab CE/EE 17.0 to 18.9.5; 18.10 and 18.11 before patches	8.1 (High)
CVE-2026-5816	Web IDE Path Validation Bug (Arbitrary JS Execution)	Improper path equivalence checks in Web IDE asset handling enable unauthenticated attackers to execute arbitrary JavaScript in user sessions.	Session hijacking, token theft, malicious in-browser actions.	GitLab CE/EE 18.10 and 18.11 before patched builds	8.0 (High)
CVE-2026-5262	XSS in Storybook Dev Environment	Cross-site scripting flaw in Storybook environment allows token exposure via malicious input under certain conditions.	Session takeover, unauthorized API access.	GitLab CE/EE 16.1 to 18.9.5; 18.10 and 18.11 before patches	8.0 (High)

These three issues together significantly raise the risk of account compromise, project tampering, and unauthorized access if left unpatched, especially in internet‑exposed GitLab instances.

The April patches also ship several medium‑ and low‑severity fixes that affect availability and data exposure:

Multiple Denial‑of‑Service (DoS) bugs (CVE‑2025‑0186 in discussions, CVE‑2026‑1660 in Jira import, CVE‑2025‑6016 in notes, CVE‑2025‑3922 in GraphQL) allow authenticated users to exhaust server resources via crafted requests or imports.
CVE‑2026‑6515 – Insufficient session expiration in virtual registry credential validation could let users continue using invalidated or mis‑scoped credentials to access Virtual Registries.
Two access‑control weaknesses (CVE‑2026‑5377 in issue description rendering and CVE‑2025‑9957 in the project fork relationship API) could expose confidential issue titles or bypass group fork prevention in certain conditions.

While these are rated from medium to low severity, they increase the blast radius of a compromise and can aid attackers in persistence, data discovery, or disruption.

All three patch trains (18.11.1, 18.10.4, 18.9.6) include regular database migrations, and 18.11.1/18.10.4 also ship post‑deploy migrations, which can influence downtime planning.

Single‑node deployments will experience downtime while migrations run.
Multi‑node setups can use GitLab’s zero‑downtime upgrade procedures to avoid service interruption.

Beyond security fixes, these releases bring routine bug fixes around search indexing (Zoekt), PostgreSQL updates, Geo improvements, and CI reliability, which further harden stability and performance.

Upgrade immediately to 18.11.1, 18.10.4, or 18.9.6, depending on your supported track.
Treat exposed GitLab instances as high‑value targets: consider forced logouts, token rotation, and reviewing audit logs for suspicious GraphQL, Web IDE, Storybook, and import activity since vulnerable versions were deployed.
Review GitLab’s own security best‑practice guidance for hardening internet‑facing instances and enforcing least privilege on users and access tokens.

With active security vendors already flagging CVE‑2026‑4922 and related bugs in detection feeds, GitLab administrators should assume these issues will be quickly integrated into scanning and exploit toolchains and prioritize patching accordingly.

Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google

The post GitLab Security Update Patches Multiple Vulnerabilities Allowing Session Hijacks appeared first on Cyber Security News.

Multiple GitLab Vulnerabilities Allow Malicious Prompt Injection and Data Theft

GitLab has released critical security patches addressing nine vulnerabilities across Community Edition (CE) and Enterprise Edition (EE), including a particularly concerning prompt-injection flaw in GitLab Duo that could expose sensitive information from confidential issues. The company is urging all self-managed installations to upgrade immediately to versions 18.5.2, 18.4.4, or 18.3.6.…

November 13, 2025

In "Cyber Security News"

GitLab Releases Security Update to Patch Multiple DoS-Enabling Vulnerabilities

GitLab has released a critical security update addressing several denial-of-service (DoS) vulnerabilities in both Community Edition (CE) and Enterprise Edition (EE). Organizations running self-managed GitLab instances must upgrade immediately to versions 18.4.2, 18.3.4, or 18.2.8 to mitigate potential service disruption. GitLab.com has already been updated, and Dedicated customers are unaffected.…

October 9, 2025

In "Cyber Security News"

Multiple GitLab Vulnerabilities Enables Account Takeover and Stored XSS Exploitation

GitLab has released emergency security patches addressing multiple critical vulnerabilities that could enable attackers to perform account takeovers and execute stored cross-site scripting (XSS) attacks. The patches were released on August 13, 2025, affecting GitLab Community Edition (CE) and Enterprise Edition (EE) across versions 18.2.2, 18.1.4, and 18.0.6. Key Takeaways1.…

August 14, 2025

In "Cyber Security News"

rssfeeds-admin