On May 13, 2026, GitLab rolled out emergency security updates to address multiple high-severity flaws.
These bugs could allow attackers to hijack browser sessions or completely crash essential CI/CD pipelines.
If you manage a self-hosted GitLab instance, patching is no longer a scheduled task; it is an immediate crisis response.
The most alarming issues in this release are a series of severe Cross-Site Scripting (XSS) vulnerabilities.
Flaws like CVE-2026-7481 and CVE-2026-5297 allow attackers to inject malicious JavaScript into analytics dashboards and global search fields.
When an unsuspecting developer views these compromised pages, the script executes automatically in their browser.
This gives attackers a silent backdoor to hijack sessions, steal sensitive tokens, or manipulate code repositories under the guise of an authenticated user.
Just as dangerously, GitLab fixed several unauthenticated Denial-of-Service (DoS) vulnerabilities affecting core operations.
CVE-2026-1659 and CVE-2025-14870 are particularly concerning because they require absolutely no authentication to exploit.
By sending a flood of specially crafted payloads to the CI/CD job update API or Duo Workflows API, an anonymous attacker can quickly overwhelm the system.
This effectively paralyzes a development team’s ability to push updates, deploy code, or manage internal workflows.
To help security teams prioritize remediation, GitLab highlighted the most critical vulnerabilities addressed in this patch release.
| CVE | Vulnerability Description | Severity | CVSS Score |
|---|---|---|---|
| CVE-2026-7481 | XSS in Analytics dashboard chart rendering | High | 8.7 |
| CVE-2026-5297 | XSS in global search | High | 8.7 |
| CVE-2026-6073 | XSS in Duo Agent output rendering | High | 8.7 |
| CVE-2026-1659 | Unauthenticated DoS in CI/CD job update API | High | 7.5 |
| CVE-2025-14870 | Unauthenticated DoS in Duo Workflows API | High | 7.5 |
| CVE-2025-14869 | Unauthenticated DoS in internal API endpoints | High | 7.5 |
| CVE-2026-1322 | Improper Authorization in GraphQL token scope | Medium | 6.8 |
Updating your environment is the only reliable way to lock out potential threat actors.
GitLab has already applied these fixes to its cloud-hosted platforms, so the remaining exposure falls on self-managed Community Edition (CE) and Enterprise Edition (EE) servers.
Administrators must immediately upgrade their systems to versions 18.11.3, 18.10.6, or 18.9.7 to secure their infrastructure.
When planning your emergency maintenance window, be aware of deployment impacts.
Single-node instances will experience mandatory downtime during the upgrade process because critical database migrations must finish before GitLab can restart.
Fortunately, organizations running multi-node environments can execute zero-downtime upgrades by following standard deployment procedures.
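To decide which instances still need this upgrade, the following added example (not GitLab's own tooling) checks a reported version string against the fixed releases named above. It assumes versions are reported as MAJOR.MINOR.PATCH with an optional edition suffix such as "-ee", and the inventory hostnames and versions are constructed for illustration.

```python
import re

# Minimum patched release for each affected minor series (18.11.3, 18.10.6
# and 18.9.7 are the fix versions named in the advisory).
FIXED_RELEASES = {
    (18, 11): (18, 11, 3),
    (18, 10): (18, 10, 6),
    (18, 9): (18, 9, 7),
}

# Matches "MAJOR.MINOR.PATCH" with an optional edition suffix such as "-ee".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-.*)?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a GitLab version string; the edition suffix is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_patched(version: str) -> bool:
    """True if `version` is at or above the fixed release for its series.

    Series newer than 18.11 are assumed to carry the fix; series older than
    18.9 have no fixed release listed and are treated as unpatched.
    """
    major, minor, patch = parse_version(version)
    series = (major, minor)
    if series > max(FIXED_RELEASES):
        return True
    fixed = FIXED_RELEASES.get(series)
    if fixed is None:
        return False
    return (major, minor, patch) >= fixed


def unpatched_hosts(inventory: dict[str, str]) -> list[str]:
    """Return the hostnames whose reported version still needs the upgrade."""
    return sorted(h for h, v in inventory.items() if not is_patched(v))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "gitlab-prod.example.internal": "18.11.2-ee",
    "gitlab-dev.example.internal": "18.10.6-ee",
    "gitlab-legacy.example.internal": "18.8.4-ce",
}
```

Calling `unpatched_hosts(SAMPLE_INVENTORY)` flags the prod and legacy hosts; the 18.8 series has no fixed release in this advisory, so the check treats it as needing a move to a supported series rather than a point upgrade.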
Don’t wait for threat actors to weaponize these flaws; secure your development pipelines today.
The post Critical GitLab Vulnerabilities Enables XSS and Unauthenticated DoS Attacks appeared first on Cyber Security News.