Skip to main content
Mallory

GitLab Security Update Fixes Web IDE Token Theft and DoS Vulnerabilities

widely-deployed-product-advisoryinternet-facing-service-vulnerabilityidentity-authentication-vulnerabilityendpoint-software-vulnerability
Updated March 21, 2026 at 02:35 PM5 sources
Share:
GitLab Security Update Fixes Web IDE Token Theft and DoS Vulnerabilities

Get Ahead of Threats Like This

Know if you're exposed. Before adversaries strike.

GitLab released security updates for Community Edition (CE) and Enterprise Edition (EE), shipping patched versions 18.8.4, 18.7.4, and 18.6.6 for self-managed deployments (with GitLab.com already remediated). The most severe issue, CVE-2025-7659 (CVSS 8.0), was attributed to incomplete validation in the Web IDE that could allow an unauthenticated attacker to steal access tokens and use them to access private repositories.

The same release also addressed multiple high-severity availability and client-side issues, including CVE-2025-8099 (CVSS 7.5) enabling DoS via repeated/complex GraphQL queries and CVE-2026-0958 (CVSS 7.5) enabling resource exhaustion by bypassing JSON validation middleware limits. Additional fixes included CPU-exhaustion vectors involving specially crafted Markdown processing (e.g., CVE-2026-1456 and CVE-2026-1458) and an XSS issue in code flow functionality (CVE-2025-14560, CVSS 7.3) that could enable malicious script execution in a victim’s browser session.

Timeline

  1. Feb 13, 2026

    Belgium CCB warns of multiple high-criticality GitLab vulnerabilities

    On 2026-02-13, Belgium's Centre for Cybersecurity published an advisory warning about multiple high-criticality vulnerabilities in GitLab CE/EE and calling for immediate patching. This reflects broader government amplification of GitLab's February 10 security release.

  2. Feb 11, 2026

    Canadian Centre for Cyber Security urges users to apply GitLab updates

    On 2026-02-11, the Canadian Centre for Cyber Security issued advisory AV26-114 referencing GitLab's February 10 security advisory. It urged users and administrators to review GitLab's guidance and apply patch versions 18.8.4, 18.7.4, and 18.6.6.

  3. Feb 10, 2026

    GitLab discloses CVE-2025-7659 and other key flaws in advisory

    GitLab's advisory identified CVE-2025-7659 as the most severe issue, a Web IDE incomplete validation flaw that could let an unauthenticated attacker steal access tokens and access private repositories. The advisory also described additional DoS, XSS, HTML injection, and related vulnerabilities, and noted GitLab.com was already patched while some self-managed upgrades may involve database-migration downtime.

  4. Feb 10, 2026

    GitLab releases security patches for CE and EE vulnerabilities

    On 2026-02-10, GitLab published patch releases 18.8.4, 18.7.4, and 18.6.6 for Community Edition and Enterprise Edition, urging self-managed customers to upgrade immediately. The fixes addressed 13 vulnerabilities, including high-severity issues affecting the Web IDE, denial-of-service conditions, XSS, HTML injection, SSRF, and other validation and authorization flaws.

See the full picture in Mallory

Mallory subscribers get deeper analysis on every story, including:

Impact Assessment

Who’s affected and how

Technical Details

Deep-dive technical analysis

Response Recommendations

Actionable next steps for your team

Indicators of Compromise

IPs, domains, hashes, and more

AI Threads

Ask questions and take action on every story

Advanced Filters

Filter by topic, classification, timeframe

Scheduled Alerts

Get matching stories delivered automatically

Related Entities

Vulnerabilities

GitLab CE/EE GraphQL Query Denial of Service (CVE-2025-8099)GitLab CE/EE Code Flow XSS (CVE-2025-14560)GitLab Web IDE token theft and private repository access via incomplete validation (CVE-2025-7659)Unauthorized auction and content deletion in Ultimate WordPress Auction Plugin (CVE-2025-0958)Stored XSS in 3DDashboard of 3DSwymer (CVE-2025-0595)Denial of Service in GitLab CE/EE JSON validation middleware (CVE-2026-0958)GitLab CE/EE Markdown Preview CPU Exhaustion DoS (CVE-2026-1456)HTML injection in GitLab CE/EE test case titles (CVE-2026-0595)Denial of Service in GitLab CE/EE via malicious file upload (CVE-2026-1458)Authenticated DoS via malicious file upload and repeated GraphQL queries in GitLab EE (CVE-2026-1387)GitLab CE/EE WebUI diff parser validation issue allowing hidden file changes (CVE-2026-1094)Authenticated SSRF via Git repository import protection bypass in GitLab CE/EE (CVE-2025-12073)GitLab EE iterations API authorization bypass leading to private descendant group iteration data disclosure (CVE-2026-1080)GitLab EE Authenticated SSRF to Internal Network Services (CVE-2025-12575)GitLab CE/EE pipeline values information disclosure via API query (CVE-2025-14594)Authorization bypass via GraphQL mutations through GitLab GLQL API endpoint (CVE-2025-14592)Content injection in GitLab CE/EE project label titles (CVE-2026-1282)

Organizations

GitLabHackerOneMattermost

Affected Products

Gitlab Community Edition (Ce)Gitlab Enterprise Edition (Ee)Gitlab RunnerMattermostGitlab Community EditionGitlab Enterprise Edition

Sources

belgium ccb security advisories
Warning: Multiple high criticality vulnerabilities in GitLab CC/EE, Patch Immediately! | CCB Safeonweb
February 13, 2026 at 12:00 AM
ca ccs
GitLab security advisory (AV26-114) - Canadian Centre for Cyber Security
February 11, 2026 at 12:53 PM
cyber security news
GitLab Patches Multiple Vulnerabilities That Enables DoS and Cross-site Scripting Attacks
February 11, 2026 at 05:50 AM
security online info
GitLab Patch Alert: High-Severity Web IDE Flaw Exposes Private Repos
February 11, 2026 at 01:58 AM
gitlab releases
GitLab Patch Release: 18.8.4, 18.7.4, 18.6.6 | GitLab
February 10, 2026 at 12:00 AM

Related Stories

GitLab Patches XSS and API Denial-of-Service Vulnerabilities in CE/EE

GitLab Patches XSS and API Denial-of-Service Vulnerabilities in CE/EE

GitLab released security updates for **GitLab Community Edition (CE)** and **Enterprise Edition (EE)**, shipping patched versions **18.9.2**, **18.8.6**, and **18.7.6** to address multiple vulnerabilities affecting self-managed deployments. The Canadian Centre for Cyber Security issued advisory **AV26-222** urging organizations to review GitLab’s upstream advisory and apply the updates for any instances running versions prior to those releases. The update fixes **15 security issues**, including a high-severity **XSS** vulnerability (**CVE-2026-1090**, CVSS 8.7) in Markdown placeholder processing when the relevant feature flag is enabled, which could allow an authenticated attacker to inject malicious JavaScript into a victim’s browser. GitLab also addressed several **denial-of-service** conditions, including issues impacting the **GraphQL API** (resource exhaustion via recursion), repository archive endpoints, and JSON payload validation in the protected branches API; additional fixes include webhook-related DoS risks (e.g., **CVE-2025-13690**, **CVE-2025-12576**) and a **CRLF sequence** handling issue (**CVE-2026-3848**).

1 months ago
GitLab Fixes DoS, Code Injection, and Access Control Flaws in Self-Managed Instances

GitLab Fixes DoS, Code Injection, and Access Control Flaws in Self-Managed Instances

GitLab released security updates for Community Edition and Enterprise Edition in versions **18.10.3**, **18.9.5**, and **18.8.9**, patching multiple vulnerabilities that affect self-managed deployments and urging administrators to upgrade immediately. The fixes address high-severity issues including a websocket access control flaw, denial-of-service conditions, and unintended server-side command execution tied to vulnerabilities such as `CVE-2026-5173`, `CVE-2026-1092`, and `CVE-2025-12664`. The release also resolves medium- and low-severity weaknesses involving code injection, cross-site scripting, GraphQL-related denial of service, CSV import and export handling, authorization bypasses, and information disclosure affecting private projects, protected environments, and custom roles. GitLab said some affected code paths date back to versions as old as 11.3 and 12.10, while **GitLab.com** and **GitLab Dedicated** are already protected; the company added that the patches require no new migrations and can be applied to multi-node deployments without downtime, although Omnibus packages still restart services during updates.

1 weeks ago
GitLab Patches High-Severity 2FA Bypass and DoS Vulnerabilities in CE/EE

GitLab Patches High-Severity 2FA Bypass and DoS Vulnerabilities in CE/EE

GitLab released security updates for self-managed **GitLab Community Edition (CE)** and **Enterprise Edition (EE)** to fix a high-severity **two-factor authentication (2FA) bypass** and multiple **denial-of-service (DoS)** flaws. The most significant issue, **CVE-2026-0723** (CVSS 7.4), is an *unchecked return value* weakness in authentication services that could allow an attacker with knowledge of a victim’s credential/account ID to bypass 2FA by submitting forged device responses. GitLab also patched DoS vulnerabilities affecting unauthenticated and authenticated scenarios, including crafted malformed authentication data against the **Jira Connect** integration (**CVE-2025-13927**), incorrect authorization validation in API endpoints such as the **Releases API** (**CVE-2025-13928**), malformed Wiki documents that bypass cycle detection (**CVE-2025-13335**), and repeated malformed SSH authentication requests (**CVE-2026-1102**). Fixed releases are **18.8.2**, **18.7.2**, and **18.6.4**; GitLab advised administrators to upgrade immediately, noting *GitLab.com* is already patched, while third-party tracking indicated thousands of exposed GitLab CE instances remain online and potentially at risk if unpatched.

1 months ago

Get Ahead of Threats Like This

Mallory continuously monitors global threat intelligence and correlates it with your attack surface. Know if you're exposed. Before adversaries strike.