GitLab releases critical security patches for 13 vulnerabilities, urging self-managed users to upgrade immediately to prevent arbitrary code execution and data leaks.
GitLab has released security updates for Community Edition (CE) and Enterprise Edition (EE) addressing 13 vulnerabilities in total. The updates resolve three high-severity defects and seven medium-severity flaws, among others. While the GitLab.com cloud platform has already been updated, these security fixes apply to all self-managed installations. Users are urged to upgrade to GitLab versions 19.1.1, 19.0.3, or 18.11.6 immediately.
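A version check a self-managed administrator might run against the fixed releases named above, handling the case of an install on an older branch that has no fixed release in this advisory. This is an added example, not GitLab's own tooling; the installed version strings it checks are constructed samples.

```python
"""Decide whether a self-managed GitLab version carries the fixes in this advisory.

Added example, not GitLab's own tooling. The fixed versions come from the
advisory; the installed version strings in main() are constructed samples.
"""
from __future__ import annotations

# Fixed releases named in the advisory, one per supported release branch.
FIXED_VERSIONS = ("19.1.1", "19.0.3", "18.11.6")


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a trailing '-ee'/'-ce' edition suffix is ignored."""
    core = version.split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version: str) -> str:
    """Classify an installed version relative to the advisory's fixed releases.

    A release branch is MAJOR.MINOR. The fix is present only in a listed branch
    at or above its fixed patch level; an older branch has no fixed release in
    this advisory, so it must move to one of the listed branches. A branch newer
    than any listed one is reported separately: check its own release notes.
    """
    major, minor, patch = parse_version(version)
    fixed = {(m, n): p for m, n, p in (parse_version(v) for v in FIXED_VERSIONS)}
    branch = (major, minor)
    if branch in fixed:
        return "patched" if patch >= fixed[branch] else "upgrade-in-branch"
    if branch > max(fixed):
        return "newer-than-advisory"
    return "upgrade-to-supported-branch"


def main() -> None:
    # Constructed sample inventory: one entry per situation the check distinguishes.
    for installed in ("19.1.1", "19.0.2", "18.11.6-ee", "18.10.9", "19.2.0"):
        print(f"{installed:12} -> {assess(installed)}")


if __name__ == "__main__":
    main()
```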
The update primarily resolves three high-severity vulnerabilities. The first, CVE-2026-10086, is a cross-site scripting (XSS) flaw in GitLab EE resulting from improper sanitisation of user-supplied input, which allowed an authenticated user with developer-level privileges to execute arbitrary client-side code inside other users’ active sessions.
The second, CVE-2026-10712, is an XSS flaw in the Web IDE workbench asset handler that allowed unauthenticated attackers to execute arbitrary JavaScript code within a user’s browser session. The third, CVE-2026-12053, is an information disclosure bug caused by insufficient output filtering in GitLab’s Duo Workflows that could have allowed unauthorised users to view sensitive information already committed to a project.
The updates also patched seven medium-severity defects involving authorisation bypass, incorrect authorisation, improper access control, improper input validation, and insufficient filtering. If left unpatched, exploitation of these flaws could result in settings tampering, content concealment, confidential information disclosure, and the exfiltration of DAST (Dynamic Application Security Testing) site profile secrets.
Exploitation could also have leaked sensitive technical data into log files and allowed Maven package metadata to be overwritten and exposed.