News·3 min read

GitLab Patch Release Fixes Affecting CE and EE Installations

GitLab released versions 19.1.2, 19.0.4, and 18.11.7 on July 8, 2026, patching eight vulnerabilities ranging from high to low severity across Community Edition (CE) and Enterprise Edition (EE). The co

CS
CyberShield Team
2026-07-09
Share:
GitLab Patch Release Fixes Affecting CE and EE Installations

GitLab released versions 19.1.2, 19.0.4, and 18.11.7 on July 8, 2026, patching eight vulnerabilities ranging from high to low severity across Community Edition (CE) and Enterprise Edition (EE). The company strongly urges all self-managed installations to upgrade immediately, while GitLab.com and GitLab Dedicated customers require no action, as the fixes are already applied. The most […] The post GitLab Patch Release Fixes Affecting CE and EE Installations appeared first on Cyber Security News.

GitLab released versions 19.1.2, 19.0.4, and 18.11.7 on July 8, 2026, patching eight vulnerabilities ranging from high to low severity across Community Edition (CE) and Enterprise Edition (EE). The company strongly urges all self-managed installations to upgrade immediately, while GitLab.com and GitLab Dedicated customers require no action, as the fixes are already applied. The most critical fix, tracked as CVE-2026-6896, addresses a cross-site scripting flaw in the vulnerability evidence table renderer in GitLab EE. GitLab Patch Release An authenticated developer-level user could exploit improper input sanitization to execute arbitrary scripts in another user’s browser session, carrying a CVSS score of 8.7. A second high-severity issue, CVE-2026-13320, involves HTML injection in wiki markup rendering affecting both CE and EE. This flaw, rated 7.3, similarly stems from insufficient sanitization and could let authenticated users run scripts in another session’s browser. Three medium-severity vulnerabilities round out the notable fixes. CVE-2026-11827 (CVSS 4.9) exposed stored credentials during repository mirroring to maintainer-level users due to weak authorization controls. CVE-2026-8472 (CVSS 4.3) allowed users with minimal access to read metadata for work items in private EE projects due to missing authorization checks. CVE-2026-7492 (CVSS 4.3) allowed unauthenticated users to detect the existence of private projects via commit discussion pages in CE/EE. Four low-severity issues were also patched, including a Git reference ambiguity bug (CVE-2025-12506), two incorrect authorization flaws in EE group settings and compliance violation management (CVE-2026-13151 and CVE-2026-6352), each carrying a CVSS of 2.7 or below. Affected Versions Impacted version ranges vary by CVE but generally span from as early as GitLab 9.1 (for the commit discussion issue) through the 19.1 series before patching. Most vulnerabilities were reported through GitLab’s HackerOne bug bounty program by external researchers, while the group-level settings flaw was discovered internally by a GitLab team member. Bug Fixes and Upgrade GitLab stated that the releases include numerous bug fixes: OAuth application organization ID handling, Go runtime updates to version 1.25.11, fixes for multi-arch container registry tags, ClickHouse compatibility for CI analytics, and corrections to approval rule overrides for merge requests, among others. Administrators should note that this patch includes database migrations. Single-node instances will experience downtime during the upgrade since migrations must complete before GitLab restarts. Versions 19.1.2 and 19.0.4 also include post-deploy migrations that run after the upgrade completes. GitLab recommends reviewing the official update guide before proceeding and reiterates that details of security issues become publicly visible on its issue tracker 90 days after the patching release, per its standard disclosure policy. Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google. The post GitLab Patch Release Fixes Affecting CE and EE Installations appeared first on Cyber Security News.

Share:

Join the Discussion

Comments coming soon. Follow us on social media for real-time discussions.