GitLab GitLab Version Control Server

Known Exploited GitLab Vulnerabilities

The following GitLab vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

The vulnerability CVE-2023-7028: GitLab Community and Enterprise Editions Improper Access Control Vulnerability is in the top 1% of the currently known exploitable vulnerabilities. 2 known exploited GitLab vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.

By the Year

In 2026 there have been 66 vulnerabilities in GitLab with an average score of 6.1 out of ten. Last year, in 2025 GitLab had 162 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in GitLab in 2026 could surpass last years number. Last year, the average CVE base score was greater by 0.02

Recent GitLab Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2026-2370	Mar 29, 2026	GitLab Improper Auth Jira Connect creds leak v14.318.8.6/18.918.9.2 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 affecting Jira Connect installations that could have allowed an authenticated user with minimal workspace permissions to obtain installation credentials and impersonate the GitLab app due to improper authorization checks.	GitLab
CVE-2025-13078	Mar 25, 2026	GitLab CE/EE <=18.10.1 DoS via excessive webhook config (CVE-2025-13078) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when processing certain webhook configuration inputs.	GitLab
CVE-2025-13436	Mar 25, 2026	GitLab CE/EE before 18.10.1: Authenticated CI Input DoS via Resource Exhaustion GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when handling certain CI-related inputs.	GitLab
CVE-2025-14595	Mar 25, 2026	GitLab EE <=18.10.1 Improper Access Control (Planner) CVE-2025-14595 GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that under certain conditions could have allowed an authenticated user with Planner role to view security category metadata and attributes in group security configuration due to improper access control	GitLab
CVE-2026-1724	Mar 25, 2026	GitLab EE API Token Leak via ACL flaw in 18.5-18.8.7, 18.9-18.9.3, 18.10-18.10.1 GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to access API tokens of self-hosted AI models due to improper access control.	GitLab
CVE-2026-2745	Mar 25, 2026	GitLab WebAuthn 2FA Bypass (unauth) fixed in 18.8.7/18.9.3/18.10.1 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 7.11 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to bypass WebAuthn two-factor authentication and gain unauthorized access to user accounts due to inconsistent input validation in the authentication process.	GitLab
CVE-2026-2726	Mar 25, 2026	GitLab 18.10.1 Auth Bypass in Merge Request Access Control (CVE-2026-2726) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to perform unauthorized actions on merge requests in other projects due to improper access control during cross-repository operations.	GitLab
CVE-2026-2973	Mar 25, 2026	GitLab CE/EE <18.8.7/18.9.3/18.10.1: Auth Hijack XSS via Mermaid Diagrams GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to execute arbitrary JavaScript in a user's browser due to improper sanitization of entity-encoded content in Mermaid diagrams.	GitLab
CVE-2026-2995	Mar 25, 2026	GitLab EE 15.4-18.8.x Auth Email Add via Bad HTML Sanitization GitLab has remediated an issue in GitLab EE affecting all versions from 15.4 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to add email addresses to targeted user accounts due to improper sanitization of HTML content.	GitLab
CVE-2026-3857	Mar 25, 2026	GitLab CE/EE CSRF Enables Arbitrary GraphQL Mutations (v17.1018.10) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to execute arbitrary GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection.	GitLab
CVE-2026-3988	Mar 25, 2026	GitLab 18.518.8.7 / 18.918.9.3 / 18.1018.10.1 GraphQL DoS (unauth) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to cause a denial of service by making the GitLab instance unresponsive due to improper input validation in GraphQL request processing.	GitLab
CVE-2026-4363	Mar 25, 2026	GitLab EE Improper Auth Caching (18.118.10.1) Enables Privilege Escalation GitLab has remediated an issue in GitLab EE affecting all versions from 18.1 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that under certain conditions could have allowed an authenticated user to gain unauthorized access to resources due to improper caching of authorization decisions.	GitLab
CVE-2026-1182	Mar 12, 2026	GitLab Unauthorized Issue Title Exposure (<=18.7.5, <=18.8.5, <=18.9.1) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.14 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to gain unauthorized access to confidential issue title created in public projects under certain circumstances.	GitLab
CVE-2025-12555	Mar 11, 2026	GitLab CE/EE auth bypass, pipeline info disclosure <18.7.6/18.8.6/18.9.2 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that, under certain conditions, could have allowed an authenticated user to access previous pipeline job information on projects with repository and CI/CD disabled due to improper authorization checks.	GitLab
CVE-2025-12576	Mar 11, 2026	GitLab CE/EE Webhook DOs (<18.7.6, <18.8.6, <18.9.2) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.3 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that under certain conditions could have allowed an authenticated user to cause a denial of service due to improper handling of webhook response data.	GitLab
CVE-2025-12697	Mar 11, 2026	GitLab CE/EE <=18.9.2 Exposes Datadog API Credentials (Maintainer Auth) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.5 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user with maintainer-role permissions to reveal Datadog API credentials under certain conditions.	GitLab
CVE-2025-12704	Mar 11, 2026	GitLab EE: Improper Auth to Access Virtual Registry before 18.7.6 / 18.8.6 / 18.9.2 GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to access Virtual Registry data in groups where they are not members due to improper authorization under certain conditions.	GitLab
CVE-2025-13690	Mar 11, 2026	GitLab DoS via webhook custom headers (v16.11-18.9) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to cause a denial of service condition due to improper input validation on webhook custom header names under certain conditions.	GitLab
CVE-2025-13929	Mar 11, 2026	GitLab DoS via archive endpoint requests 10.0-18.9.2 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by issuing specially crafted requests to repository archive endpoints under certain conditions.	GitLab
CVE-2025-14513	Mar 11, 2026	GitLab Unauth DOS via JSON Payloads v18.7.6/18.8.6/18.9.2 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service condition due to improper input validation when processing specially crafted JSON payloads in the protected branches API.	GitLab
CVE-2026-0602	Mar 11, 2026	GitLab CE/EE Metadata Disclosure via Snippet Rendering (15.6-18.9.2) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to disclose metadata from private issues, merge requests, epics, milestones, or commits due to improper filtering in the snippet rendering process under certain circumstances.	GitLab
CVE-2026-1069	Mar 11, 2026	GitLab GraphQL Recursion DoS (CE/EE) <18.9.2 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances.	GitLab
CVE-2026-1090	Mar 11, 2026	Authenticated XSS via markdown_placeholders in GitLab CE/EE (v10.618.9.2) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the `markdown_placeholders` feature flag was enabled, to inject JavaScript in a browser due to improper sanitization of placeholder content in markdown processing.	GitLab
CVE-2026-1230	Mar 11, 2026	GitLab CE/EE: Authenticated Repo Download Code Divergence (before 18.9.2) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 1.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to cause repository downloads to contain different code than displayed in the web interface due to incorrect validation of branch references under certain circumstances.	GitLab
CVE-2026-1663	Mar 11, 2026	GitLab CE/EE Grp Imp Auth Allows Label Creation in Priv. Projects (v14.418.9) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.4 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user with group import permissions to create labels in private projects due to improper authorization validation in the group import process under certain circumstances.	GitLab
CVE-2026-1732	Mar 11, 2026	GitLab CE/EE Auth Discovery Vulnerability (12.6-18.9.x) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to disclose confidential issue titles due to improper filtering under certain circumstances.	GitLab
CVE-2026-3848	Mar 11, 2026	GitLab CE/EE: Authenticated Proxy Request via Import (18.7.6/18.8.6/18.9.2) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to make unintended internal requests through proxy environments under certain conditions due to improper input validation in import functionality.	GitLab
CVE-2025-14511	Feb 25, 2026	GitLab CE/EE Denial of Service via Registry Event Endpoint (<=18.9.1) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted files to the container registry event endpoint under certain conditions.	GitLab
CVE-2026-0752	Feb 25, 2026	GitLab CE/EE <18.9.1: Unauth Script Injection via Mermaid UI GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that under certain circumstances, could have allowed an unauthenticated user to inject arbitrary scripts into the Mermaid sandbox UI.	GitLab
CVE-2026-1388	Feb 25, 2026	GitLab CE/EE ReDoS via MR pre 18.9.1 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause regular expression denial of service by sending specially crafted input to a merge request endpoint under certain conditions.	GitLab
CVE-2026-1662	Feb 25, 2026	GitLab CE/EE Jira Events DoS (18.7.5|18.8.5|18.9.1) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.4 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause Denial of Service by sending specially crafted requests to the Jira events endpoint.	GitLab
CVE-2026-1747	Feb 25, 2026	GitLab EE <18.7.5/18.8.5/18.9.1: Devs alter protected Conan packages GitLab has remediated an issue in GitLab EE affecting all versions from 17.11 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that, under certain conditions, could have allowed Developer-role users with insufficient privileges to make unauthorized modifications to protected Conan packages.	GitLab
CVE-2026-1725	Feb 25, 2026	GitLab CE/EE: Unauth DoS via CI Jobs API (before 18.9.1) GitLab has remediated an issue in GitLab CE/EE affecting versions from 18.9 before 18.9.1 that could have under certain conditions, allowed an unauthenticated user to cause denial of service by sending specially crafted requests to a CI jobs API endpoint.	GitLab
CVE-2026-2845	Feb 25, 2026	GitLab CE/EE DOS via Bitbucket Import Endpoint (before 18.9.1) An issue has been discovered in GitLab CE/EE affecting all versions from 11.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an authenticated user to cause denial of service by exploiting a Bitbucket Server import endpoint via repeatedly sending large responses.	GitLab
CVE-2025-3525	Feb 25, 2026	GitLab CE/EE DoS via crafted CI API triggers (v9.0 - 18.9.*) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.0 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have, under certain circumstances, allowed an authenticated user with certain access to cause Denial of Service by creating specially crafted CI triggers via the API.	GitLab
CVE-2025-14103	Feb 25, 2026	GitLab CE/EE Unauthorized Pipeline Variable Set for Manual Jobs (v17.7-18.9) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthorized user with Developer-role permissions to set pipeline variables for manually triggered jobs under certain conditions.	GitLab
CVE-2025-7659	Feb 11, 2026	Unauthenticated Token Theft via GitLab Web IDE 18.2-18.8 (pre-18.6.6/18.7.4/18.8.4) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to steal tokens and access private repositories by abusing incomplete validation in the Web IDE.	GitLab
CVE-2025-8099	Feb 11, 2026	GitLab CE/EE <18.6.6/18.7.4/18.8.4: Unauth DoS via GraphQL GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.8 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries.	GitLab
CVE-2025-12073	Feb 11, 2026	GitLab SSRF via Import API (v18.0-18.6.5, v18.7-18.7.3, v18.8-18.8.3) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to perform server-side request forgery against internal services by bypassing protections in the Git repository import functionality.	GitLab
CVE-2025-12575	Feb 11, 2026	GitLab EE 18.x internal network request flaw before 18.8.4 GitLab has remediated an issue in GitLab EE affecting all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user with certain permissions to make unauthorized requests to internal network services through the GitLab server.	GitLab
CVE-2025-14560	Feb 11, 2026	Unauth Action Exploit in GitLab CE/EE before v18.7.4 via Code Flow Injection GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized actions on behalf of another user by injecting malicious content into vulnerability code flow.	GitLab
CVE-2025-14594	Feb 11, 2026	GitLab API Disclosure of Pipeline Values (before 18.6.6/18.7.4/18.8.4) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to view certain pipeline values by querying the API.	GitLab
CVE-2025-14592	Feb 11, 2026	GitLab Auth PE via GraphQL API (CVE-2025-14592) before 18.6.6/18.7.4/18.8.4 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized operations by submitting GraphQL mutations through the GLQL API endpoint.	GitLab
CVE-2026-0595	Feb 11, 2026	GitLab CE/EE HTML Injection Allows Unauthorized Email Additions (CVE-2026-0595) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to add unauthorized email addresses to victim accounts through HTML injection in test case titles.	GitLab
CVE-2026-0958	Feb 11, 2026	GitLab 18.418.6.5/18.718.7.3/18.818.8.3: Unauth DOS via JSON Validation Bypass GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to cause denial of service through memory or CPU exhaustion by bypassing JSON validation middleware limits.	GitLab
CVE-2026-1080	Feb 11, 2026	GitLab EE <=18.6.6 Auth. Access to Private Iterations API GitLab has remediated an issue in GitLab EE affecting all versions from 16.7 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to access iteration data from private descendant groups by querying the iterations API endpoint.	GitLab
CVE-2026-1094	Feb 11, 2026	GitLab CE/EE <18.8.4: Authenticated Devs Hide File Changes via WebUI GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.8 before 18.8.4 that could have allowed an authenticated developer to hide specially crafted file changes from the WebUI.	Gitaly
CVE-2026-1282	Feb 11, 2026	GitLab 18.6-18.8 Authenticated Label Title Injection GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to inject malicious content into project labels titles.	GitLab
CVE-2026-1387	Feb 11, 2026	GitLabEE DoS via Malicious GraphQL File Upload (15.618.6.6, 18.718.7.4, 18.818.8.4) GitLab has remediated an issue in GitLab EE affecting all versions from 15.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to cause Denial of Service by uploading a malicious file and repeatedly querying it through GraphQl.	GitLab
CVE-2026-1456	Feb 11, 2026	GitLab CE/EE 18.7-18.8.4 DoS via Markdown Exponential CPU GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to cause denial of service through CPU exhaustion by submitting specially crafted markdown files that trigger exponential processing in markdown preview.	GitLab