GitLab GitLab Version Control Server

Known Exploited GitLab Vulnerabilities

The following GitLab vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

The vulnerability CVE-2023-7028: GitLab Community and Enterprise Editions Improper Access Control Vulnerability is in the top 1% of the currently known exploitable vulnerabilities.

By the Year

In 2026 there have been 13 vulnerabilities in GitLab with an average score of 6.7 out of ten. Last year, in 2025 GitLab had 162 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in GitLab in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.65.

Recent GitLab Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2025-13928	Jan 22, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to cause a denial of service condition by exploiting incorrect authorization validation in API endpoints.	GitLab
CVE-2025-13927	Jan 22, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a denial of service condition by sending crafted requests with malformed authentication data.	GitLab
CVE-2026-0723	Jan 22, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an individual with existing knowledge of a victim's credential ID to bypass two-factor authentication by submitting forged device responses.	GitLab
CVE-2026-1102	Jan 22, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a denial of service condition by sending repeated malformed SSH authentication requests.	GitLab
CVE-2025-13335	Jan 22, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that under certain circumstances could have allowed an authenticated user to create a denial of service condition by configuring malformed Wiki documents that bypass cycle detection.	GitLab
CVE-2025-11224	Jan 14, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes proxy functionality.	GitLab
CVE-2025-3950	Jan 09, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed a user to leak certain information by referencing specially crafted images that bypass asset proxy protection.	GitLab
CVE-2025-9222	Jan 09, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown.	GitLab
CVE-2025-10569	Jan 09, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to create a denial of service condition by providing crafted responses to external API calls.	GitLab
CVE-2025-11246	Jan 09, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user with specific permissions to remove all project runners from unrelated projects by manipulating GraphQL runner associations.	GitLab
CVE-2025-13772	Jan 09, 2026	GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to access and utilize AI model settings from unauthorized namespaces by manipulating namespace identifiers in API requests.	GitLab
CVE-2025-13761	Jan 09, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to visit a specially crafted webpage.	GitLab
CVE-2025-13781	Jan 09, 2026	GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to modify instance-wide AI feature provider settings by exploiting missing authorization checks in GraphQL mutations.	GitLab
CVE-2025-12029	Dec 11, 2025	GitLab < 18.4.6 / 18.5.4 / 18.6.2 - Swagger UI External Script Injection GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have, under certain circumstances, allowed an unauthenticated user to perform unauthorized actions on behalf of another user by injecting malicious external scripts into the Swagger UI."	GitLab
CVE-2025-12734	Dec 11, 2025	GitLab CE/EE Merge Request Title Leak (18.4.6, 18.5.4, 18.6.2) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to, under certain conditions, render content in dialogs to other users by injecting malicious HTML content into merge request titles.	GitLab
CVE-2025-4097	Dec 11, 2025	GitLab CE/EE DoS via Authenticated Image Upload before 18.4.6/18.5.4/18.6.2 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a denial of service condition by uploading specially crafted images.	GitLab
CVE-2025-8405	Dec 11, 2025	GitLab CE/EE Authenticated XSS 17.1-18.6.2 Unauthorized Actions GitLab has remediated a security issue in GitLab CE/EE affecting all versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to perform unauthorized actions on behalf of other users by injecting malicious HTML into vulnerability code flow displays.	GitLab
CVE-2025-11247	Dec 11, 2025	GitLab EE: Authenticated GQL Disclosure (v13.218.6.1) GitLab has remediated an issue in GitLab EE affecting all versions from 13.2 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to disclose sensitive information from private projects by executing specifically crafted GraphQL queries.	GitLab
CVE-2025-11984	Dec 11, 2025	GitLab WebAuthn 2FA Bypass via Session Manipulation v13-18.4.5/18.5-18.5.3/18.6-18.6.1 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain conditions.	GitLab
CVE-2025-12562	Dec 11, 2025	DOS via GraphQL Complexity Bypass in GitLab CE/EE 11.10-18.6 pre-18.4.6 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an unauthenticated user to create a denial of service condition by sending crafted GraphQL queries that bypass query complexity limits.	GitLab
CVE-2025-12716	Dec 11, 2025	GitLab CE/EE Wiki Auth Escalation 18.418.6 (pre18.4.6/18.5.4/18.6.2) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that, under certain conditions could have allowed an authenticated user to perform unauthorized actions on behalf of another user by creating wiki pages with malicious content.	GitLab
CVE-2025-13978	Dec 11, 2025	GitLab API Private Project Name Disclosure (v17.518.6.2) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.5 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to discover the names of private projects they do not have access through API requests.	GitLab
CVE-2025-14157	Dec 11, 2025	GitLab CE/EE DoS via API Calls in v6.318.x fixed in 18.4.6, 18.5.4, 18.6.2 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 6.3 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a Denial of Service condition by sending crafted API calls with large content parameters.	GitLab
CVE-2024-9183	Dec 05, 2025	GitLab CE/EE < 18.4.5 Credential Leak via Authenticated Access (CVE-2024-9183) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 prior to 18.4.5, 18.5 prior to 18.5.3, and 18.6 prior to 18.6.1 that could have allowed an authenticated user to obtain credentials from higher-privileged users and perform actions in their context under specific conditions.	GitLab
CVE-2025-6195	Nov 26, 2025	Info Disclosure via Security Reports in GitLab EE pre-18.4.5/18.5.3/18.6.1 GitLab has remediated an issue in GitLab EE affecting all versions from 13.7 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user to view information from security reports under certain configuration conditions.	GitLab
CVE-2025-7449	Nov 26, 2025	GitLab CE/EE DoS via HTTP response (auth) pre-18.4.5/18.5.3/18.6.1 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user with specific permissions to cause a denial of service condition through HTTP response processing.	GitLab
CVE-2025-12571	Nov 26, 2025	GitLab CE/EE Denial of Service via Malicious JSON (Unauthenticated Exploit) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an unauthenticated user to cause a Denial of Service condition by sending specifically crafted requests containing malicious JSON payloads.	GitLab
CVE-2025-12653	Nov 26, 2025	GitLab CE/EE Unauth Org Join via Header Manipulation (pre18.6.1) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that under specific conditions could have allowed an unauthenticated user to join arbitrary organizations by changing headers on some requests.	GitLab
CVE-2025-13611	Nov 26, 2025	GitLab CE/EE Log Auth Token Leak (v13.2-18.4.5, 18.5-18.5.3, 18.6-18.6.1) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user with access to certain logs to obtain sensitive tokens under specific conditions.	GitLab
CVE-2025-9825	Nov 21, 2025	GitLab GraphQL API: Unauthorized View of CI/CD Vars (13.7-18.3.3, 18.4-18.4.1) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 to 18.2.8, 18.3 before 18.3.4, and 18.4 before 18.4.2 that could have allowed authenticated users without project membership to view sensitive manual CI/CD variables by querying the GraphQL API.	GitLab
CVE-2025-12983	Nov 15, 2025	GitLab CE/EE: Authenticated DoS via Nested Markdown (pre18.4.4) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to cause a denial of service condition by submitting specially crafted markdown content with nested formatting patterns.	GitLab
CVE-2025-2615	Nov 15, 2025	GitLab GraphQL WebSocket info leak CVE-2025-2615 (18.3.6, 18.4.4, 18.5.2) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2, that could have allowed a blocked user to access sensitive information by establishing GraphQL subscriptions through WebSocket connections.	GitLab
CVE-2025-6945	Nov 15, 2025	GitLab EE Info Leak via MR Comment Prompts (17.8-<18.3.6, 18.4-<18.4.4, 18.5-<18.5.2) GitLab has remediated an issue in GitLab EE affecting all versions from 17.8 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to leak sensitive information from confidential issues by injecting hidden prompts into merge request comments.	GitLab
CVE-2025-6171	Nov 15, 2025	GitLab CE/EE Reporter Privilege Leak via Packages API v13.2-18.5.1 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker with reporter access to view branch names and pipeline details by accessing the packages API endpoint even when repository access was disabled.	GitLab
CVE-2025-7000	Nov 15, 2025	GitLab CE/EE Branch Name Disclosure (17.618.5.x, pre18.3.6, pre18.4.4, pre18.5.2) An issue has been discovered in GitLab CE/EE affecting all versions from 17.6 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2, that, under specific conditions, could have allowed unauthorized users to view confidential branch names by accessing project issues with related merge requests.	GitLab
CVE-2025-7736	Nov 15, 2025	GitLab CE/EE Auth Bypass via OAuth (17.918.5.x) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to bypass access control restrictions and view GitLab Pages content intended only for project members by authenticating through OAuth providers.	GitLab
CVE-2025-11865	Nov 15, 2025	GitLab EE Before 18.3.6/18.4.4/18.5.2: Remote Removal of Duo Flows An issue has been discovered in GitLab EE affecting all versions from 18.1 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that, under certain circumstances, could have allowed an attacker to remove Duo flows of another user.	GitLab
CVE-2025-11990	Nov 15, 2025	GitLab EE CSRF token leak via repo refs (18.4<18.4.4,18.5<18.5.2) GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to gain CSRF tokens by exploiting improper input validation in repository references combined with redirect handling weaknesses.	GitLab
CVE-2025-11702	Oct 29, 2025	Auth Hijack of Project Runners in GitLab EE <18.3.5/18.4.3/18.5.1 GitLab has remediated an issue in EE affecting all versions from 17.1 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker with specific permissions to hijack project runners from other projects.	GitLab
CVE-2025-6601	Oct 27, 2025	GitLab EE 18.4/18.5: Authenticated users get unauthorized project access via approval workflow GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.3, and 18.5 before 18.5.1 that under certain conditions could have allowed authenticated users to gain unauthorized project access by exploiting the access request approval workflow.	GitLab
CVE-2025-10497	Oct 27, 2025	GitLab CE/EE DoS via crafted payloads before 18.5.1 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an unauthenticated attacker to cause a denial of service condition by sending specially crafted payloads.	GitLab
CVE-2025-11971	Oct 27, 2025	GitLab EE V10.6-18.5.0 Unauthorized Pipeline Exec (CVE-2025-11971) GitLab has remediated an issue in GitLab EE affecting all versions from 10.6 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker to trigger unauthorized pipeline executions by manipulating commits.	GitLab
CVE-2025-11974	Oct 27, 2025	GitLab Denial of Service via Large File Upload - Fixed in 18.3.5, 18.4.3, 18.5.1 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.7 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an unauthenticated attacker to create a denial of service condition by uploading large files to specific API endpoints.	GitLab
CVE-2025-11447	Oct 27, 2025	GitLab CE/EE <18.3.5/18.4.3/18.5.1: Unauth GraphQL DDOS via crafted JSON GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.0 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an unauthenticated attacker to cause a denial of service condition by sending GraphQL requests with crafted JSON payloads.	GitLab
CVE-2025-11989	Oct 26, 2025	GitLab EE: Unauthorized Quick Actions via Malicious Commands v17.6.0-18.5.1 GitLab has remediated an issue in GitLab EE affecting all versions from 17.6.0 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker to execute unauthorized quick actions by including malicious commands in specific descriptions.	GitLab
CVE-2025-10004	Oct 09, 2025	GitLab GraphQL Large-Blob Query DoS (CE/EE 13.1218.4.x) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.12 to 18.2.8, 18.3 to 18.3.4, and 18.4 to 18.4.2 that could make the GitLab instance unresponsive or severely degraded by sending crafted GraphQL queries requesting large repository blobs.	GitLab
CVE-2025-11340	Oct 09, 2025	GitLab EE 18.318.4.2: Authenticated Read-Only API Tokens Exploit GraphQL GitLab has remediated an issue in GitLab EE affecting all versions from 18.3 to 18.3.4, 18.4 to 18.4.2 that, under certain conditions, could have allowed authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records by exploiting incorrectly scoped GraphQL mutations.	GitLab
CVE-2025-2934	Oct 09, 2025	GitLab CE/EE 18.4.2 Authenticated DoS via Malicious Webhook GitLab has remediated an issue in GitLab CE/EE affecting all versions from 5.2 prior to 18.2.8, 18.3 prior to 18.3.4, and 18.4 prior to 18.4.2 that could have allowed an authenticated attacker to create a denial of service condition by configuring malicious webhook endpoints that send crafted HTTP responses.	GitLab
CVE-2025-8014	Sep 27, 2025	GitLab Denial of Service via GraphQL Complexity Limits (v<18.2.7/18.3.3/18.4.1) Denial of Service issue in GraphQL endpoints in Gitlab EE/CE affecting all versions from 11.10 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1 allows unauthenticated users to potentially bypass query complexity limits leading to resource exhaustion and service disruption.	GitLab
CVE-2025-11042	Sep 26, 2025	GitLab CE/EE 17.218.4 GraphQL CPU DoS Vulnerability An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition while using specific GraphQL queries.	GitLab