Severity
High
Analysis Summary
GitLab has released security patches addressing ten vulnerabilities across its Community Edition (CE) and Enterprise Edition (EE). Versions 18.6.2, 18.5.4, and 18.4.6 resolve several high-severity issues, and self-managed installations should upgrade without delay. GitLab.com is already running the patched code, but self-managed instances on earlier versions remain exposed.
Of the ten vulnerabilities, four are rated high, five medium, and one low. The high-severity flaws are cross-site scripting (XSS) and improper-encoding issues in the Wiki, in vulnerability reports, and in the Swagger UI, each with a high CVSS score. Exploiting them could let an attacker run script in another user's browser session and perform actions on that user's behalf.
The medium-severity issues include an authentication bypass affecting users with WebAuthn two-factor authentication, and three denial-of-service (DoS) vulnerabilities in GraphQL endpoints, ExifTool processing, and the Commit API; these could let unauthenticated attackers disrupt service or bypass security controls. The remaining issues, information disclosure via error messages and HTML injection in merge request titles, are less severe but should still be remediated.
The patch releases include database migrations. On a single-node instance the upgrade involves downtime; multi-node deployments that meet GitLab's prerequisites can use the zero-downtime upgrade procedure. Treat these releases as routine security hygiene and prioritise them to limit the window for exploitation. Exact affected version ranges, patch notes, and upgrade instructions are in GitLab's official release documentation.
Impact
- Cross-site Scripting
- Security Bypass
- Denial of Service
- Gain Access
Indicators of Compromise
CVE
- CVE-2025-12716
- CVE-2025-8405
- CVE-2025-12029
- CVE-2025-12562
- CVE-2025-11984
- CVE-2025-4097
- CVE-2025-14157
- CVE-2025-11247
- CVE-2025-13978
- CVE-2025-12734
Affected Vendors
- GitLab
Remediation
- Upgrade self-managed GitLab CE/EE to 18.6.2, 18.5.4, or 18.4.6, whichever matches the minor version you run. Instances on older minor branches should follow GitLab's supported upgrade path to one of these patched releases.
- All ten issues are fixed by the upgrade itself: the XSS and improper-encoding issues in the Wiki, vulnerability reports, and Swagger UI; the WebAuthn two-factor authentication bypass; the DoS conditions in GraphQL endpoints, ExifTool processing, and the Commit API; and the information disclosure via error messages and HTML injection in merge request titles.
- Plan for the database migrations: single-node instances will have downtime, so schedule a maintenance window; multi-node deployments should follow GitLab's zero-downtime upgrade procedure.
- Fold these releases into routine patch management so that future patch releases are applied promptly.
- Consult the official GitLab release documentation for the affected version ranges and detailed upgrade instructions.
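The first remediation step is knowing which of the three patched releases applies to each instance. The script below is an added example, not GitLab's own tooling: it maps an installed version onto the fixed release for its minor branch (18.6.2, 18.5.4, 18.4.6), flags branches the advisory does not cover, and decodes the JSON body that GitLab's `GET /api/v4/version` endpoint returns. The sample API body is constructed for the example; the status names (`patched`, `vulnerable`, `unsupported_branch`, `not_covered`) are this script's own, not GitLab's.

```python
"""Version check for the GitLab releases named in this advisory.

Added example, not GitLab's own tooling. It compares an installed version
against the patched release for its minor branch and decodes the JSON
returned by GET /api/v4/version.
"""
import json
import re
from typing import Dict, Optional, Tuple

# Patched release per minor branch, taken from the advisory.
PATCHED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (18, 6): (18, 6, 2),
    (18, 5): (18, 5, 4),
    (18, 4): (18, 4, 6),
}

# GitLab reports versions such as "18.5.3", "18.5.3-ee" or "18.6.0-pre";
# only the numeric prefix matters for the comparison.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) from a GitLab version string."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return major, minor, patch


def fmt(version: Tuple[int, int, int]) -> str:
    """Render a version tuple as dotted text, e.g. (18, 6, 2) -> "18.6.2"."""
    return ".".join(str(part) for part in version)


def assess(version_text: str) -> Dict[str, Optional[str]]:
    """Classify an installed version against the advisory's fixed releases.

    status is one of:
      patched            - at or above the fixed release for its branch
      vulnerable         - below the fixed release; upgrade_to names it
      unsupported_branch - older than 18.4, which received no patch; move
                           along GitLab's supported upgrade path to a
                           patched branch (18.4.6 is the oldest)
      not_covered        - newer than 18.6, outside this advisory's scope
    """
    installed = parse_version(version_text)
    branch = installed[:2]
    oldest_branch = min(PATCHED)
    if branch in PATCHED:
        target = PATCHED[branch]
        if installed >= target:
            return {"version": version_text, "status": "patched", "upgrade_to": None}
        return {"version": version_text, "status": "vulnerable", "upgrade_to": fmt(target)}
    if branch < oldest_branch:
        return {"version": version_text, "status": "unsupported_branch",
                "upgrade_to": fmt(PATCHED[oldest_branch])}
    return {"version": version_text, "status": "not_covered", "upgrade_to": None}


def assess_api_response(body: str) -> Dict[str, Optional[str]]:
    """Assess the JSON body of GET /api/v4/version.

    In practice the request needs an authenticated token; the body is passed
    in here so the check runs offline.
    """
    data = json.loads(body)
    return assess(data["version"])


if __name__ == "__main__":
    # Constructed sample response, not captured from a real instance.
    sample = '{"version": "18.5.3-ee", "revision": "0123abcd"}'
    print(assess_api_response(sample))
    for candidate in ("18.6.2", "18.4.5", "18.3.9", "18.7.0"):
        print(assess(candidate))
```

To feed a live instance into `assess_api_response`, fetch the body with an authenticated request such as `curl --header "PRIVATE-TOKEN: <token>" https://gitlab.example.com/api/v4/version` (the hostname is a placeholder). An instance reported as `unsupported_branch` cannot jump straight to 18.4.6 in every case; GitLab's documented upgrade path may require intermediate stops, which this check does not model.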

