GitLab product security update advisory

Overview

 

GitLab has released security updates to fix vulnerabilities in its products. Users of affected products are advised to update to the latest version.

 

 

Affected Products

 

CVE-2025-13929

 

GitLab CE/EE versions: 10.0 and above but below 18.7.6
GitLab CE/EE versions: 18.8 and above but below 18.8.6
GitLab CE/EE versions: 18.9 and above but below 18.9.2

 

CVE-2025-14513

 

GitLab CE/EE versions: 16.11 and above but below 18.7.6
GitLab CE/EE versions: 18.8 and above but below 18.7.6
GitLab CE/EE versions: 18.9 and above but below 18.9.2

 

CVE-2026-1069

 

GitLab CE/EE versions: 18.9 and above but below 18.9.2

 

CVE-2026-1090

 

GitLab CE/EE versions: 10.6 and above but below 18.7.6
GitLab CE/EE versions: 18.8 and above but below 18.8.6
GitLab CE/EE versions: 18.9 and above but below 18.9.2

 

 

Resolved Vulnerabilities

 

Denial of service vulnerability in the repository archive endpoint in GitLab CE/EE (CVE-2025-13929)
Denial of Service vulnerability in the Protected Branches API in GitLab CE/EE (CVE-2025-14513)
Denial of Service vulnerability in the GraphQL API in GitLab CE/EE (CVE-2026-1069)
Cross-site scripting vulnerability in Markdown placeholder handling in GitLab CE/EE (CVE-2026-1090)

 

 

Vulnerability Patches

 

Vulnerability patches have been made available in the latest update. Please follow the instructions on the Referenced Sites to update to the latest version of Vulnerability Patches.

 

CVE-2025-13929, CVE-2025-14513, CVE-2026-1069, CVE-2026-1090

 

GitLab CE/EE version: 18.7.6
GitLab CE/EE version: 18.8.6
GitLab CE/EE version: 18.9.2

 

 

References

 

[1] GitLab Patch Release: 18.9.2, 18.8.6, 18.7.6
https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/