GitLab product security update advisory

overview

We have released security updates to address vulnerabilities in GitLab products. users of affected products are encouraged to update to the latest version.

affected products

CVE-2026-2995

GitLab EE Version: 15.4 and above but below 18.8.7
GitLab EE Version: 18.9 and above but below 18.9.3
GitLab EE version: 18.10 or later but not earlier than 18.10.1

CVE-2026-3857

GitLab CE/EE Version: 17.0 or later but not earlier than 18.8.7
GitLab CE/EE Version: 18.9 or later but not earlier than 18.9.3
GitLab CE/EE Version: 18.10 or later but not earlier than 18.10.1

CVE-2026-3988

GitLab CE/EE Versions: 18.5 and later but not earlier than 18.8.7
GitLab CE/EE Version: 18.9 or later but not earlier than 18.9.3
GitLab CE/EE Version: 18.10 or later but not earlier than 18.10.1

resolved vulnerabilities

HTML injection vulnerability in GitLab EE (CVE-2026-2995)
Cross-site request forgery vulnerability in the GLQL API in GitLab CE/EE (CVE-2026-3857)
Denial of Service Vulnerability in the GraphQL API in GitLab CE/EE (CVE-2026-3988)

vulnerability patches

Vulnerability patches have been made available in the latest update. please follow the instructions on the reference site to update to the latest version of the vulnerability patch.

CVE-2026-2995

GitLab EE version: 18.8.7
GitLab EE version: 18.9.3
GitLab EE version: 18.10.1

Cve-2026-3857, cve-2026-3988

GitLab CE/EE Version: 18.8.7
GitLab CE/EE version: 18.9.3
GitLab CE/EE version: 18.10.1

references

[1] GitLab Patch Release: 18.10.1, 18.9.3, 18.8.7
https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/