GitLab product security update advisory

overview

We have released security updates that address vulnerabilities in GitLab products. users of affected products are encouraged to update to the latest version.

affected products

CVE-2025-12664

GitLab CE/EE Version: 13.0 and above but below 18.8.9
GitLab CE/EE Versions: 18.9 and above but below 18.9.5
GitLab CE/EE Version: 18.10 or later but not earlier than 18.10.3

CVE-2026-1092

GitLab CE/EE Versions: 12.10 and later but not earlier than 18.8.9
GitLab CE/EE Versions: 18.9 and later but not earlier than 18.9.5
GitLab CE/EE Version: 18.10 or later but not earlier than 18.10.3

resolved vulnerabilities

Denial of service vulnerability in the GraphQL API in GitLab CE/EE (CVE-2025-12664)
Denial of service vulnerability in the Terraform state lock API in GitLab CE/EE (CVE-2026-1092)

vulnerability patches

Vulnerability patches have been made available in the latest update. please follow the instructions on the reference site to update to the latest version of the vulnerability patch.

Cve-2025-12664, cve-2026-1092

GitLab CE/EE version: 18.8.9
GitLab CE/EE version: 18.9.5
GitLab CE/EE version: 18.10.3

references

[1] GitLab Patch Release: 18.10.3, 18.9.5, 18.8.9
https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/