
[CIVN-2026-0057] Multiple Vulnerabilities in Gitlab
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
GitLab versions prior to 18.8.2, 18.7.2 and 18.6.4 of GitLab Community Edition (CE) and Enterprise Edition (EE)
Overview
Multiple vulnerabilities have been reported in GitLab that could be exploited by an attacker to bypass authentication and cause denial of service conditions on the targeted system.
Target Audience:
All organizations and individuals using GitLab.
Risk Assessment:
Risk of cross site scripting attacks, remote code execution, authentication bypass, privilege escalation, unauthorized access, data manipulation, session compromise and disruption of services.
Impact Assessment:
Potential for sensitive data theft, confidential information disclosure, system compromise, loss of data integrity and denial-of-service impacting business operations.
Description
GitLab is a web-based DevOps platform that provides tools for software development, including source code management, continuous integration and continuous deployment. It is available in both open-source Community Edition (CE) and Enterprise Edition (EE) versions.
Multiple vulnerabilities exist in GitLab due to improper input validation, incorrect authorization checks, unchecked return values, and insufficient safeguards against malformed or repeated requests across multiple components. An attacker could exploit these vulnerabilities by sending specially crafted requests to the targeted system.
Successful exploitation of these vulnerabilities could allow an attacker to bypass security restrictions, cause denial of service conditions or conduct session hijacking on the targeted system.
Solution
Apply the appropriate updates as described in the vendor's patch release notes:
https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/
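To check an instance inventory against the affected ranges in "Software Affected" above, an added example (not part of the CERT-In advisory or of GitLab) that classifies version strings branch by branch: a version is affected if it predates the fixed release on its own 18.x branch, or if it sits on an older branch that never received the fix. The inventory names and versions are constructed.

```python
"""Added example: map GitLab version strings onto the advisory's affected ranges."""
import re

# Fixed versions named in the advisory, one per maintained release branch.
FIXED_VERSIONS = ((18, 8, 2), (18, 7, 2), (18, 6, 4))


def parse_version(text):
    """Parse 'X.Y.Z' (a suffix such as '-ee' is ignored) into an int tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    """True if the version is older than the fix on its own major.minor branch,
    or lies on a branch older than every fixed release (never patched)."""
    v = parse_version(version_text)
    for fixed in FIXED_VERSIONS:
        if v[:2] == fixed[:2]:        # same branch as a fixed release
            return v < fixed
    # No fixed release on this branch: older branches are affected,
    # branches newer than 18.8 were cut after the fix and are not.
    return v < min(FIXED_VERSIONS)


def triage(inventory):
    """Return {instance: 'PATCH NEEDED' | 'ok'} for a {instance: version} dict."""
    return {name: ("PATCH NEEDED" if is_affected(ver) else "ok")
            for name, ver in inventory.items()}


# Constructed sample inventory (hypothetical instance names, not real hosts).
SAMPLE_INVENTORY = {
    "gitlab-prod": "18.8.1-ee",
    "gitlab-staging": "18.7.2-ee",
    "gitlab-legacy": "18.5.3",
    "gitlab-lab": "18.9.0-ce",
}

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:15} {SAMPLE_INVENTORY[name]:12} {status}")
```

Version strings can be taken from the instance's `/api/v4/version` endpoint or the admin UI; any value without a leading `X.Y.Z` raises instead of being silently marked "ok".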
Vendor Information
Gitlab
https://about.gitlab.com/
References
https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/
CVE Name
CVE-2025-13927
CVE-2025-13928
CVE-2026-0723
CVE-2025-13335
CVE-2026-1102
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003