[CIVN-2026-0262] Multiple Vulnerabilities in GitLab
Multiple Vulnerabilities in GitLab
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
GitLab Community Edition (CE) and Enterprise Edition (EE) versions prior to 18.9.7, 18.10.6, and 18.11.3
Overview
Multiple vulnerabilities have been reported in GitLab CE/EE which could allow an attacker to execute arbitrary code, cause a denial of service (DoS) condition, bypass security restrictions and gain access to sensitive information on the targeted system.
Target Audience:
Organizations and individuals using GitLab CE/EE instances.
Risk Assessment:
High risk of full system compromise, system instability and sensitive information disclosure.
Impact Assessment:
Potential for unauthorized access and full system compromise.
Description
GitLab is a web-based DevOps platform that provides tools for software development, including source code management, continuous integration and continuous deployment. It is available in both an open-source Community Edition (CE) and an Enterprise Edition (EE).
These vulnerabilities exist in the GitLab Community Edition (CE) and Enterprise Edition (EE) due to improper input validation, improper authorization checks, missing CSRF protections, and inadequate access control mechanisms in various components. An attacker could exploit these vulnerabilities by sending specially crafted requests.
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, cause a denial of service (DoS) condition, bypass security restrictions and gain access to sensitive information on the targeted system.
Solution
Apply appropriate updates as mentioned by the vendor:
https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-11-3-released/
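As an added illustration that is not part of the CERT-In advisory, the following Python helper decides whether an instance's reported GitLab version string falls in the affected range stated above, checking each release branch (18.9, 18.10, 18.11) against its own first fixed release and treating any older branch as unpatched. The three fixed versions come from the advisory; the function names and the sample inventory are my own.

```python
# Added example (not from the CERT-In advisory): classify a GitLab version
# string against the advisory's affected range. The fixed releases are the
# advisory's; the helper names and sample inventory below are constructed.
from typing import Optional, Tuple

# First fixed release on each affected release branch, per the advisory.
FIXED_RELEASES = {
    (18, 9): (18, 9, 7),
    (18, 10): (18, 10, 6),
    (18, 11): (18, 11, 3),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH', tolerating an '-ee'/'-ce' suffix such as '18.10.5-ee'."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_affected(text: str) -> bool:
    """True if the version is one the advisory lists as affected."""
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_RELEASES:
        # On a patched branch: affected only if below that branch's first fix.
        return version < FIXED_RELEASES[branch]
    # Branches older than 18.9 never received the fix; newer branches
    # (18.12 onward) lie outside the range the advisory states.
    return branch < min(FIXED_RELEASES)


def recommended_upgrade(text: str) -> Optional[str]:
    """Fixed release on the instance's own branch, or the newest fix for older branches."""
    if not is_affected(text):
        return None
    branch = parse_version(text)[:2]
    target = FIXED_RELEASES.get(branch, FIXED_RELEASES[max(FIXED_RELEASES)])
    return ".".join(map(str, target))


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v in ["18.9.6-ee", "18.10.6", "18.11.2-ce", "18.8.4", "18.12.0"]:
        status = "affected" if is_affected(v) else "not affected"
        print(f"{v:12} {status:13} upgrade to: {recommended_upgrade(v)}")
```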
Vendor Information
GitLab
https://docs.gitlab.com/releases/patches/
References
https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-11-3-released/
CVE Name
CVE-2025-12669
CVE-2025-13874
CVE-2025-14869
CVE-2025-14870
CVE-2026-1184
CVE-2026-1322
CVE-2026-1338
CVE-2026-1659
CVE-2026-2900
CVE-2026-3073
CVE-2026-3074
CVE-2026-3160
CVE-2026-3607
CVE-2026-4524
CVE-2026-4527
CVE-2026-5297
CVE-2026-6063
CVE-2026-6073
CVE-2026-6335
CVE-2026-6883
CVE-2026-7377
CVE-2026-7471
CVE-2026-7481
CVE-2026-8144
CVE-2026-8280
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003