
GitLab Patches Multiple Duo AI, DoS, and Authorization Flaws in Community and Enterprise Edition


GitLab has released emergency security updates for both Community Edition (CE) and Enterprise Edition (EE), addressing multiple Duo AI, denial‑of‑service, and authorization flaws in recent versions of the platform.

On May 27, 2026, GitLab shipped versions 19.0.1, 18.11.4, and 18.10.7 as security patch releases for self‑managed instances.

These builds fix several vulnerabilities across Duo AI workflow runners, the Wiki component, GraphQL WorkItem APIs, operations, pipelines, and authentication endpoints, and GitLab is urging all administrators to upgrade without delay.

GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take any action.

GitLab Fixes Duo AI, DoS Flaws

The most severe issue is a high‑impact access control flaw in Duo AI workflow runners, tracked as CVE‑2026‑4868, which affects GitLab EE from 18.8 up to but not including 18.10.7, 18.11.4, and 19.0.1.

Under specific conditions, an authenticated user could cause certain Duo AI workflows to execute under another user’s identity because the workflow runner resolved the acting user’s identity incorrectly; the flaw carries a CVSS 3.1 score of 8.2.

This could enable lateral movement or privilege abuse within AI‑assisted workflows if left unpatched.

GitLab also fixed a denial‑of‑service vulnerability in the Wiki component, tracked as CVE‑2026‑1402, which affects GitLab CE/EE from 17.1 up to the unpatched releases on the 18.10, 18.11, and 19.0 branches.

Due to insufficient input validation, an authenticated user could craft Wiki content that exhausts server resources and renders the Wiki unavailable; the issue is rated CVSS 6.5.

In parallel, CVE‑2026‑6713 addresses incorrect authorization checks in the GraphQL WorkItem API that could allow unauthenticated users to enumerate private projects under certain conditions, rated 5.3 on the CVSS scale.

Several medium‑severity authorization issues have also been resolved in GitLab EE operations and Duo features.

CVE‑2026‑5296 fixes improper authorization in the Duo Workflows API that could let a developer‑role user bypass flow restrictions when foundational flows are enabled at the group level.

CVE‑2026‑2601 corrects missing authorization checks that could expose sensitive deployment data to developer‑level users.

Additionally, CVE‑2026‑8716 corrects an incorrect name resolution behavior in pipelines that could allow access to CI data from a different ref type.

CVE‑2026‑2710 ensures that blocked Project Access Tokens cannot access private resources via certain authentication endpoints.

All of these flaws are remediated in versions 19.0.1, 18.11.4, and 18.10.7, which also bundle multiple stability and performance backports, including updates to zlib, nginx, Mattermost, Elasticsearch indexer, and GitLab Shell.

The updates do not introduce new database migrations and, in typical multi‑node deployments, can be rolled out without downtime when following GitLab’s zero‑downtime guidance.

Organizations running affected versions are strongly advised to prioritize upgrades, monitor their instances for abuse of Duo AI or Wiki features, and align with GitLab’s published best practices for securing self‑managed deployments.
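The version ranges quoted above are the data an administrator needs for a first triage of a fleet of self‑managed instances. The script below is an added example, not GitLab’s code or anything from the advisory: it encodes the patched releases (19.0.1, 18.11.4, 18.10.7) and the two affected ranges the article gives lower bounds for (CVE‑2026‑4868 from 18.8, EE only; CVE‑2026‑1402 from 17.1, CE and EE), then reports which instances still need an upgrade and which of those two CVEs apply. It assumes version strings of the form `X.Y.Z` with an optional `-ee` suffix (plain `X.Y.Z` is treated as CE), and it treats the oldest patched release, 18.10.7, as the upgrade floor for branches older than 18.10; the `INVENTORY` entries are constructed sample data.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Patched releases named in the advisory, keyed by minor branch.
PATCHED: Dict[Tuple[int, int], Version] = {
    (19, 0): (19, 0, 1),
    (18, 11): (18, 11, 4),
    (18, 10): (18, 10, 7),
}

# Affected ranges stated in the article: (CVE, editions, first affected version).
# Only the two CVEs whose lower bound the article gives are listed here.
CVE_RANGES: List[Tuple[str, set, Version]] = [
    ("CVE-2026-4868", {"EE"}, (18, 8, 0)),       # Duo AI workflow identity flaw
    ("CVE-2026-1402", {"CE", "EE"}, (17, 1, 0)),  # Wiki denial of service
]


def parse_version(text: str) -> Tuple[Version, str]:
    """Parse '18.10.3-ee' into ((18, 10, 3), 'EE').

    Assumption: a missing or non-'ee' suffix means Community Edition.
    """
    core, _, suffix = text.strip().partition("-")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    edition = "EE" if suffix.lower().startswith("ee") else "CE"
    return (int(parts[0]), int(parts[1]), int(parts[2])), edition


def fixed_version_for(version: Version) -> Optional[Version]:
    """Return the patched release an instance on this branch should reach.

    Branches older than 18.10 get 18.10.7 as their floor (assumption: the
    oldest patched release is the minimum acceptable target). Branches the
    advisory does not name and that are at or above 18.10 return None.
    """
    branch = (version[0], version[1])
    if branch in PATCHED:
        return PATCHED[branch]
    if branch < (18, 10):
        return PATCHED[(18, 10)]
    return None  # unlisted newer branch: not covered by this advisory


def is_patched(version: Version) -> bool:
    fixed = fixed_version_for(version)
    return fixed is None or version >= fixed


def affected_cves(text: str) -> List[str]:
    """List the CVEs (from CVE_RANGES) that apply to an unpatched instance."""
    version, edition = parse_version(text)
    if is_patched(version):
        return []
    return [cve for cve, editions, first in CVE_RANGES
            if edition in editions and version >= first]


def triage(inventory: Dict[str, str]) -> Dict[str, dict]:
    """Map each instance to its upgrade target and applicable CVEs."""
    report = {}
    for host, text in inventory.items():
        version, edition = parse_version(text)
        fixed = fixed_version_for(version)
        report[host] = {
            "edition": edition,
            "needs_upgrade": not is_patched(version),
            "target": ".".join(map(str, fixed)) if fixed else None,
            "cves": affected_cves(text),
        }
    return report


# Constructed sample inventory; hostnames and versions are illustrative only.
INVENTORY = {
    "git-prod.example.internal": "18.10.3-ee",
    "git-staging.example.internal": "18.11.4-ee",
    "git-legacy.example.internal": "18.5.2",
}

if __name__ == "__main__":
    for host, row in triage(INVENTORY).items():
        print(host, row)
```

Run it against an inventory exported from your configuration management system; hosts flagged `needs_upgrade` should be scheduled first, and those listing CVE‑2026‑4868 are the EE instances where Duo AI workflow activity deserves a review of recent audit events while the upgrade is pending.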

The post GitLab Patches Multiple Duo AI, DoS, and Authorization Flaws in Community and Enterprise Edition appeared first on Cyber Security News.

Source: cybersecuritynews.com
