CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 30, 2026

GitLab Patches Multiple Duo AI, DoS, and Authorization Flaws in Community and Enterprise Edition

Cybersecurity News Archived May 30, 2026 ✓ Full text saved

GitLab has released emergency security updates for both Community Edition (CE) and Enterprise Edition (EE), addressing multiple Duo AI, denial‑of‑service, and authorization flaws in recent versions of the platform. On May 27, 2026, GitLab shipped versions 19.0.1, 18.11.4, and 18.10.7 as security patch releases for self‑managed instances. These builds fix several vulnerabilities across Duo AI […] The post GitLab Patches Multiple Duo AI, DoS, and Authorization Flaws in Community and Enterprise Edi

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News GitLab Patches Multiple Duo AI, DoS, and Authorization Flaws in Community and Enterprise Edition By Abinaya May 30, 2026 GitLab has released emergency security updates for both Community Edition (CE) and Enterprise Edition (EE), addressing multiple Duo AI, denial‑of‑service, and authorization flaws in recent versions of the platform. On May 27, 2026, GitLab shipped versions 19.0.1, 18.11.4, and 18.10.7 as security patch releases for self‑managed instances. These builds fix several vulnerabilities across Duo AI workflow runners, the Wiki component, GraphQL WorkItem APIs, operations, pipelines, and authentication endpoints, and GitLab is urging all administrators to upgrade without delay. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take any action. GitLab Fixes Duo AI, DoS Flaws The most severe issue is a high‑impact access control flaw in Duo AI workflow runners, tracked as CVE‑2026‑4868, which affects GitLab EE from 18.8 up to but not including 18.10.7, 18.11.4, and 19.0.1. Under specific conditions, an authenticated user could trigger certain Duo AI workflows to execute under another user’s identity due to improper user identity resolution in the workflow runner logic, with a CVSS 3.1 score of 8.2. This could enable lateral movement or privilege abuse within AI‑assisted workflows if left unpatched. GitLab also fixed a denial‑of‑service vulnerability in the Wiki component, tracked as CVE‑2026‑1402, which impacts GitLab CE/EE from 17.1 through unpatched 18.10, 18.11, and 19.0 branches. Due to insufficient input validation, an authenticated user could craft content that exhausts resources and renders the Wiki unavailable, earning a CVSS score of 6.5. In parallel, CVE‑2026‑6713 addresses incorrect authorization checks in the GraphQL WorkItem API that could allow unauthenticated users to enumerate private projects under certain conditions, rated 5.3 on the CVSS scale. Several medium‑severity authorization issues have also been resolved in GitLab EE operations and Duo features. CVE‑2026‑5296 fixes improper authorization in the Duo Workflows API that could let a developer‑role user bypass flow restrictions when foundational flows are enabled at the group level. CVE‑2026‑2601 corrects missing authorization checks that could expose sensitive deployment data to developer‑level users. Additionally, CVE‑2026‑8716 corrects an incorrect name resolution behavior in pipelines that could allow access to CI data from a different ref type. CVE‑2026‑2710 ensures that blocked Project Access Tokens cannot access private resources via certain authentication endpoints. All of these flaws are remediated in versions 19.0.1, 18.11.4, and 18.10.7, which also bundle multiple stability and performance backports, including updates to zlib, nginx, Mattermost, Elasticsearch indexer, and GitLab Shell. The updates do not introduce new database migrations and, in typical multi‑node deployments, can be rolled out without downtime when following GitLab’s zero‑downtime guidance. Organizations running affected versions are strongly advised to prioritize upgrades, monitor their instances for abuse of Duo AI or Wiki features, and align with GitLab’s published best practices for securing self‑managed deployments. Uncover Shadow APIs, close OWASP gaps — Join a Free Webinar to secure every API at runtime. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News PyrsistenceSniper – Tool that Detects 117 Persistence Malware Techniques on Windows, Linux, and macOS VaultJacking Attack Steals Entire Google Password Manager Vault With One Captured PIN Windows Server 2016 Domain Controller May Fail with 15-Character Hostname New 7-Zip Vulnerabilities Let Attackers Execute Arbitrary Code and Compromise Systems Anthropic’s Restricted Claude Mythos Moves Toward Public Release via Claude Code and Security Latest News Cyber Security Google Chrome’s Device-Bound Session Credentials Now GA to Block Account Takeovers Cyber Security News GREYVIBE Hackers Leverage ChatGPT and Google Gemini to Fuel Cyberattacks Cyber Security Palo Alto Networks PAN-OS Authentication Vulnerability Bypass Exploited in the Wild Technology Post-quantum cryptography is not the future. It is your current reality.   Cyber Security News Ransomware Uses SYSTEM Scheduled Task to Encrypt Local Drives With Elevated Privileges
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 30, 2026
    Archived
    May 30, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗