GitLab Patches Multiple Duo AI, DoS, and Authorization Flaws in Community and Enterprise Edition
Cybersecurity NewsArchived May 30, 2026✓ Full text saved
GitLab has released emergency security updates for both Community Edition (CE) and Enterprise Edition (EE), addressing multiple Duo AI, denial‑of‑service, and authorization flaws in recent versions of the platform. On May 27, 2026, GitLab shipped versions 19.0.1, 18.11.4, and 18.10.7 as security patch releases for self‑managed instances. These builds fix several vulnerabilities across Duo AI […] The post GitLab Patches Multiple Duo AI, DoS, and Authorization Flaws in Community and Enterprise Edi
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
GitLab Patches Multiple Duo AI, DoS, and Authorization Flaws in Community and Enterprise Edition
By Abinaya
May 30, 2026
GitLab has released emergency security updates for both Community Edition (CE) and Enterprise Edition (EE), addressing multiple Duo AI, denial‑of‑service, and authorization flaws in recent versions of the platform.
On May 27, 2026, GitLab shipped versions 19.0.1, 18.11.4, and 18.10.7 as security patch releases for self‑managed instances.
These builds fix several vulnerabilities across Duo AI workflow runners, the Wiki component, GraphQL WorkItem APIs, operations, pipelines, and authentication endpoints, and GitLab is urging all administrators to upgrade without delay.
GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take any action.
GitLab Fixes Duo AI, DoS Flaws
The most severe issue is a high‑impact access control flaw in Duo AI workflow runners, tracked as CVE‑2026‑4868, which affects GitLab EE from 18.8 up to but not including 18.10.7, 18.11.4, and 19.0.1.
Under specific conditions, an authenticated user could trigger certain Duo AI workflows to execute under another user’s identity due to improper user identity resolution in the workflow runner logic, with a CVSS 3.1 score of 8.2.
This could enable lateral movement or privilege abuse within AI‑assisted workflows if left unpatched.
GitLab also fixed a denial‑of‑service vulnerability in the Wiki component, tracked as CVE‑2026‑1402, which impacts GitLab CE/EE from 17.1 through unpatched 18.10, 18.11, and 19.0 branches.
Due to insufficient input validation, an authenticated user could craft content that exhausts resources and renders the Wiki unavailable, earning a CVSS score of 6.5.
In parallel, CVE‑2026‑6713 addresses incorrect authorization checks in the GraphQL WorkItem API that could allow unauthenticated users to enumerate private projects under certain conditions, rated 5.3 on the CVSS scale.
Several medium‑severity authorization issues have also been resolved in GitLab EE operations and Duo features.
CVE‑2026‑5296 fixes improper authorization in the Duo Workflows API that could let a developer‑role user bypass flow restrictions when foundational flows are enabled at the group level.
CVE‑2026‑2601 corrects missing authorization checks that could expose sensitive deployment data to developer‑level users.
Additionally, CVE‑2026‑8716 corrects an incorrect name resolution behavior in pipelines that could allow access to CI data from a different ref type.
CVE‑2026‑2710 ensures that blocked Project Access Tokens cannot access private resources via certain authentication endpoints.
All of these flaws are remediated in versions 19.0.1, 18.11.4, and 18.10.7, which also bundle multiple stability and performance backports, including updates to zlib, nginx, Mattermost, Elasticsearch indexer, and GitLab Shell.
The updates do not introduce new database migrations and, in typical multi‑node deployments, can be rolled out without downtime when following GitLab’s zero‑downtime guidance.
Organizations running affected versions are strongly advised to prioritize upgrades, monitor their instances for abuse of Duo AI or Wiki features, and align with GitLab’s published best practices for securing self‑managed deployments.
Uncover Shadow APIs, close OWASP gaps — Join a Free Webinar to secure every API at runtime.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Abinayahttps://cybersecuritynews.com/
Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
Trending News
PyrsistenceSniper – Tool that Detects 117 Persistence Malware Techniques on Windows, Linux, and macOS
VaultJacking Attack Steals Entire Google Password Manager Vault With One Captured PIN
Windows Server 2016 Domain Controller May Fail with 15-Character Hostname
New 7-Zip Vulnerabilities Let Attackers Execute Arbitrary Code and Compromise Systems
Anthropic’s Restricted Claude Mythos Moves Toward Public Release via Claude Code and Security
Latest News
Cyber Security
Google Chrome’s Device-Bound Session Credentials Now GA to Block Account Takeovers
Cyber Security News
GREYVIBE Hackers Leverage ChatGPT and Google Gemini to Fuel Cyberattacks
Cyber Security
Palo Alto Networks PAN-OS Authentication Vulnerability Bypass Exploited in the Wild
Technology
Post-quantum cryptography is not the future. It is your current reality.
Cyber Security News
Ransomware Uses SYSTEM Scheduled Task to Encrypt Local Drives With Elevated Privileges