What happened
GitLab published a security patch release for self-managed installations:
- 18.10.1
- 18.9.3
- 18.8.7
The release fixes multiple vulnerabilities, including high-severity issues that could allow attackers to trigger unauthorized actions or take GitLab services offline.
Why this matters
If you run self-managed GitLab and have not updated, your instance may still be exposed to:
- Cross-Site Request Forgery (CSRF) in GLQL API (CVE-2026-3857)
- GraphQL denial-of-service risk (CVE-2026-3988)
- Other access-control and injection-related security flaws fixed in this patch cycle
GitLab.com is already patched, but self-managed CE/EE deployments need admin action.
How to check if you’re affected
- Check your GitLab version now
  - If you run an earlier patch of one of the fixed minor lines (18.10.0, 18.9.0 to 18.9.2, 18.8.0 to 18.8.6) or any older release, treat your instance as affected.
- Confirm deployment type
  - This alert is primarily for self-managed GitLab CE/EE environments.
  - GitLab.com users do not need to patch manually.
- Review security telemetry
  - Inspect recent logs for unusual GraphQL/API request spikes, unexpected state-changing requests, or suspicious admin/session behavior.
- Prioritize patching windows
  - Upgrade to a fixed version as soon as possible and verify that every node of a multi-node deployment runs the same fixed version.
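The version check above, as an added example that is not GitLab's own tooling: a POSIX shell script that classifies a version string against the three fixed releases named in this advisory and, when pointed at a live instance, reads the running version from the REST API. `GITLAB_URL` and `GITLAB_TOKEN` are assumed environment variables (the token needs `read_api` scope); the comparison logic itself runs offline.

```shell
#!/bin/sh
# Added example (not GitLab's own tooling): decide whether a self-managed
# GitLab version is covered by this patch release. GITLAB_URL and
# GITLAB_TOKEN are assumed environment variables.

# Fixed release for each minor line that received a patch. Lines older
# than 18.8 got no fix in this cycle, so every version on them is affected.
fixed_for_line() {
  case "$1" in
    18.10) echo 18.10.1 ;;
    18.9)  echo 18.9.3 ;;
    18.8)  echo 18.8.7 ;;
    *)     echo "" ;;
  esac
}

# Strip the edition/pre-release suffix GitLab appends ("18.10.1-ee" -> "18.10.1").
normalize_version() {
  printf '%s\n' "${1%%-*}"
}

# line_of VERSION: the "major.minor" line a version belongs to.
line_of() {
  v=$(normalize_version "$1")
  r=${v#*.}
  printf '%s.%s\n' "${v%%.*}" "${r%%.*}"
}

# is_affected VERSION: exit 0 (true) when VERSION still needs this patch,
# 1 when it is already at or past the fixed release for its line.
is_affected() {
  ver=$(normalize_version "$1")
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  if [ "$patch" = "$rest" ]; then patch=0; fi   # bare "18.10" has no patch number
  fixed=$(fixed_for_line "$major.$minor")
  if [ -z "$fixed" ]; then
    # Newer than any line in this advisory: not covered by it.
    if [ "$major" -gt 18 ] || { [ "$major" -eq 18 ] && [ "$minor" -gt 10 ]; }; then
      return 1
    fi
    return 0                                    # 18.7 and older: unpatched line
  fi
  [ "$patch" -lt "${fixed##*.}" ]
}

# check_version VERSION: print a human-readable verdict.
check_version() {
  if is_affected "$1"; then
    target=$(fixed_for_line "$(line_of "$1")")
    echo "$1: AFFECTED, upgrade to ${target:-a fixed release (18.10.1, 18.9.3 or 18.8.7)}"
  else
    echo "$1: not affected by this advisory"
  fi
}

# instance_version: read the running version from the REST API. The
# /api/v4/version endpoint returns {"version":"...","revision":"..."}.
instance_version() {
  curl -sS --fail -H "PRIVATE-TOKEN: $GITLAB_TOKEN" "$GITLAB_URL/api/v4/version" |
    sed -n 's/.*"version":"\([^"]*\)".*/\1/p'
}

# When pointed at a live instance, fetch its version and report.
if [ -n "${GITLAB_URL:-}" ] && [ -n "${GITLAB_TOKEN:-}" ]; then
  check_version "$(instance_version)"
fi
```

On the node itself, `sudo gitlab-rake gitlab:env:info` prints the same version without needing a token; paste that value into `check_version`. In automation, call `is_affected` directly and branch on its exit status.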
What to do now
- Upgrade immediately to one of the patched versions supported for your deployment line.
- Restrict external access to admin/API surfaces until patching is complete.
- Rotate sensitive tokens if you see suspicious API activity during the unpatched window.
- Document the upgrade in your change log and verify post-upgrade health checks.
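The telemetry review step above and the "suspicious API activity" trigger for token rotation both come down to spotting request bursts against the GraphQL endpoint. As an added example that is not GitLab's own tooling, this POSIX shell function buckets POST requests to `/api/graphql` per client and minute and prints the buckets above a threshold. The JSON field names it extracts (`time`, `method`, `path`, `remote_ip`) are assumed to match GitLab's `production_json.log`; the sample lines are constructed, not captured traffic.

```shell
#!/bin/sh
# Added example (not GitLab's own tooling): find clients sending bursts of
# GraphQL requests in a GitLab JSON request log. The field names used here
# ("time", "method", "path", "remote_ip") are assumed to match GitLab's
# production_json.log; adjust the patterns if your log format differs.

# graphql_spikes THRESHOLD < logfile
# Prints "<remote_ip> <minute> <count>" for each client/minute bucket with
# at least THRESHOLD POST requests to /api/graphql.
graphql_spikes() {
  awk -v threshold="$1" '
    # Extract a JSON string field by name without a JSON parser; good
    # enough for flat log lines, not for nested or escaped values.
    function field(line, name,    re, m) {
      re = "\"" name "\":\"[^\"]*\""
      if (!match(line, re)) return ""
      m = substr(line, RSTART, RLENGTH)
      sub(/^"[^"]*":"/, "", m)
      sub(/"$/, "", m)
      return m
    }
    field($0, "method") == "POST" && field($0, "path") == "/api/graphql" {
      # Bucket by minute: "2026-03-26T10:15:42.123Z" -> "2026-03-26T10:15"
      minute = substr(field($0, "time"), 1, 16)
      count[field($0, "remote_ip") " " minute]++
    }
    END {
      for (key in count)
        if (count[key] >= threshold) print key, count[key]
    }'
}

# Constructed sample (not real traffic): 203.0.113.7 fires six GraphQL POSTs
# inside one minute; 198.51.100.2 makes one GraphQL POST and one REST GET.
SAMPLE_LOG='{"time":"2026-03-26T10:15:01.120Z","method":"POST","path":"/api/graphql","status":200,"remote_ip":"203.0.113.7"}
{"time":"2026-03-26T10:15:02.004Z","method":"POST","path":"/api/graphql","status":200,"remote_ip":"203.0.113.7"}
{"time":"2026-03-26T10:15:02.310Z","method":"POST","path":"/api/graphql","status":200,"remote_ip":"203.0.113.7"}
{"time":"2026-03-26T10:15:03.877Z","method":"POST","path":"/api/graphql","status":200,"remote_ip":"203.0.113.7"}
{"time":"2026-03-26T10:15:04.152Z","method":"POST","path":"/api/graphql","status":200,"remote_ip":"203.0.113.7"}
{"time":"2026-03-26T10:15:04.960Z","method":"POST","path":"/api/graphql","status":500,"remote_ip":"203.0.113.7"}
{"time":"2026-03-26T10:15:30.000Z","method":"POST","path":"/api/graphql","status":200,"remote_ip":"198.51.100.2"}
{"time":"2026-03-26T10:16:11.000Z","method":"GET","path":"/api/v4/projects","status":200,"remote_ip":"198.51.100.2"}'

# sample_spikes: run the detector over the sample with a deliberately low
# threshold (5 per minute); tune this to your instance's normal traffic.
sample_spikes() {
  printf '%s\n' "$SAMPLE_LOG" | graphql_spikes 5
}
```

Against a real Omnibus install the log lives at `/var/log/gitlab/gitlab-rails/production_json.log` by default, so something like `graphql_spikes 300 < /var/log/gitlab/gitlab-rails/production_json.log | sort -k3 -n` lists offending client/minute buckets by count; awk emits buckets in no particular order, hence the sort. A burst from one client that coincides with the unpatched window is the signal to rotate that client's tokens, as the list above recommends.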
Sources
- GitLab Patch Release: 18.10.1, 18.9.3, 18.8.7 (primary)
- Cyber Centre of Canada: GitLab security advisory AV26-276
Bottom line
Self-managed GitLab administrators should treat this as a priority update cycle: patch now, then verify logs and access controls for signs of attempted abuse.
