GitLab released patch versions 18.11.1, 18.10.4, and 18.9.6 on April 22, 2026 with critical security fixes.
- CSRF in the GraphQL API (CVE-2026-4922, CVSS 8.1): an unauthenticated attacker who lures a logged-in user to a malicious page can have that user's browser submit GraphQL mutations that execute with the victim's session, i.e. act on behalf of authenticated users
- Cross-site scripting in Storybook (CVE-2026-5262, CVSS 8.0) and path traversal in the Web IDE (CVE-2026-5816, CVSS 8.0), both of which can lead to arbitrary JavaScript execution in the user's browser
- Four denial-of-service vulnerabilities (CVSS 6.5 each) in the discussions endpoint, Jira import, the notes endpoint, and the GraphQL API
- Access-control flaws in the issue description renderer and the project fork API, allowing unauthorized information disclosure and permission bypass
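The GraphQL CSRF item is the one most worth checking your own endpoints against, since the same forgery path applies to any GraphQL API that accepts cookie-authenticated requests. The code below is an added example, not GitLab's code and not derived from the details of CVE-2026-4922 (which this summary does not give): it is a minimal server-side gate that applies the three standard defences (JSON-only content type, Origin check, per-session token) to session-authenticated requests and exempts token-authenticated and anonymous ones. The instance origin, header names and sample requests are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse
import hmac


# Hypothetical instance origin; substitute the external URL of the instance being protected.
ALLOWED_ORIGINS = {"https://gitlab.example.com"}


@dataclass
class Request:
    """Minimal view of an incoming HTTP request (constructed for this example)."""
    method: str
    headers: dict                             # header names lower-cased
    body: str
    session_csrf_token: Optional[str] = None  # token bound to the cookie session; None if no session


def _site(url: str) -> str:
    """Reduce an Origin/Referer value to scheme://host[:port] for comparison."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"


def csrf_reject_reason(req: Request) -> Optional[str]:
    """Return None if the request may reach the GraphQL executor, else a short reason.

    Only ambient (cookie) authentication can be forged cross-site: a browser will
    not attach an Authorization or PRIVATE-TOKEN header on an attacker's behalf,
    and a request with no session carries nothing worth forging.
    """
    h = req.headers
    if "authorization" in h or "private-token" in h or req.session_csrf_token is None:
        return None

    # Mutations over GET are the classic CSRF shape; require POST for session auth.
    if req.method.upper() != "POST":
        return "session-authenticated GraphQL must use POST"

    # Check 1: content type. A cross-site <form> can only send urlencoded, multipart
    # or text/plain bodies without a CORS preflight, so insisting on application/json
    # closes the "simple request" forgery path.
    ctype = h.get("content-type", "").split(";", 1)[0].strip().lower()
    if ctype != "application/json":
        return f"unexpected content-type {ctype or '(none)'}"

    # Check 2: origin. Browsers send Origin on every POST; compare the site, not the URL.
    origin = h.get("origin") or h.get("referer")
    if origin and _site(origin) not in ALLOWED_ORIGINS:
        return f"cross-site request from {_site(origin)}"

    # Check 3: per-session anti-CSRF token, compared in constant time.
    sent = h.get("x-csrf-token", "")
    if not sent or not hmac.compare_digest(sent, req.session_csrf_token):
        return "missing or invalid CSRF token"
    return None


# Constructed sample requests exercising each path through the gate.
MUTATION = '{"query": "mutation { deleteKey(id: 1) { ok } }"}'
SAMPLES = {
    # Forged via <form method="post" enctype="text/plain"> on attacker.example:
    # the session cookie rides along, but the body is text/plain and Origin is the attacker's.
    "cross_site_form": Request("POST", {"origin": "https://attacker.example",
                                        "content-type": "text/plain",
                                        "cookie": "_session=victim"}, MUTATION + "=",
                               session_csrf_token="tok-abc"),
    # Mutation smuggled in a GET query string from a cross-site <img> or link.
    "get_mutation": Request("GET", {"origin": "https://attacker.example",
                                    "cookie": "_session=victim"}, "",
                            session_csrf_token="tok-abc"),
    # Same-origin frontend: JSON body, matching Origin, correct token.
    "legit_browser": Request("POST", {"origin": "https://gitlab.example.com",
                                      "content-type": "application/json",
                                      "x-csrf-token": "tok-abc"}, MUTATION,
                             session_csrf_token="tok-abc"),
    # Right content type and origin, but a stale token that no longer matches the session.
    "wrong_token": Request("POST", {"origin": "https://gitlab.example.com",
                                    "content-type": "application/json",
                                    "x-csrf-token": "tok-old"}, MUTATION,
                           session_csrf_token="tok-abc"),
    # API client with a personal access token: no cookie session, no CSRF exposure.
    "token_client": Request("POST", {"private-token": "glpat-example",
                                     "content-type": "application/json"}, MUTATION),
    # Anonymous public query: no session, nothing to forge.
    "anonymous": Request("POST", {"content-type": "application/json"},
                         '{"query": "{ metadata { version } }"}'),
}


def evaluate_samples() -> dict:
    """Run every sample through the gate; None means the request is allowed."""
    return {name: csrf_reject_reason(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, reason in evaluate_samples().items():
        print(f"{name:16} -> {'ALLOW' if reason is None else 'REJECT: ' + reason}")
```

The content-type check does most of the work against a plain cross-site form, because a browser will not send `application/json` cross-site without a CORS preflight; the Origin and token checks remain as defence in depth for the cases where CORS is misconfigured or a proxy strips headers. Note that a gate like this must live in front of the GraphQL executor itself, not only in front of individual mutation resolvers, otherwise a new mutation added later is unprotected by default.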
This summary was automatically generated by AI based on the original article and may not be fully accurate.