GitLab Patches Multiple Duo AI, DoS, and Authorization Flaws in Community and Enterprise Edition
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
GitLab has released emergency security updates for both Community Edition (CE) and Enterprise Edition (EE), addressing multiple Duo AI, denial\u2011of\u2011service, and authorization flaws in recent versions of the platform.<\/p>\n
On May 27, 2026, GitLab shipped versions 19.0.1, 18.11.4, and 18.10.7 as security patch<\/a> releases for self\u2011managed instances.<\/p>\n These builds fix several vulnerabilities across Duo AI workflow runners, the Wiki component, GraphQL WorkItem APIs, operations, pipelines, and authentication endpoints, and GitLab is urging all administrators to upgrade without delay.<\/p>\n GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take any action.<\/p>\n The most severe issue is a high\u2011impact access control flaw in Duo AI workflow runners, tracked as CVE\u20112026\u20114868, which affects GitLab EE from 18.8 up to but not including 18.10.7, 18.11.4, and 19.0.1.<\/p>\n Under specific conditions, an authenticated user could trigger certain Duo AI workflows to execute under another user\u2019s identity due to improper user identity resolution in the workflow runner logic, with a CVSS 3.1 score of 8.2.<\/p>\n This could enable lateral movement or privilege abuse within AI\u2011assisted workflows if left unpatched.<\/p>\n GitLab also fixed a denial\u2011of\u2011service vulnerability<\/a> in the Wiki component, tracked as CVE\u20112026\u20111402, which impacts GitLab CE\/EE from 17.1 through unpatched 18.10, 18.11, and 19.0 branches.<\/p>\n Due to insufficient input validation, an authenticated user could craft content that exhausts resources and renders the Wiki unavailable, earning a CVSS score of 6.5.<\/p>\n In parallel, CVE\u20112026\u20116713 addresses incorrect authorization checks in the GraphQL<\/a> WorkItem API that could allow unauthenticated users to enumerate private projects under certain conditions, rated 5.3 on the CVSS scale.<\/p>\n Several medium\u2011severity authorization issues have also been resolved in GitLab EE operations and Duo features.<\/p>\n CVE\u20112026\u20115296 fixes improper authorization in the Duo Workflows API that could let a developer\u2011role user bypass flow restrictions when foundational flows are enabled at the group level.<\/p>\n CVE\u20112026\u20112601 corrects missing authorization checks that could expose sensitive deployment<\/a> data to developer\u2011level users.<\/p>\n Additionally, CVE\u20112026\u20118716 corrects an incorrect name resolution behavior in pipelines that could allow access to CI data from a different ref type.<\/p>\n CVE\u20112026\u20112710 ensures that blocked Project Access Tokens cannot access private resources via certain authentication endpoints.<\/p>\n All of these flaws are remediated in versions 19.0.1, 18.11.4, and 18.10.7, which also bundle multiple stability and performance backports, including updates to zlib<\/a>, nginx<\/a>, Mattermost, Elasticsearch indexer, and GitLab Shell.<\/p>\n The updates do not introduce new database migrations and, in typical multi\u2011node deployments, can be rolled out without downtime when following GitLab\u2019s zero\u2011downtime guidance<\/a>.<\/p>\n Organizations running affected versions are strongly advised to prioritize upgrades, monitor their instances for abuse of Duo AI or Wiki features, and align with GitLab\u2019s published best practices for securing self\u2011managed deployments.<\/p>\n Uncover Shadow APIs, close OWASP gaps <\/b>\u2014 Join a Free Webinar<\/a> to secure every API at runtime.<\/strong><\/p>\n The post GitLab Patches Multiple Duo AI, DoS, and Authorization Flaws in Community and Enterprise Edition<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n\nGitLab Fixes Duo AI, DoS<\/strong> Flaws<\/strong>
\n<\/h2>\n