Vulnerability Overview
GitLab has released emergency security patches for its Community Edition and Enterprise Edition, addressing a high-severity flaw in the Duo AI workflow runners and a denial-of-service issue in the Wiki component. The patches, versions 19.0.1, 18.11.4, and 18.10.7, were shipped on May 27, 2026, for self-managed instances. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take any action.
The most critical fix addresses an access control vulnerability in the Duo AI workflow runners. Under specific conditions, an authenticated user could trigger certain Duo AI workflows to execute under another user's identity, because the workflow runner logic resolved the acting user's identity incorrectly. If left unpatched, this could enable lateral movement or privilege abuse within AI-assisted workflows.
Additional Fixes and Impact
GitLab also resolved a denial-of-service vulnerability in the Wiki component, which affects versions from 17.1 up to the unpatched releases of the 18.10, 18.11, and 19.0 branches. Due to insufficient input validation, an authenticated user could craft content that exhausts resources and renders the Wiki unavailable. Additionally, a medium-severity issue in the GraphQL WorkItem API could allow unauthenticated users to enumerate private projects under certain conditions.
Several other authorization issues have been fixed in GitLab EE operations and Duo features, including improper authorization in the Duo Workflows API that could let a user with the Developer role bypass flow restrictions, missing authorization checks that could expose sensitive deployment data, and incorrect name resolution behavior in pipelines that could allow access to CI data from a different ref type. GitLab is urging all administrators to upgrade without delay.
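One way an administrator can check whether a self-managed instance is already on a patched release, as an added example that is not part of the original article or of GitLab's own tooling: it encodes the three patched versions named above, and its treatment of release branches older than 18.10 (recommend upgrading to 18.10.7, the oldest patched release) is an assumption, not something the advisory states.

```python
"""Decide whether a GitLab version carries the May 27, 2026 security fixes.

Added example. Patched versions come from the advisory; handling of branches
not named in it (older than 18.10, newer than 19.0) is an assumption.
"""
import re
import sys
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed release per branch, as listed in the advisory.
PATCHED = {
    (19, 0): (19, 0, 1),
    (18, 11): (18, 11, 4),
    (18, 10): (18, 10, 7),
}


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' with an optional 'v' prefix or '-ee' suffix."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def required_upgrade(version: str) -> Optional[str]:
    """Return the release to upgrade to, or None if the version is patched.

    Branches named in the advisory are compared against their own fix.
    Branches newer than 19.0 are assumed to already include the fix.
    Older branches get the oldest patched release (assumption: smallest jump).
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in PATCHED:
        fix = PATCHED[branch]
        return None if v >= fix else ".".join(map(str, fix))
    if branch > (19, 0):
        return None
    return ".".join(map(str, PATCHED[(18, 10)]))


if __name__ == "__main__":
    # Usage: python check_gitlab.py 18.11.3-ee  (e.g. the "version" field of /api/v4/version)
    target = required_upgrade(sys.argv[1])
    print("patched" if target is None else f"upgrade to {target}")
```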
Source: Cyber Security News