GitLab Patches Duo AI, DoS, & Auth Flaws: Upgrade Now
Summary
GitLab has released emergency security updates for its Community and Enterprise Editions. These updates address multiple flaws, including issues with Duo AI, denial of service, and authorization. GitLab shipped versions 19.0.1, 18.11.4, and 18.10.7 as security patch releases for self-managed instances. These builds fix vulnerabilities across Duo AI workflow runners, the Wiki component, and the GraphQL WorkItem APIs. GitLab is urging all administrators to upgrade without delay. GitLab.com already runs the patched version, and GitLab Dedicated customers do not need to take action.

The most severe issue is a high-impact access control flaw in Duo AI workflow runners, tracked as CVE-2026-4868. It affects GitLab EE from 18.8 up to, but not including, 18.10.7, 18.11.4, and 19.0.1. Because of improper user identity resolution, an authenticated user could trigger certain Duo AI workflows to execute under another user's identity. The flaw has a CVSS score of 8.2.

GitLab also fixed a denial-of-service vulnerability in the Wiki component, tracked as CVE-2026-1402, with a CVSS score of 6.5. It could allow an authenticated user to exhaust resources and render the Wiki unavailable. Organizations running affected versions are strongly advised to prioritize these upgrades to maintain security.
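To turn the affected range quoted above into a check an administrator can run against the version string of a self-managed instance, here is an added example (not GitLab's code and not part of the original article). It encodes GitLab's "from X up to but not including A, B and C" semantics: every release from the first affected version up to the lowest fix is vulnerable, a release on the same branch as a fix is vulnerable only below that patch level, and branches newer than every listed fix are assumed to ship with the fix. The version input is assumed to look like the `18.10.6-ee` string printed by `gitlab-rake gitlab:env:info` or returned by the `/version` API; the advisory names only EE, so a `-ce` suffix is treated as not affected.

```python
from __future__ import annotations

# Affected range for CVE-2026-4868 as stated in the advisory summary:
# GitLab EE from 18.8 up to, but not including, 18.10.7, 18.11.4 and 19.0.1.
CVE_2026_4868_FIRST_AFFECTED = "18.8.0"
CVE_2026_4868_FIXED = ("18.10.7", "18.11.4", "19.0.1")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]'; a trailing edition suffix such as
    '-ee' or '-ce' is dropped. A missing patch level counts as 0."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a GitLab version: {text!r}")
    major, minor = int(parts[0]), int(parts[1])
    patch = int(parts[2]) if len(parts) == 3 else 0
    return (major, minor, patch)


def is_affected(version: str, first_affected: str, fixed: tuple[str, ...]) -> bool:
    """Apply GitLab's 'from X up to but not including A, B and C' semantics.

    Releases before first_affected predate the vulnerable code. A release on
    the same major.minor branch as a fixed version is vulnerable only while
    its patch level is below that fix. Any other release is vulnerable if it
    is older than the lowest fix; branches newer than every fix are assumed
    (an assumption, matching GitLab's backport practice) to contain the fix.
    """
    v = parse_version(version)
    fixes = sorted(parse_version(f) for f in fixed)
    if v < parse_version(first_affected):
        return False
    for fix in fixes:
        if v[:2] == fix[:2]:
            return v < fix  # same release branch: compare patch level only
    return v < fixes[0]  # older than every fixed branch, or newer than all


def affected_by_cve_2026_4868(version: str) -> bool:
    """True when this instance needs the CVE-2026-4868 patch (EE only)."""
    if version.strip().lower().endswith("-ce"):
        return False  # the advisory names Enterprise Edition only
    return is_affected(version, CVE_2026_4868_FIRST_AFFECTED, CVE_2026_4868_FIXED)


if __name__ == "__main__":
    # Constructed sample inputs covering each boundary of the affected range.
    for v in ("18.7.9", "18.8.0", "18.10.6-ee", "18.10.7", "18.11.3",
              "18.11.4", "19.0.0", "19.0.1", "19.1.0", "18.10.6-ce"):
        print(f"{v:>11}: {'AFFECTED' if affected_by_cve_2026_4868(v) else 'ok'}")
```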