GITLAB has released a security update for its Community and Enterprise editions, patching a high-severity Web IDE flaw (CVE-2025-7659) that could allow unauthenticated attackers to steal access tokens and access private repositories. The fix covers versions 18.8.4, 18.7.4, and 18.6.6 and also addresses a total of 13 vulnerabilities, including several that could lead to denial-of-service or token theft.
According to GitLab, the most critical flaw stems from incomplete validation in the Web IDE, meaning an attacker would not need a valid login to exploit the system. In addition to CVE-2025-7659, the release patches CVE-2025-8099 (GraphQL Overload, CVSS 7.5), CVE-2026-0958 (JSON Exhaustion, CVSS 7.5), and the Markdown flaws CVE-2026-1456 and CVE-2026-1458 (both enabling CPU exhaustion).
The update also fixes CVE-2025-14560 (XSS, CVSS 7.3) and CVE-2026-0595 (HTML injection, CVSS 7.3), with administrators urged to upgrade to the stated versions to mitigate risks across DevOps environments.