CVE-2026-1868 is a critical vulnerability in GitLab’s self-hosted AI Gateway, rated CVSS 9.9, that could allow denial of service or, in the worst case, remote code execution on the gateway. The flaw is an insecure template expansion issue in the Duo Workflow Service: user-supplied, crafted Duo Agent Platform Flow definitions are not properly sanitised before they are expanded. According to GitLab, an attacker would need authenticated access to the GitLab instance to exploit the flaw.
A successful exploit could let the attacker run commands on the underlying server, effectively compromising the gateway. The issue affects self-hosted AI Gateway versions from 18.1.6, 18.2.6 and 18.3.1 onward that are older than the fixed releases. GitLab has released patched versions for the different release tracks, 18.6.2, 18.7.1 and 18.8.1, and the advisory urges administrators to upgrade immediately.
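As an added illustration, not code from GitLab or from the advisory: the difference between expanding a user-supplied flow definition as a template and using it only as a value substituted into a developer-owned template. The page does not name the gateway's template engine or flow schema, so this uses Python's `str.format` and `string.Template` purely to show the pattern; the `ServerContext` fields, the flow definition and the token are constructed.

```python
from string import Template


class ServerContext:
    """Constructed server-side object a template gets expanded against."""

    def __init__(self):
        self.name = "duo-workflow"
        # Constructed placeholder value, not a real secret.
        self.internal_token = "REDACTED-EXAMPLE-TOKEN"


# Constructed flow definition as a user might submit it. The prompt field
# carries placeholder syntax that the submitter should not be able to expand.
FLOW_DEF = {"prompt": "Summarise: {ctx.internal_token}"}


def expand_unsafe(flow_def, ctx):
    # VULNERABLE PATTERN: the user's string *is* the template, so its
    # placeholders are resolved against server-side objects and data the
    # author never meant to expose becomes reachable from the definition.
    return flow_def["prompt"].format(ctx=ctx)


def expand_safe(flow_def, ctx):
    # HARDENED PATTERN: the template is fixed by the developer and the user's
    # string is passed in only as a value. string.Template substitutes just the
    # $identifiers present in the mapping, never evaluates expressions or
    # attribute access, and does not re-scan substituted values, so any
    # placeholder syntax in the user's text stays literal.
    tmpl = Template("[$agent] $user_prompt")
    return tmpl.safe_substitute(agent=ctx.name, user_prompt=flow_def["prompt"])


if __name__ == "__main__":
    ctx = ServerContext()
    print("unsafe:", expand_unsafe(FLOW_DEF, ctx))
    print("safe:  ", expand_safe(FLOW_DEF, ctx))
```

The unsafe path prints the constructed token; the safe path prints the user's text verbatim, braces included.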