Security Advisory - Published 2026-06-12 - GitLab
GitLab 19.0.2 patch release: four CVEs to check on self-managed instances
The June GitLab patch release matters most for self-managed instances that expose the API publicly, use Group SAML, or let developer users work with Analytics Dashboards. Upgrade first, then review group identity and high-privilege activity.
What to patch
| CVE | Area | Who should care | Fixed versions |
|---|---|---|---|
| CVE-2026-7250 | API parsing | Internet-facing GitLab CE/EE | 18.10.8, 18.11.5, 19.0.2 |
| CVE-2026-6552 | Group SAML identity management | GitLab EE with SAML groups | 18.10.8, 18.11.5, 19.0.2 |
| CVE-2026-10087 | Analytics Dashboard | GitLab EE with developer users | 18.10.8, 18.11.5, 19.0.2 |
| CVE-2026-8589 | Group setting fields | GitLab EE groups with delegated admins | 18.10.8, 18.11.5, 19.0.2 |
Version and exposure checks
sudo gitlab-rake gitlab:env:info
sudo gitlab-ctl status
sudo gitlab-ctl tail gitlab-rails | grep -Ei "api|saml|analytics|group"
If your instance is below the fixed line, schedule the patch window before changing configuration. For internet-facing GitLab, check API error spikes and request volume around the disclosure window.
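As an added example (not GitLab's or Ping7's own tooling), the script below turns the "below the fixed line" check into something repeatable: it pulls the GitLab version out of `gitlab-rake gitlab:env:info` output and compares it, per release line, against the fixed versions in the table above (18.10.8, 18.11.5, 19.0.2). The `env:info` sample is constructed here so the script runs offline; the assumption that the GitLab version appears on a line starting with `Version:` under the "GitLab information" heading is based on the usual output shape of that rake task. Release lines older than 18.10 are reported as needing the patch because every fixed version in the table is newer; lines newer than 19.0 are not covered by the table and are reported as `unknown` rather than guessed.

```bash
#!/usr/bin/env bash
# Added example: decide whether a GitLab version is below the fixed line for
# the June patch release. Fixed versions come from the advisory table.
set -u

# Constructed sample of `sudo gitlab-rake gitlab:env:info` output (assumed
# format). On a real instance, replace this with the command's actual output.
SAMPLE_ENV_INFO=$(cat <<'EOF'
System information
System:         Ubuntu 22.04
Ruby Version:   3.2.4
Gem Version:    3.5.11

GitLab information
Version:        19.0.1-ee
Revision:       abcdef0
Directory:      /opt/gitlab/embedded/service/gitlab-rails
EOF
)

# extract_gitlab_version ENV_INFO_TEXT
# Prints the GitLab version. Anchoring on ^Version: skips the "Ruby Version:"
# and "Gem Version:" lines in the System information section.
extract_gitlab_version() {
    printf '%s\n' "$1" | sed -n 's/^Version:[[:space:]]*//p' | head -n 1
}

# gitlab_patch_status VERSION
# Prints "patch" if VERSION is below the fixed version on its release line,
# "ok" if it is at or above it, and "unknown" if the release line is not in
# the advisory table. Suffixes such as "-ee" are ignored.
gitlab_patch_status() {
    local v="$1" major rest minor patch fixed
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;          # "19.0" style input: treat as .0
    esac
    patch=${patch%%[!0-9]*}      # "2-ee" -> "2"
    [ -n "$patch" ] || patch=0

    case "$major.$minor" in
        18.10) fixed=8 ;;        # fixed in 18.10.8
        18.11) fixed=5 ;;        # fixed in 18.11.5
        19.0)  fixed=2 ;;        # fixed in 19.0.2
        *)
            # Older than 18.10: below every fixed version in the table.
            # Newer than 19.0: not covered by the table, so do not guess.
            if [ "$major" -lt 18 ] || { [ "$major" -eq 18 ] && [ "$minor" -lt 10 ]; }; then
                echo patch
            else
                echo unknown
            fi
            return 0 ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then
        echo ok
    else
        echo patch
    fi
}

# Stand-alone run against the constructed sample.
running=$(extract_gitlab_version "$SAMPLE_ENV_INFO")
printf 'Running GitLab version: %s\n' "$running"
printf 'Status against fixed line: %s\n' "$(gitlab_patch_status "$running")"
```

On a live host the first line of the stand-alone section becomes `running=$(sudo gitlab-rake gitlab:env:info | sed -n 's/^Version:[[:space:]]*//p' | head -n 1)`; a `patch` result means scheduling the upgrade window before any of the post-patch review steps, and an `unknown` result means the release line is outside the table and should be checked against GitLab's own release notes rather than assumed safe.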
Post-patch review
- Review group Owner activity, SAML identity changes, and membership changes.
- Check whether unexpected email addresses were added to high-value accounts.
- Review Analytics Dashboard edits and developer-role activity in sensitive projects.
- Confirm backups completed before upgrade and background migrations are healthy after upgrade.
Ping7 repair path
Ping7 can review version state, upgrade readiness, SAML group exposure, high-privilege account changes, and suspicious GitLab logs. Use CVE Repair if your GitLab instance is public or manages production deployment secrets.