Security Advisory - Published 2026-06-12 - GitLab

GitLab 19.0.2 patch release: four CVEs to check on self-managed instances

The June GitLab patch release matters most for self-managed instances that expose the API publicly, use Group SAML, or let developer users work with Analytics Dashboards. Upgrade first, then review group identity and high-privilege activity.

Defensive scope: this page covers version confirmation, upgrade targets, account review, and log review. It does not include attack requests or bypass steps.

What to patch

CVE             Area                            Who should care                          Fixed versions
CVE-2026-7250   API parsing                     Internet-facing GitLab CE/EE             18.10.8, 18.11.5, 19.0.2
CVE-2026-6552   Group SAML identity management  GitLab EE with SAML groups               18.10.8, 18.11.5, 19.0.2
CVE-2026-10087  Analytics Dashboard             GitLab EE with developer users           18.10.8, 18.11.5, 19.0.2
CVE-2026-8589   Group setting fields            GitLab EE groups with delegated admins   18.10.8, 18.11.5, 19.0.2

Version and exposure checks

sudo gitlab-rake gitlab:env:info
sudo gitlab-ctl status
sudo gitlab-ctl tail gitlab-rails | grep -Ei "api|saml|analytics|group"

If your instance is below the fixed line, schedule the patch window before changing configuration. For internet-facing GitLab, check API error spikes and request volume around the disclosure window.
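Added example, not part of the advisory or of GitLab itself: a small POSIX shell check that reads the "Version:" line from gitlab:env:info output and compares it against the fixed lines in the table above. The sample env:info text is constructed; pipe real output into gitlab_version_from_env_info on your instance.

```shell
#!/bin/sh
# Fixed versions from the advisory table, one per supported release branch.
FIXED_VERSIONS="18.10.8 18.11.5 19.0.2"

# Print the "Version:" value from gitlab:env:info output read on stdin.
gitlab_version_from_env_info() {
    sed -n 's/^Version:[[:space:]]*//p' | head -n 1
}

# Print one of: fixed | below-fixed-line | not-in-table
# "not-in-table" means the branch (major.minor) is not one the table lists,
# so the table alone cannot tell you whether the fix is present there.
advisory_status() {
    ver=$1
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # drop suffixes such as "-ee"
    for fixed in $FIXED_VERSIONS; do
        fmajor=${fixed%%.*}; frest=${fixed#*.}
        fminor=${frest%%.*}; fpatch=${frest#*.}
        if [ "$major" -eq "$fmajor" ] && [ "$minor" -eq "$fminor" ]; then
            if [ "$patch" -ge "$fpatch" ]; then
                echo fixed
            else
                echo below-fixed-line
            fi
            return 0
        fi
    done
    echo not-in-table
}

# Constructed sample of gitlab:env:info output (not from a real instance).
SAMPLE_ENV_INFO='System information
System:		Ubuntu 24.04
GitLab information
Version:	18.11.3-ee
Revision:	0000000'

# Evaluate the sample; on a real host replace the printf with
# `sudo gitlab-rake gitlab:env:info`.
sample_version=$(printf '%s\n' "$SAMPLE_ENV_INFO" | gitlab_version_from_env_info)
echo "GitLab $sample_version: $(advisory_status "$sample_version")"
```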

Post-patch review

  • Review group Owner activity, SAML identity changes, and membership changes.
  • Check whether unexpected email addresses were added to high-value accounts.
  • Review Analytics Dashboard edits and developer-role activity in sensitive projects.
  • Confirm backups completed before upgrade and background migrations are healthy after upgrade.

Ping7 repair path

Ping7 can review version state, upgrade readiness, SAML group exposure, high-privilege account changes, and suspicious GitLab logs. Use CVE Repair if your GitLab instance is public or manages production deployment secrets.