GitLab 19.1.1 June 2026 CVE batch self-check

GitLab's June 25, 2026 patch release covers three high-severity CVEs across CE/EE branches. Start with the deployed branch, then review exposure, project activity, user sessions, and sensitive output paths before closing the maintenance ticket.

Covered CVEs

  • CVE-2026-10712 (GitLab CE/EE, CVSS 8.0): affects 18.10 before 18.11.6, 19.0 before 19.0.3, 19.1 before 19.1.1
  • CVE-2026-12053 (GitLab EE, CVSS 8.6): affects 19.1 before 19.1.1
  • CVE-2026-10086 (GitLab EE, CVSS 8.7): affects 16.4 before 18.11.6, 19.0 before 19.0.3, 19.1 before 19.1.1

Safe self-check

  1. Confirm the running GitLab version and edition on every node, including Geo, staging, and runner-adjacent hosts.
  2. Upgrade to 18.11.6, 19.0.3, 19.1.1, or the vendor-fixed package for your branch.
  3. Review public project pages, merge requests, issue activity, snippets, and user sessions around the disclosure window.
  4. For GitLab EE with Duo Workflows, review workflow output visibility and projects that may contain committed secrets.
  5. Keep upgrade logs, package versions, recent admin actions, and session review notes.
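
Steps 1 and 2 can be scripted once the version and edition of every node are collected. The following is an added example, not GitLab or Ping7 code: it encodes the affected ranges from the "Covered CVEs" list above and reports, per node, which of the three CVEs still apply and the fixed version for that range. The node names and the inventory are constructed sample data, and the parser assumes a plain MAJOR.MINOR.PATCH string with any trailing suffix ignored.

```python
import re

# Affected ranges transcribed from the "Covered CVEs" list on this page.
# Each range is (first affected version, first fixed version); the fix is exclusive.
AFFECTED = [
    ("CVE-2026-10712", {"CE", "EE"},
     [((18, 10, 0), (18, 11, 6)), ((19, 0, 0), (19, 0, 3)), ((19, 1, 0), (19, 1, 1))]),
    ("CVE-2026-12053", {"EE"},
     [((19, 1, 0), (19, 1, 1))]),
    ("CVE-2026-10086", {"EE"},
     [((16, 4, 0), (18, 11, 6)), ((19, 0, 0), (19, 0, 3)), ((19, 1, 0), (19, 1, 1))]),
]

def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH[suffix]' into an int tuple so 18.10 sorts after 18.9."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def applicable_cves(version, edition):
    """Return {cve_id: fixed_version} for each listed CVE whose range covers this node."""
    v = parse_version(version)
    hits = {}
    for cve, editions, ranges in AFFECTED:
        if edition.upper() not in editions:
            continue  # EE-only CVE on a CE node
        for first_affected, first_fixed in ranges:
            if first_affected <= v < first_fixed:
                hits[cve] = ".".join(str(n) for n in first_fixed)
    return hits

def audit(inventory):
    """Map node name -> applicable CVEs; an empty dict means no listed range matches."""
    return {name: applicable_cves(ver, ed) for name, ver, ed in inventory}

# Constructed inventory: (node name, reported version, edition)
INVENTORY = [
    ("primary", "19.1.0", "EE"),
    ("geo-secondary", "19.0.3", "EE"),
    ("staging", "18.11.5", "CE"),
    ("legacy", "17.2.4", "EE"),
]

if __name__ == "__main__":
    for node, hits in audit(INVENTORY).items():
        status = ", ".join(f"{c} (fixed in {f})" for c, f in hits.items()) or "no listed range matches"
        print(f"{node}: {status}")
```

An empty result only means the version is outside the ranges listed on this page; the activity and session review in steps 3 to 5 still applies to nodes that were in range before the upgrade.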

What looks suspicious

  • Unexpected project or issue edits by accounts with no matching business reason.
  • Unusual browser-session activity after a user visited a project page or merge request.
  • Duo Workflow output that exposed data outside the intended user or project boundary.
  • New tokens, deploy keys, runners, webhooks, or CI variables added near the exposure window.

When to request help

Request Ping7 repair if GitLab is internet-facing, stores secrets or customer code, or shows suspicious project/session activity after patching. Send the CVE IDs, branch, fixed version, first suspicious timestamp, and sanitized logs.
