PT-2026-6978 · GitLab · GitLab AI Gateway
Joern Schneeweisz · Published 2026-02-06 · Updated 2026-05-21 · CVE-2026-1868
CVSS v3.1: 9.9 (Critical)
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
GitLab AI Gateway versions 18.1.6 through 18.8.0
Description
The Duo Workflow Service component of the GitLab AI Gateway contains an improper code generation (code injection) flaw. An authenticated attacker can submit specially crafted requests to cause a Denial of Service or achieve Remote Code Execution (RCE). The root cause is insecure template expansion of user-supplied data within crafted Duo Agent Platform Flow definitions.
Recommendations
Upgrade to GitLab AI Gateway version 18.6.2 or later.
Upgrade to GitLab AI Gateway version 18.7.1 or later.
Upgrade to GitLab AI Gateway version 18.8.1 or later.
Fix
DoS
RCE
Code Injection
Affected Products
GitLab AI Gateway