Critical (9.9)

CVE-2026-1868

GitLab has remediated a vulnerability in the Duo Workflow Service component of GitLab AI Gateway affecting all versions of the AI Gateway from 18.1.6, 18.2.6, 18.3.1 to 18.6.1, 18.7.0, and 18.8.0 in w...

CVSS Score 9.9

Overview

A critical security vulnerability has been identified and patched in GitLab’s AI Gateway, a component that manages interactions with various AI models. The flaw existed within the Duo Workflow Service and affected multiple recent versions of the software.

Vulnerability Explained Simply

The AI Gateway allows administrators to define automated workflows (called “Flows”) for processing data. This vulnerability was in the mechanism that interprets these workflow definitions. An attacker able to create or modify a workflow definition could inject crafted instructions into it. The system would then process these instructions incorrectly, expanding them in an unsafe way. This is similar to a system blindly following a dangerous recipe supplied by an attacker, and it can lead to severe instability of the service or to attacker control of the system.

Potential Impact

The consequences of this vulnerability are severe, warranting its CRITICAL 9.9 CVSS score. A successful exploit could lead to:

  • Denial of Service (DoS): An attacker could crash the AI Gateway service, making it unavailable for all users and disrupting AI-powered features.
  • Remote Code Execution (RCE): This is the most severe outcome. An attacker could potentially run arbitrary code on the server hosting the AI Gateway. This would grant them the same level of access as the service account, potentially allowing them to steal sensitive data, manipulate AI interactions, or move laterally to other parts of the network.

Remediation and Mitigation Steps

Immediate action is required to secure affected deployments.

Primary Remediation: Patch Immediately

The issue has been fixed in the following GitLab AI Gateway versions. You must upgrade to one of these patched releases:

  • 18.6.2
  • 18.7.1
  • 18.8.1

If you are running any version from 18.1.6 up to 18.6.1, 18.7.0, or 18.8.0, you are vulnerable and should plan your upgrade immediately. Consult the official GitLab upgrade documentation for your deployment method (Omnibus, Helm Chart, etc.).

Temporary Mitigation (If Patching is Delayed)

If an immediate upgrade is not possible, apply strict access controls:

  1. Restrict Flow Creation: Immediately review and limit administrative privileges. Ensure that only essential, trusted administrators have permissions to create or modify Duo Agent Platform Flow definitions within the AI Gateway.
  2. Network Segmentation: Ensure the AI Gateway server is placed in an appropriately segmented network zone to limit the potential impact of a compromise.
  3. Monitor for Anomalies: Increase monitoring of the AI Gateway service for unexpected restarts, high resource usage, or unusual process activity, which could indicate an attack attempt.

Verification

After patching, verify that your AI Gateway version is 18.6.2, 18.7.1, or 18.8.1. Also, audit any existing Flow definitions for anything created or modified by untrusted sources during the vulnerable period.
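
For the version check, an added example (not GitLab's code and not part of the original advisory): a small Python triage script that classifies reported AI Gateway version strings against the affected range and patched releases listed above. It assumes the affected range runs contiguously from 18.1.6 up to the patched releases, as the remediation section states; the hostnames and version strings in the sample inventory are constructed.

```python
import re

# Version numbers below are the ones given in this advisory.
FIRST_AFFECTED = (18, 1, 6)
PATCHED = {(18, 6): 2, (18, 7): 1, (18, 8): 1}  # branch -> first fixed patch level


def parse_version(text):
    """Return the first MAJOR.MINOR.PATCH triple in a version/tag string, or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(text):
    """Classify one version string as vulnerable, patched, not-listed or unknown."""
    v = parse_version(text)
    if v is None:
        return "unknown"  # e.g. a floating tag; resolve it by hand
    if v < FIRST_AFFECTED:
        return "not-listed"  # older than the range the advisory names
    branch = v[:2]
    if branch in PATCHED:
        return "patched" if v[2] >= PATCHED[branch] else "vulnerable"
    if branch < min(PATCHED):
        return "vulnerable"  # 18.1.6 .. 18.5.x: assumed affected, no in-branch fix listed
    return "not-listed"  # newer than the 18.8 branch; the advisory does not cover it


def triage(inventory):
    """Group {host: version string} into {status: [hosts]}."""
    report = {}
    for host, version in sorted(inventory.items()):
        report.setdefault(classify(version), []).append(host)
    return report


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames and version strings).
    sample = {
        "aigw-prod-1": "18.6.1",
        "aigw-prod-2": "v18.7.1",
        "aigw-stage": "18.4.3",
        "aigw-lab": "latest",
    }
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as "unknown" or "not-listed" need a manual check against GitLab's own advisory, since this page gives no information about them.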