GitLab · Infrastructure · Health score: 100/100 (Healthy)
Summary
(Plain-English security verdict for GitLab, generated from its current health score, actively exploited vulnerabilities, and latest supported version.)
GitLab currently scores 100/100: healthy. 4 actively exploited vulnerabilities (CISA KEV) affect older releases (e.g. CVE-2021-22205); staying on the latest supported version keeps you clear of them. The latest supported release is 19.0.2. It is on the latest patch with no significant known issues; keep it current.
Disclosure trend
(New CVEs published for GitLab each year (NVD). A higher bar means more disclosures that year: more scrutiny, not necessarily less safe.)
[Bar chart: CVEs published per year, 2019 through 2026]
⚠ 1 of its known vulnerabilities is linked to ransomware campaigns (CISA KEV).
Patch priority: what to act on
(The issues to fix first: actively exploited (CISA KEV) first, then by exploitation probability (EPSS), then severity. Each row's "→ fixed in" is the earliest version that patches it; "see advisory" means no fixed version is published.)
Most urgent first: actively exploited, then likeliest to be exploited.
CVE-2021-22205 · CRITICAL · exploited · ransomware · Code injection · EPSS 94% → fixed in 13.10.3
CVE-2023-7028 · CRITICAL · exploited · CWE-640 · EPSS 93% → fixed in 16.7.2
CVE-2021-22175 · MEDIUM · exploited · Server-side request forgery (SSRF) · EPSS 80% → fixed in 13.8.4
CVE-2021-39935 · MEDIUM · exploited · Server-side request forgery (SSRF) · EPSS 65% → fixed in 14.5.2
CVE-2021-22214 · MEDIUM · Server-side request forgery (SSRF) · EPSS 94% → fixed in 13.12.2
CVE-2023-2825 · CRITICAL · Path traversal · EPSS 92% → see advisory
CVE-2021-4191 · MEDIUM · EPSS 91% → fixed in 14.8.2
CVE-2022-2992 · CRITICAL · Injection · EPSS 91% → fixed in 15.3.2
CVE-2022-1162 · CRITICAL · Hard-coded credentials · EPSS 88% → fixed in 14.9.2
CVE-2022-2185 · CRITICAL · OS command injection · EPSS 87% → fixed in 15.0.4
CVE-2020-26413 · MEDIUM · Information disclosure · EPSS 82% → fixed in 13.6.2
CVE-2023-2442 · HIGH · Cross-site scripting (XSS) · EPSS 82% → fixed in 16.0.2

Versions & lifecycle
(When each release line stops receiving security patches (end-of-life). After EOL there are no more fixes; plan upgrades before these dates.)
How long each GitLab release line is supported, and when it sunsets.
19.0 · latest 19.0.2 · supported until 2026-08-20
18.11 · latest 18.11.5 · supported until 2026-07-16
18.10 · latest 18.10.8 · supported until 2026-06-18
18.9 · latest 18.9.8 · end of life (ended 2026-05-21)
18.8 · latest 18.8.10 · end of life (ended 2026-04-16)
18.7 · latest 18.7.7 · end of life (ended 2026-03-19)
18.6 · latest 18.6.8 · end of life (ended 2026-02-19)
18.5 · latest 18.5.7 · end of life (ended 2026-01-15)
18.4 · latest 18.4.6 · end of life (ended 2025-12-18)
18.3 · latest 18.3.6 · end of life (ended 2025-11-20)