DevOps Platform Updates
Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.
GitLab Critical AI Gateway RCE Vulnerability CVE-2026-1868
GitLab patched CVE-2026-1868, a critical (CVSS 9.9) vulnerability in the self-hosted AI Gateway that affects the Duo Workflow Service. The flaw allows authenticated attackers to execute arbitrary commands via template injection in flow definitions. It is fixed in versions 18.6.2, 18.7.1, and 18.8.1.
GitLab Duo Agent Platform Reaches GA with Self-Hosted Models
GitLab 18.9 was released with Duo Agent Platform supporting self-hosted AI models for cloud licenses. Features include agentic SAST vulnerability resolution that autonomously analyzes findings and creates merge requests with fixes. The enhanced security dashboard includes a vulnerabilities-by-age chart.
Azure DevOps Remote MCP Server Launches in Microsoft Foundry
Microsoft released the Azure DevOps Remote MCP Server in public preview, now available in Microsoft Foundry. It gives AI agents direct access to DevOps data, including work items, pull requests, pipelines, and repos, through a hosted endpoint with no local installation required.
Atlassian Fixes Critical Confluence and Jira Vulnerabilities
Atlassian patched CVE-2025-64756, a high-severity OS command injection vulnerability in Confluence Data Center and Server, plus 12 critical vulnerabilities across Bamboo, Bitbucket, Confluence, Crowd, and Jira. The fixes include Apache Tomcat RCE flaws with CVSS scores up to 9.8.
Bitbucket OAuth Security Changes and App Password Deprecation
Bitbucket is implementing major OAuth security changes effective May 2026: removing refresh tokens from the client credentials flow, restricting personal workspace OAuth access, and deprecating app password integrations starting June 9, 2026. Migration to API tokens is required.
GitLab Agentic False Positive Detection Now Generally Available
GitLab 18.10 makes Duo Agent Platform available to free tier users via GitLab Credits. It features agentic code reviews at $0.25 per review and the GA release of agentic false positive detection for security scanning, intended to reduce alert fatigue and accelerate remediation.