DevOps Pulse

GitLab's critical AI Gateway RCE vulnerability CVE-2026-1868

The flaw, rated CVSS 9.9, allows authenticated attackers to execute arbitrary commands, while Atlassian patched 12 critical vulnerabilities across its platform, including Apache Tomcat RCE flaws. Veeam completed a $1.725 billion acquisition of Securiti AI, creating significant competitive pressure with their unified Data Command Center approach against Veeam's security+backup convergence strategy. Supply chain attacks surged, with the Trivy vulnerability scanner compromised by TeamPCP threat actors, spreading credential stealers through GitHub Actions and npm packages. The PM team should prioritize GitLab patch deployment and accelerate the Securiti AI competitive response.

Signals: 29 · Sections: 5/5 · Threats: 8 · Fresh: 12 · Updated: 83d ago

DevOps Platform Updates

scanned 83d ago · 6

Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.

GitLab Critical AI Gateway RCE Vulnerability CVE-2026-1868

GitLab patched CVE-2026-1868, a critical CVSS 9.9 vulnerability in the self-hosted AI Gateway affecting the Duo Workflow Service. The flaw allows authenticated attackers to execute arbitrary commands via template injection in flow definitions. Fixed in versions 18.6.2, 18.7.1, and 18.8.1.

gitlab · Penligent AI · 10 Feb · Recent

GitLab Duo Agent Platform Reaches GA with Self-Hosted Models

GitLab 18.9 was released with Duo Agent Platform supporting self-hosted AI models for cloud licenses. Features include agentic SAST vulnerability resolution that autonomously analyzes findings and creates merge requests with fixes. The enhanced security dashboard includes a vulnerabilities-by-age chart.

gitlab · GitLab Blog · 19 Feb

Azure DevOps Remote MCP Server Launches in Microsoft Foundry

Microsoft released Azure DevOps Remote MCP Server in public preview, now available in Microsoft Foundry. It gives AI agents direct access to DevOps data, including work items, pull requests, pipelines, and repos, through a hosted endpoint with no local installation required.

azure-devops · DevOps.com · 23 Mar · Recent

Atlassian Fixes Critical Confluence and Jira Vulnerabilities

Atlassian patched CVE-2025-64756, a high-severity OS command injection vulnerability in Confluence Data Center and Server, plus 12 critical vulnerabilities across Bamboo, Bitbucket, Confluence, Crowd, and Jira. The fixes include Apache Tomcat RCE flaws with CVSS scores up to 9.8.

confluence · UC Berkeley Information Security Office · 18 Mar · Recent

Bitbucket OAuth Security Changes and App Password Deprecation

Bitbucket is implementing major OAuth security changes effective May 2026: removing refresh tokens from the client credentials flow, restricting personal workspace OAuth access, and deprecating app password integrations starting June 9, 2026. Migration to API tokens is required.

bitbucket · Atlassian Developer · 5 Mar

GitLab Agentic False Positive Detection Now Generally Available

GitLab 18.10 makes Duo Agent Platform available to free tier users via GitLab Credits. It features agentic code reviews at $0.25 per review and the GA release of agentic false positive detection for security scanning, to reduce alert fatigue and accelerate remediation.

gitlab · GitLab Press Release · 19 Mar · Recent