Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service under certain conditions by exhausting server resources by making crafted requests to a discussions endpoint.
Published: 2026-04-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The flaw allows an authenticated user to send specially crafted requests to GitLab’s discussions endpoint, causing the server to allocate resources without limits or throttling. This can deplete memory, CPU, or other critical resources, leading to a denial of service. The vulnerability is identified as CWE-770, reflecting a lack of resource management controls.

Affected Systems

GitLab Community Edition and Enterprise Edition are affected. All versions from 10.6 up to 18.9.5, 18.10 up to 18.10.3, and 18.11 up to 18.11.0 can be impacted. The vendor’s advisory lists GitLab as the sole affected product.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. EPSS data is not available, so the likelihood of exploitation presently cannot be quantified, and the vulnerability is not listed in CISA’s KEV catalog. The attack requires authenticated access to the application and crafted HTTP requests directed at the discussions endpoint; thus, it is a post-authentication, internal‑side vulnerability that can surface if an account with sufficient privileges can be used.

Generated by OpenCVE AI on April 22, 2026 at 18:19 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.9.6, 18.10.4, 18.11.1 or above.

OpenCVE Recommended Actions

  • Upgrade the GitLab cluster to version 18.9.6, 18.10.4, 18.11.1 or later as recommended by the vendor.
  • If an immediate upgrade is not feasible, apply temporary rate limiting or request throttling on the discussions endpoint to restrict resource consumption per user.
  • Continuously monitor host resource usage for abnormal spikes and validate that the rate limiting remains effective until the patch is applied.

Generated by OpenCVE AI on April 22, 2026 at 18:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:18.11.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:18.11.0:*:*:*:enterprise:*:*:*

Wed, 22 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service under certain conditions by exhausting server resources by making crafted requests to a discussions endpoint.
Title Allocation of Resources Without Limits or Throttling in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-770
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Gitlab Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-22T17:25:02.340Z

Reserved: 2025-01-03T00:02:41.691Z

Link: CVE-2025-0186

cve-icon Vulnrichment

Updated: 2026-04-22T17:24:44.356Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T17:16:32.950

Modified: 2026-04-23T20:51:15.290

Link: CVE-2025-0186

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T20:15:20Z

Weaknesses