Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.3 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that under certain conditions could have allowed an authenticated user to cause a denial of service due to improper handling of webhook response data.
Published: 2026-03-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

GitLab allocates resources without limits or throttling on certain webhook response handling paths, so an authenticated user who triggers those paths can cause a denial of service. The flaw is classified as CWE-770 (Allocation of Resources Without Limits or Throttling): a single user can degrade the availability of the GitLab instance by exhausting system resources during webhook processing.

Affected Systems

The affected product is GitLab (vendor GitLab), both CE and EE. All versions from 9.3 up to, but not including, 18.7.6, from 18.8 up to but not including 18.8.6, and from 18.9 up to but not including 18.9.2 are vulnerable.

Risk and Exploitability

The CVSS score is 6.5, indicating a moderate severity. The EPSS score is less than 1% and the vulnerability is not listed in the CISA KEV catalog. The attack can be carried out by an authenticated user who can trigger a webhook response that forces the application to allocate excessive resources. Exploitation requires that the attacker can influence the webhook content and the conditions under which the vulnerable code path is executed.

Generated by OpenCVE AI on March 18, 2026 at 14:48 UTC.

Remediation

Vendor Solution

Upgrade to version 18.7.6, 18.8.6, or 18.9.2, or a later release.


OpenCVE Recommended Actions

  • Apply the vendor’s patch by upgrading to GitLab 18.7.6, 18.8.6, 18.9.2, or a newer release.


Tracking


Advisories

No advisories yet.

History

Wed, 18 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Wed, 11 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.3 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that under certain conditions could have allowed an authenticated user to cause a denial of service due to improper handling of webhook response data.
Title Allocation of Resources Without Limits or Throttling in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-770
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-03-11T19:36:36.682Z

Reserved: 2025-10-31T21:03:53.658Z

Link: CVE-2025-12576

Vulnrichment

Updated: 2026-03-11T17:11:24.491Z

NVD

Status : Analyzed

Published: 2026-03-11T16:16:18.030

Modified: 2026-03-18T13:35:10.283

Link: CVE-2025-12576

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:30:41Z

Weaknesses