Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries.
Published: 2026-04-08
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The flaw lies in how GitLab handles requests to its GraphQL API. A request can specify a quantity that the server does not adequately validate, and an oversized value makes the server perform work that consumes significant processing resources. Because the endpoint accepts these requests without authentication, an attacker can send them repeatedly and exhaust the server's capacity to answer legitimate traffic, producing a denial of service. The weakness is catalogued as CWE-1284 (Improper Validation of Specified Quantity in Input).

Affected Systems

This issue affects GitLab Community and Enterprise Editions. All releases version 13.0 through 18.8.8, 18.9.0 through 18.9.4, and 18.10.0 through 18.10.2 are susceptible. Versions 18.8.9, 18.9.5, 18.10.3, and later releases are not affected.

Risk and Exploitability

The CVSS 3.1 base score is 7.5 (High), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, and an availability impact only (no confidentiality or integrity impact). No EPSS data is available yet, and the CVE is not listed in the CISA KEV catalog. Because the vulnerable GraphQL endpoint accepts queries without authentication, anyone who can reach the instance can send the repeated requests needed to exhaust it, so the exploitation condition is easy to meet on Internet-facing installations. Organizations still running affected versions should treat the risk as significant.

Generated by OpenCVE AI on April 8, 2026 at 23:51 UTC.

Remediation

Vendor Solution

Upgrade to version 18.8.9, 18.9.5, or 18.10.3, or any later release.

OpenCVE Recommended Actions

  • Upgrade to GitLab 18.8.9, 18.9.5, 18.10.3 or later, which contain the fix.
  • Restrict unauthenticated access to the GraphQL endpoint (/api/graphql) with firewall or gateway rules where the instance does not need to be reachable by anonymous clients; GitLab's own web interface calls this endpoint, so confirm that signed-in browsing still works after adding such rules.
  • Configure rate limiting on GraphQL traffic to cap the number of requests a single client address can send per unit of time, which blunts the repeated-request pattern this flaw depends on.
  • Monitor request logs for bursts of GraphQL queries, especially unauthenticated ones from a single source, and investigate anomalous patterns.
  • Regularly check GitLab’s security advisories for updates.
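One concrete way to do the log monitoring recommended above, added here as an example and not code from GitLab or OpenCVE: the script below reads lines in the shape of GitLab's production_json.log (the field names remote_ip, path, user_id, time and duration_s are assumed to match that format), keeps only anonymous POSTs to /api/graphql, and flags any source address that reaches a request threshold within a sliding time window, together with the server time those requests consumed. The sample log lines are constructed inline so the script runs offline.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# --- Constructed sample data (not real GitLab logs) -------------------------
# Field names (path, remote_ip, user_id, time, duration_s) are assumed to follow
# GitLab's production_json.log layout; addresses and timestamps are made up.
BASE = datetime(2026, 4, 8, 22, 45, 0, tzinfo=timezone.utc).timestamp()


def _line(offset_s, ip, user_id=None, path="/api/graphql", duration=0.35):
    ts = datetime.fromtimestamp(BASE + offset_s, tz=timezone.utc)
    return json.dumps({
        "method": "POST", "path": path, "controller": "GraphqlController",
        "action": "execute", "status": 200,
        "time": ts.strftime("%Y-%m-%dT%H:%M:%S.%fZ"),
        "remote_ip": ip, "user_id": user_id, "duration_s": duration,
    })


SAMPLE_LOG = (
    # 150 anonymous GraphQL calls from one address inside 30 seconds, each slow
    [_line(i * 0.2, "203.0.113.7", duration=1.8) for i in range(150)]
    # a handful of anonymous calls from a second address
    + [_line(i * 10, "198.51.100.4") for i in range(5)]
    # a signed-in user hitting GraphQL hard: not the unauthenticated case
    + [_line(i * 0.5, "192.0.2.9", user_id=42) for i in range(120)]
    # unrelated REST traffic and one unparsable line
    + [_line(3, "198.51.100.4", path="/api/v4/projects"), "not json"]
)


def _epoch(ts):
    """Parse the log's ISO 8601 UTC timestamp ('...Z') into epoch seconds."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


def flag_graphql_bursts(lines, window_s=60, threshold=100):
    """Return {ip: (peak_requests_in_any_window, total_server_seconds)} for
    every source address whose unauthenticated /api/graphql request count
    reaches `threshold` within any `window_s`-second sliding window."""
    per_ip = defaultdict(list)
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines
        if rec.get("path") != "/api/graphql" or rec.get("user_id") is not None:
            continue  # only anonymous GraphQL requests matter here
        per_ip[rec["remote_ip"]].append(
            (_epoch(rec["time"]), float(rec.get("duration_s", 0.0))))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        window = deque()  # timestamps inside the current sliding window
        peak = 0
        for t, _ in events:
            window.append(t)
            while t - window[0] > window_s:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            flagged[ip] = (peak, round(sum(d for _, d in events), 2))
    return flagged


if __name__ == "__main__":
    for ip, (peak, secs) in flag_graphql_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {peak} anonymous GraphQL requests in a 60 s window, "
              f"{secs} s of server time")
```

Against a real file, pass the open file object as `lines`. The threshold and window are parameters because normal anonymous GraphQL volume differs between deployments; a flagged address is a lead to investigate (and a candidate for a rate-limit or block rule), not proof that this CVE is being exploited.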


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 22:45:00 +0000

Type / Values Removed / Values Added (this entry only adds values; nothing was removed)
Description: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries.
Title: Improper Validation of Specified Quantity in Input in GitLab
First Time appeared: Gitlab; Gitlab gitlab
Weaknesses: CWE-1284
CPEs: cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products: Gitlab; Gitlab gitlab
References: (none)
Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-08T22:26:42.854Z

Reserved: 2025-11-03T21:04:44.240Z

Link: CVE-2025-12664

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-08T23:16:56.200

Modified: 2026-04-08T23:16:56.200

Link: CVE-2025-12664

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:25:33Z

Weaknesses