Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries.
Published: 2026-04-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

GitLab has a vulnerability in its GraphQL interface that allows an unauthenticated user to trigger a denial of service by sending repeated queries. The flaw arises from improper validation of a quantity specified in input. As a result, an attacker could exhaust server resources and degrade availability for all users. The weakness is classified as CWE-1284 (Improper Validation of Specified Quantity in Input).

Affected Systems

The affected product is GitLab Community Edition (CE) and Enterprise Edition (EE). In both editions, all releases from version 13.0 up to but not including 18.8.9, from 18.9.0 up to but not including 18.9.5, and from 18.10.0 up to but not including 18.10.3 are vulnerable.

Risk and Exploitability

The CVSS score is 7.5, indicating high severity. EPSS is less than 1%, suggesting low current exploitation probability, and it is not listed in the CISA KEV catalog. The vulnerability can be exploited by any remote user with network access to the GitLab instance, as authentication is not required. By repeatedly querying the GraphQL endpoint, an attacker can consume CPU and memory, leading to service interruption.

Generated by OpenCVE AI on April 14, 2026 at 20:22 UTC.

Remediation

Vendor Solution

Upgrade to version 18.8.9, 18.9.5, or 18.10.3, or any later release.


OpenCVE Recommended Actions

  • Upgrade to GitLab 18.8.9, 18.9.5, or 18.10.3, or any newer release.


Tracking


Advisories

No advisories yet.

History

Tue, 14 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 09 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries.
Title Improper Validation of Specified Quantity in Input in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-1284
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-09T13:03:53.739Z

Reserved: 2025-11-03T21:04:44.240Z

Link: CVE-2025-12664

Vulnrichment

Updated: 2026-04-09T13:03:50.824Z

NVD

Status : Analyzed

Published: 2026-04-08T23:16:56.200

Modified: 2026-04-14T17:04:59.650

Link: CVE-2025-12664

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:00:07Z

Weaknesses