Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when processing certain webhook configuration inputs.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service from resource exhaustion
Action: Immediate Patch
AI Analysis

Impact

GitLab confirmed a flaw that allows an authenticated user to trigger a denial of service by providing specially crafted webhook configuration inputs. The issue arises from improper validation of specified quantities in the input, causing the system to consume excessive resources when processing the request. The resulting denial of service could impact availability for the entire instance, potentially disrupting user access and service continuity.

Affected Systems

The vulnerability affects GitLab Community Edition and GitLab Enterprise Edition in all releases from 16.10 up to, but not including, 18.8.7; from 18.9 up to, but not including, 18.9.3; and from 18.10 up to, but not including, 18.10.1. Users running any of these versions are considered impacted.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity risk, while the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The vulnerability is not listed in CISA's KEV catalog. An attacker must first authenticate to the GitLab instance; once authenticated, they can submit a malicious webhook configuration that drives the excessive resource consumption behind the denial of service. Upgrading to a fixed version is the preferred mitigation.

Generated by OpenCVE AI on March 26, 2026 at 19:25 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.8.7, 18.9.3, 18.10.1 or above.

OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.8.7 or later, 18.9.3 or later, or 18.10.1 or later.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:18.10.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:18.10.0:*:*:*:enterprise:*:*:*

Wed, 25 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when processing certain webhook configuration inputs.
Title Improper Validation of Specified Quantity in Input in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-1284
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-03-25T17:02:57.718Z

Reserved: 2025-11-12T16:33:36.271Z

Link: CVE-2025-13078

Vulnrichment

Updated: 2026-03-25T17:02:53.960Z

NVD

Status : Analyzed

Published: 2026-03-25T17:16:26.963

Modified: 2026-03-26T18:29:26.090

Link: CVE-2025-13078

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:30:18Z

Weaknesses