Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when handling certain CI-related inputs.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

GitLab versions from 13.7 up to 18.10.0 contain a flaw that allows an authenticated user to trigger excessive resource consumption during CI processing. The vulnerability originates from unbounded allocation of resources when handling specific CI inputs, which can exhaust memory or CPU and ultimately render the service unavailable. The weakness is identified as CWE‑770, Resource Exhaustion.

Affected Systems

All GitLab Community Edition and Enterprise Edition deployments from version 13.7 through 18.10.0 are affected. Users should ensure their installations are at least 18.8.7, 18.9.3, or 18.10.1 or newer to receive the remediation fix. No further granularity is listed beyond the major product line.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity; combined with an EPSS of less than 1 percent, the likelihood of exploitation in the wild is low. The vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread attacks. Exploitation requires authenticated access to the platform, so internal users with pipeline or job-create permissions pose the primary threat vector. Once exploited, the attacker can cause a denial of service that affects all users on the affected instance.

Generated by OpenCVE AI on March 26, 2026 at 19:25 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.8.7, 18.9.3, 18.10.1 or above.

OpenCVE Recommended Actions

  • Upgrade your GitLab installation to release 18.8.7, 18.9.3, 18.10.1 or any later version.

Generated by OpenCVE AI on March 26, 2026 at 19:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:18.10.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:18.10.0:*:*:*:enterprise:*:*:*

Wed, 25 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when handling certain CI-related inputs.
Title Allocation of Resources Without Limits or Throttling in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-770
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Gitlab Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-03-25T17:03:54.631Z

Reserved: 2025-11-19T17:33:30.427Z

Link: CVE-2025-13436

cve-icon Vulnrichment

Updated: 2026-03-25T17:03:50.254Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T17:16:27.163

Modified: 2026-03-26T18:28:49.180

Link: CVE-2025-13436

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:30:19Z

Weaknesses