Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service condition due to improper input validation when processing specially crafted JSON payloads in the protected branches API.
Published: 2026-03-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an improper input validation flaw in GitLab's protected branches API: an unauthenticated user can submit a specially crafted JSON payload that the API does not validate correctly before processing it. A successful attack causes a denial of service, leaving the API unavailable to legitimate users or exhausting resources on the instance. The weakness is classified as CWE-1284 (Improper Validation of Specified Quantity in Input), which covers input whose size, count or similar quantity is accepted without being checked against sane bounds; the advisory does not say which quantity in the JSON payload is involved.

Affected Systems

Affected systems are GitLab Community Edition and Enterprise Edition instances running any version from 16.11 up to, but not including, 18.7.6; 18.8 versions before 18.8.6; and 18.9 versions before 18.9.2. Both editions are covered by the CPE strings recorded for this CVE (community and enterprise); versions before 16.11 are not listed as affected.
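The three ranges above are easy to misread by hand (18.7.5 is affected, 18.7.6 is not; 18.8.0 is affected even though it is newer than 18.7.6). The following added example, which is not OpenCVE or GitLab code, turns them into a check you can run against the version string a GitLab instance reports. It assumes the version is in the form GitLab's GET /api/v4/version returns (for example "18.7.5-ee", where the edition suffix does not affect the comparison); the sample versions at the bottom are constructed for illustration.

```python
"""
Check whether a GitLab version falls in the ranges affected by CVE-2025-14513.

Added example, not OpenCVE or GitLab code. The ranges come from the advisory:
16.11 <= v < 18.7.6, 18.8 <= v < 18.8.6, 18.9 <= v < 18.9.2.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) per release line, taken from the advisory text.
AFFECTED_RANGES = [
    ((16, 11, 0), (18, 7, 6)),
    ((18, 8, 0), (18, 8, 6)),
    ((18, 9, 0), (18, 9, 2)),
]

# Accepts MAJOR.MINOR[.PATCH][-suffix], e.g. "18.7.5-ee" or "18.8" (assumed
# to be the shape of the "version" field from GET /api/v4/version).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-.*)?$")


def parse_version(text: str) -> Version:
    """Parse a GitLab version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(text: str) -> bool:
    """True when the version lies inside any affected range (fixed versions are not affected)."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(text: str) -> Optional[str]:
    """First fixed version in the matching range, or None when the version is not affected.
    Lines older than 18.7 fall into the first range and therefore map to 18.7.6."""
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return "%d.%d.%d" % hi
    return None


if __name__ == "__main__":
    # Constructed sample versions, not values observed on any real instance.
    for sample in ["16.10.3", "16.11.0", "17.4.2-ee", "18.7.5-ee", "18.7.6",
                   "18.8", "18.8.6", "18.9.1", "18.9.2"]:
        target = recommended_upgrade(sample)
        state = f"AFFECTED, upgrade to {target}" if target else "not affected"
        print(f"{sample:>10}: {state}")
```

Feed it the "version" value from GET /api/v4/version (which requires an authenticated API token on GitLab) or from the Admin Area; a version that parses but is rejected by the regex, such as a nightly build tag, should be treated as unknown rather than safe.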

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) scores 7.5 High: reachable over the network, low attack complexity, no privileges or user interaction required, with impact confined to availability. The EPSS score below 1% indicates a low estimated probability of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog; note, however, that the SSVC assessment recorded in the history below marks the exploitation status as "poc" and the attack as automatable, so the low EPSS should not be read as absence of working exploit code. Because no authentication is needed and the outcome is service interruption, the risk is availability loss rather than confidentiality or integrity compromise. Exploitation would involve sending a crafted JSON request to the protected branches API endpoint to trigger the denial of service.
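Until an instance is upgraded, the traffic shape the advisory describes (unauthenticated requests to the protected branches API that error out or stall) is worth watching in GitLab's api_json.log. The following added example is not OpenCVE or GitLab code; it reads JSON lines in the field layout GitLab documents for api_json.log (time, status, method, route, duration_s, remote_ip, username, user_id), and counts suspicious events per source IP. The log lines inside it are constructed for illustration, the duration threshold is an assumption to tune per instance, and the route pattern is the protected branches API path of GitLab's REST API.

```python
"""
Triage helper for GitLab api_json.log: surface unauthenticated requests to the
protected branches API that returned a 5xx or ran unusually long.

Added example, not OpenCVE or GitLab code. Field names follow GitLab's
documented api_json.log layout; the sample lines below are constructed.
"""
import json
from collections import Counter
from typing import Dict, Iterable

PROTECTED_BRANCHES_MARKER = "protected_branches"
SLOW_SECONDS = 5.0  # assumed threshold; normal calls to this route complete far faster


def is_suspicious(event: Dict) -> bool:
    """True for an unauthenticated protected-branches call that failed or stalled."""
    route = event.get("route") or event.get("path") or ""
    if PROTECTED_BRANCHES_MARKER not in route:
        return False
    if event.get("username") is not None or event.get("user_id") is not None:
        return False  # authenticated traffic is outside the advisory's scope
    status = int(event.get("status", 0))
    duration = float(event.get("duration_s", 0.0))
    return status >= 500 or duration >= SLOW_SECONDS


def triage(lines: Iterable[str]) -> Dict[str, int]:
    """Count suspicious events per remote IP; blank and malformed lines are skipped."""
    hits: Counter = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_suspicious(event):
            hits[event.get("remote_ip", "unknown")] += 1
    return dict(hits)


# Constructed sample log; IPs are documentation ranges, not real sources.
SAMPLE_LOG = """
{"time":"2026-03-12T10:00:01.000Z","severity":"INFO","duration_s":0.04,"status":200,"method":"GET","route":"/api/:version/projects/:id/protected_branches","remote_ip":"10.0.0.5","username":"alice","user_id":7}
{"time":"2026-03-12T10:00:02.000Z","severity":"INFO","duration_s":31.2,"status":500,"method":"POST","route":"/api/:version/projects/:id/protected_branches","remote_ip":"203.0.113.9","username":null,"user_id":null}
{"time":"2026-03-12T10:00:03.000Z","severity":"INFO","duration_s":28.7,"status":500,"method":"POST","route":"/api/:version/projects/:id/protected_branches","remote_ip":"203.0.113.9","username":null,"user_id":null}
{"time":"2026-03-12T10:00:04.000Z","severity":"INFO","duration_s":0.02,"status":401,"method":"POST","route":"/api/:version/projects/:id/protected_branches","remote_ip":"198.51.100.4","username":null,"user_id":null}
{"time":"2026-03-12T10:00:05.000Z","severity":"INFO","duration_s":0.03,"status":200,"method":"GET","route":"/api/:version/projects/:id/repository/branches","remote_ip":"203.0.113.9","username":null,"user_id":null}
not json at all
"""

if __name__ == "__main__":
    for ip, n in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}: {n} suspicious protected_branches request(s)")
```

A quick 401 from an unauthenticated client is ordinary noise and is not flagged; the signal is the combination of no identity, the protected branches route, and a server error or long processing time. Run it over the real file with `triage(open("/var/log/gitlab/gitlab-rails/api_json.log"))` and feed the per-IP counts to whatever rate limiting or blocking the instance already has in front of it.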

Generated by OpenCVE AI on March 17, 2026 at 14:44 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.7.6, 18.8.6, 18.9.2 or above.


OpenCVE Recommended Actions

  • Upgrade to GitLab version 18.7.6, 18.8.6, 18.9.2 or later.

Generated by OpenCVE AI on March 17, 2026 at 14:44 UTC.

Tracking


Advisories

No advisories yet.

History

Fri, 13 Mar 2026 12:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Wed, 11 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service condition due to improper input validation when processing specially crafted JSON payloads in the protected branches API.
Title Improper Validation of Specified Quantity in Input in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-1284
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-03-11T19:32:33.904Z

Reserved: 2025-12-11T06:33:37.961Z

Link: CVE-2025-14513

Vulnrichment

Updated: 2026-03-11T19:32:25.516Z

NVD

Status : Analyzed

Published: 2026-03-11T16:16:19.223

Modified: 2026-03-13T12:34:46.100

Link: CVE-2025-14513

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:30:45Z

Weaknesses