Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted JSON payloads due to insufficient input validation.
Published: 2026-05-14
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab contains an input validation weakness that lets an unauthenticated user submit specially crafted JSON payloads. Processing such payloads can exhaust server resources and cause a denial of service, interrupting GitLab's availability. The flaw is classified as CWE-770, "Allocation of Resources Without Limits or Throttling."

Affected Systems

The affected product is GitLab Community and Enterprise Editions. Versions from 18.5 up to but not including 18.9.7, from 18.10 up to but not including 18.10.6, and from 18.11 up to but not including 18.11.3 are vulnerable. Upgrading to 18.9.7, 18.10.6, 18.11.3 or later resolves the issue.

Risk and Exploitability

The CVSS 3.1 score of 7.5 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates high severity with an availability-only impact. No EPSS value is available and the vulnerability is not listed in the CISA KEV catalog. The vector indicates an unauthenticated network actor sending crafted JSON to reachable endpoints, with low attack complexity and no user interaction, so exploitation requires no credentials.

Generated by OpenCVE AI on May 14, 2026 at 07:22 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.9.7, 18.10.6, 18.11.3 or above.

OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.9.7, 18.10.6, 18.11.3, or a later release that contains the fix.
  • If a version upgrade cannot be performed immediately, apply network filtering or rate-limiting to the GitLab API endpoints that accept JSON to reduce the opportunity for automated abuse.
  • Monitor incident and audit logs for repeated malformed JSON payloads to detect ongoing attempts to trigger the denial of service.

Generated by OpenCVE AI on May 14, 2026 at 07:22 UTC.


Advisories

No advisories yet.

History

Sat, 16 May 2026 03:45:00 +0000

Type: CPEs
Values removed: none
Values added:
  cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 14 May 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added:
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 06:00:00 +0000

Initial record; all entries below are values added, nothing removed.

Type: Description
Values added: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted JSON payloads due to insufficient input validation.

Type: Title
Values added: Allocation of Resources Without Limits or Throttling in GitLab

Type: First Time Appeared
Values added: Gitlab; Gitlab gitlab

Type: Weaknesses
Values added: CWE-770

Type: CPEs
Values added: cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values added: Gitlab; Gitlab gitlab

Type: References
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-05-14T13:03:02.406Z

Reserved: 2025-12-18T05:04:02.069Z

Link: CVE-2025-14870

Vulnrichment

Updated: 2026-05-14T13:02:52.386Z

NVD

Status: Analyzed

Published: 2026-05-14T06:16:20.887

Modified: 2026-05-16T03:38:00.237

Link: CVE-2025-14870

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T09:00:11Z

Weaknesses