Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.4 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service by overwhelming system resources under certain conditions due to insufficient resource allocation limits in the GraphQL API.
Published: 2026-04-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via resource exhaustion
Action: Immediate Patch
AI Analysis

Impact

GitLab CE and Enterprise Edition contain a flaw that allows an authenticated user to send specially crafted GraphQL queries that consume excessive system resources, potentially leading to a denial of service. The weakness is identified as CWE-770, which highlights the lack of resource allocation limits.

Affected Systems

All GitLab installations from version 12.4 through 18.9.5, 18.10.x before 18.10.4, and 18.11.x before 18.11.1 are vulnerable. The vendor recommends upgrading to 18.9.6, 18.10.4, 18.11.1 or any later release to mitigate the issue.

Risk and Exploitability

With a CVSS score of 6.5, the vulnerability poses a moderate risk. The EPSS score is not available and the vulnerability has not been listed in the CISA KEV catalog. Exploitation requires an authenticated user with access to the GraphQL API, and the attacker can trigger resource exhaustion that may bring the GitLab instance or hosting server offline.

Generated by OpenCVE AI on April 22, 2026 at 18:20 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.9.6, 18.10.4, 18.11.1 or above.

OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.9.6, 18.10.4, 18.11.1 or any later release as stated by the vendor.
  • Restrict the use of the GraphQL API to trusted users or apply server‑side throttling to limit request rates while a patch is applied.
  • Monitor system and application logs for sudden increases in GraphQL activity that could indicate an attempted resource exhaustion attack.

Generated by OpenCVE AI on April 22, 2026 at 18:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:18.11.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:18.11.0:*:*:*:enterprise:*:*:*

Wed, 22 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.4 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service by overwhelming system resources under certain conditions due to insufficient resource allocation limits in the GraphQL API.
Title Allocation of Resources Without Limits or Throttling in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-770
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Gitlab Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-22T17:28:16.879Z

Reserved: 2025-04-24T13:02:02.717Z

Link: CVE-2025-3922

cve-icon Vulnrichment

Updated: 2026-04-22T17:27:58.570Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T17:16:33.123

Modified: 2026-04-23T20:50:26.150

Link: CVE-2025-3922

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T19:15:24Z

Weaknesses