Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service due to insufficient resource allocation limits when retrieving notes under certain conditions.
Published: 2026-04-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

An authenticated user may trigger a denial of service by exploiting a lack of throttling when the system retrieves notes under certain conditions. The flaw allows the attacker to exhaust processing resources or event queues, potentially halting normal system functionality for all users who depend on that feature.

Affected Systems

GitLab Community Edition and Enterprise Edition, every release from version 9.2 up to and including 18.9.5, 18.10.3, and 18.11.0 are affected. The issue does not apply to newer releases that implement tightened resource limits.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. EPSS data is not available, and the vulnerability is not currently listed in CISA’s KEV catalog. Exploitation requires an authenticated session and specifically targets the note‑retrieval pathway; attackers would need to harness legitimate access to trigger the resource exhaustion.

Generated by OpenCVE AI on April 27, 2026 at 08:48 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.9.6, 18.10.4, 18.11.1 or above.

OpenCVE Recommended Actions

  • Upgrade to GitLab 18.9.6, 18.10.4, 18.11.1 or later.
  • If an immediate upgrade is not possible, apply configuration limits on the processes that retrieve notes to cap CPU or memory usage.
  • Continuously monitor system resource consumption and set alerts for abnormal spikes that could indicate exploitation attempts.

Generated by OpenCVE AI on April 27, 2026 at 08:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:18.11.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:18.11.0:*:*:*:enterprise:*:*:*

Wed, 22 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service due to insufficient resource allocation limits when retrieving notes under certain conditions.
Title Allocation of Resources Without Limits or Throttling in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-770
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Gitlab Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-22T17:32:08.602Z

Reserved: 2025-06-11T20:31:44.547Z

Link: CVE-2025-6016

cve-icon Vulnrichment

Updated: 2026-04-22T17:30:51.037Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T17:16:33.410

Modified: 2026-04-23T20:49:42.693

Link: CVE-2025-6016

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T18:45:11Z

Weaknesses