Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to cause denial of service through memory or CPU exhaustion by bypassing JSON validation middleware limits.
Published: 2026-02-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows any unauthenticated user to trigger a denial of service by sending crafted JSON requests that bypass the JSON validation middleware's limits, leading to memory or CPU exhaustion. The flaw is characterised as a boundary-checking failure on untrusted input. It does not provide direct code execution, but it can disrupt service availability for the entire instance.

Affected Systems

GitLab CE and EE instances running 18.4 or later but before 18.6.6, the 18.7 series before 18.7.4, or the 18.8 series before 18.8.4. Both Community and Enterprise editions are affected, because the issue resides in core middleware shared by all builds.

Risk and Exploitability

The vulnerability scores 7.5 on CVSS, indicating high severity. The EPSS score is below 1%, suggesting a low probability of active exploitation at the time of analysis, and the CVE is not listed in KEV; neither fact reduces the risk, since the attack vector remains viable. An attacker can send malicious JSON payloads without authentication, the system processes them, and resources may be exhausted, resulting in a service outage.

Generated by OpenCVE AI on April 17, 2026 at 20:22 UTC.

Remediation

Vendor Solution

Upgrade to version 18.6.6, 18.7.4, or 18.8.4, or a later release.

OpenCVE Recommended Actions

  • Upgrade the GitLab instance to 18.6.6, 18.7.4, or 18.8.4, or a newer release.
  • If an upgrade is not yet possible, restrict unauthenticated access to the API endpoints that accept JSON payloads, limiting the potential for resource exhaustion.
  • Implement application-level rate limiting or additional input validation to throttle or reject oversized or malformed JSON requests.

Generated by OpenCVE AI on April 17, 2026 at 20:22 UTC.

Advisories

No advisories yet.

History

Fri, 13 Feb 2026 15:45:00 +0000

Type                 Values Removed / Values Added
CPEs                 cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
                     cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Wed, 11 Feb 2026 16:15:00 +0000

Type                 Values Removed / Values Added
Metrics              ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 11:45:00 +0000

Type                 Values Removed / Values Added
Description          GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to cause denial of service through memory or CPU exhaustion by bypassing JSON validation middleware limits.
Title                Interpretation Conflict in GitLab
First Time appeared  Gitlab, Gitlab gitlab
Weaknesses           CWE-436
CPEs                 cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products   Gitlab, Gitlab gitlab
References
Metrics              cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-02-11T15:19:41.414Z

Reserved: 2026-01-14T19:33:49.737Z

Link: CVE-2026-0958

Vulnrichment

Updated: 2026-02-11T15:19:38.718Z

NVD

Status: Analyzed

Published: 2026-02-11T12:16:03.970

Modified: 2026-02-13T15:33:52.310

Link: CVE-2026-0958

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:30:15Z

Weaknesses