Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances.
Published: 2026-03-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an uncontrolled recursion in GitLab’s GraphQL processing that can be triggered by an unauthenticated user. By sending specially crafted GraphQL requests, an attacker can cause excessive CPU and memory usage, potentially exhausting system resources and resulting in service interruption. This issue, classified as CWE-674, is a denial of service vulnerability.

Affected Systems

The issue affects GitLab Community Edition and Enterprise Edition installations running any 18.9 release older than 18.9.2. All affected deployments are covered under the GitLab:GitLab vendor product line as defined in the CPE list.

Risk and Exploitability

The CVSS base score of 7.5 classifies this as a high severity vulnerability. The EPSS score is reported as less than 1%, indicating a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Attackers can trigger the denial of service remotely via unauthenticated GraphQL requests as described in the vendor’s advisory.

Generated by OpenCVE AI on March 17, 2026 at 15:28 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.7.6, 18.8.6, 18.9.2 or above.

OpenCVE Recommended Actions

  • Upgrade to GitLab version 18.7.6, 18.8.6, 18.9.2 or later.

Generated by OpenCVE AI on March 17, 2026 at 15:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 12:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Wed, 11 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances.
Title Uncontrolled Recursion in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-674
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Gitlab Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-03-11T19:39:56.098Z

Reserved: 2026-01-16T20:04:12.779Z

Link: CVE-2026-1069

cve-icon Vulnrichment

Updated: 2026-03-11T19:39:50.912Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T16:16:22.170

Modified: 2026-03-13T12:35:38.543

Link: CVE-2026-1069

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:30:46Z

Weaknesses