Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service due to improper input validation of JSON payloads.
Published: 2026-04-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

GitLab has a flaw where optional JSON payloads are not properly validated. An unauthenticated user can send a crafted JSON request that forces the server into an infinite or long-running loop, exhausting resources and rendering the instance unavailable. The failure stems from improper handling of a quantity specified in the input, matching the definition of CWE-1284 (Improper Validation of Specified Quantity in Input). The result is a denial of service that affects all users of the instance.

Affected Systems

All GitLab Community Edition and Enterprise Edition instances from version 12.10 up to 18.8.8, from 18.9 up to 18.9.4, and from 18.10 up to 18.10.2 are vulnerable. Any GitLab server that has not applied the 18.8.9, 18.9.5, 18.10.3, or later patch is at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score of less than 1% suggests a low current probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Nevertheless, because the denial of service can be triggered by unauthenticated users over the network, any reachable, unpatched instance can be taken down with little effort. The attack vector is inferred to be an unauthenticated HTTP request to an API endpoint that accepts JSON input.

Generated by OpenCVE AI on April 14, 2026 at 19:37 UTC.

Remediation

Vendor Solution

Upgrade to version 18.8.9, 18.9.5, 18.10.3 or later.


OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.8.9 or newer; if you are on 18.9, use 18.9.5; if on 18.10, use 18.10.3 or later.
  • If an immediate upgrade is not possible, isolate the GitLab instance from broad network exposure until the patch can be applied.


Advisories

No advisories yet.

History

Tue, 14 Apr 2026 17:45:00 +0000

Type | Values Removed | Values Added
CPEs:
  cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 09 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics: ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service due to improper input validation of JSON payloads.
Title: Improper Validation of Specified Quantity in Input in GitLab
First Time appeared: Gitlab; Gitlab gitlab
Weaknesses: CWE-1284
CPEs: cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products: Gitlab; Gitlab gitlab
References:
Metrics: cvssV3_1
  {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-09T15:09:51.969Z

Reserved: 2026-01-16T21:04:09.219Z

Link: CVE-2026-1092

Vulnrichment

Updated: 2026-04-09T15:09:47.911Z

NVD

Status: Analyzed

Published: 2026-04-08T23:16:57.510

Modified: 2026-04-14T17:38:07.330

Link: CVE-2026-1092

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:00:07Z

Weaknesses