Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service due to improper input validation of JSON payloads.
Published: 2026-04-08
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

An unauthenticated user can trigger a denial of service on GitLab by sending a specially crafted JSON payload that bypasses input validation. The flaw is classified as CWE-1284 (Improper Validation of Specified Quantity in Input): a quantity specified in the payload is not properly validated, so processing it can crash the server or exhaust its resources. The result is a loss of availability for the affected instance.

Affected Systems

All GitLab Community Edition and Enterprise Edition installations from version 12.10 up to, but not including, 18.8.9, 18.9 up to, but not including, 18.9.5, and 18.10 up to, but not including, 18.10.3 are impacted. Newer releases (18.8.9, 18.9.5, 18.10.3 and above) have the fix applied.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. The metadata does not contain an EPSS value, so the precise exploitation probability is unknown, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector, inferred from the description, is that an attacker can supply arbitrary JSON data over an unauthenticated HTTP request to the vulnerable endpoint. No special privileges are required, and the impact is limited to denial of service rather than data compromise. Organizations running vulnerable GitLab instances should consider patching promptly.

Generated by OpenCVE AI on April 8, 2026 at 23:21 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.8.9, 18.9.5, 18.10.3 or above.


OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.8.9, 18.9.5, 18.10.3 or newer.
  • If an immediate upgrade is not possible, limit unauthenticated access to GitLab’s API endpoints or apply rate-limiting to reduce potential abuse.
  • Monitor system logs for repeated malformed JSON requests and investigate suspected denial-of-service attempts.



Advisories

No advisories yet.

History

Wed, 08 Apr 2026 22:45:00 +0000

Values added (no values were removed in this change):

  • Description: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service due to improper input validation of JSON payloads.
  • Title: Improper Validation of Specified Quantity in Input in GitLab
  • First Time appeared: Gitlab; Gitlab gitlab
  • Weaknesses: CWE-1284
  • CPEs: cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
  • Vendors & Products: Gitlab; Gitlab gitlab
  • References: (none listed)
  • Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-08T22:26:12.837Z

Reserved: 2026-01-16T21:04:09.219Z

Link: CVE-2026-1092

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-08T23:16:57.510

Modified: 2026-04-08T23:16:57.510

Link: CVE-2026-1092

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:25:34Z

Weaknesses