Description
GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to cause denial of service to the GitLab instance due to improper input validation in GraphQL queries.
Published: 2026-04-08
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The weakness is improper validation of a specified quantity in input (CWE-1284): a quantity carried in GraphQL query input is not adequately bounded before GitLab Enterprise Edition acts on it. An authenticated user can submit a query whose quantity value drives excessive processing or resource consumption on the backend, degrading or denying service to every user of the instance. The advisory does not name the affected field or query, and confidentiality and integrity are not impacted (CVSS C:N/I:N/A:H); availability is the only affected property.

Affected Systems

GitLab EE instances running 18.2.0 through 18.8.8, 18.9.0 through 18.9.4, or 18.10.0 through 18.10.2 are affected. The fix ships in the 2026-04-08 patch releases 18.8.9, 18.9.5 and 18.10.3; branches older than 18.2 are outside the stated range. Note that the CPE recorded for this CVE (cpe:2.3:a:gitlab:gitlab:*) does not distinguish editions, so inventory tooling that matches on the CPE alone will flag CE installations as well.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) is medium severity: the attack is network-reachable with low complexity and needs no user interaction, but it does require an authenticated account, albeit one with only low privileges. No EPSS score is available yet, and the CVE is not listed in the CISA KEV catalog. Any account that can reach the GraphQL endpoint (/api/graphql on a GitLab instance) is sufficient, so on instances that allow self-registration or serve a large user base the bar is low. Successful exploitation exhausts backend processing resources and can leave the instance unresponsive for all users, and a compromised or low-privileged account can trigger it immediately.

Generated by OpenCVE AI on April 8, 2026 at 23:22 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.8.9, 18.9.5, 18.10.3 or above.
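As an added example (not part of this OpenCVE entry and not GitLab's own tooling), the following Python check maps an installed version string onto the three affected ranges above and names the first fixed release on that branch. It accepts the version string as printed by `sudo gitlab-rake gitlab:env:info` or returned by `GET /api/v4/version`; the `-ee`/`-ce` suffix is ignored because the CPE on this page does not distinguish editions, so the caller decides how to treat CE installations.

```python
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges taken from the advisory text: each entry is
# (first affected version, first fixed version) for one stable branch,
# i.e. the half-open interval [start, fixed).
AFFECTED_RANGES = [
    ((18, 2, 0), (18, 8, 9)),    # 18.2 before 18.8.9
    ((18, 9, 0), (18, 9, 5)),    # 18.9 before 18.9.5
    ((18, 10, 0), (18, 10, 3)),  # 18.10 before 18.10.3
]


def parse_version(raw: str) -> Version:
    """Parse 'v18.8.8', '18.8.8-ee' or '18.10.2-ce' into (18, 8, 8).

    The edition suffix is dropped: the advisory names GitLab EE, but the
    CPE on this page (cpe:2.3:a:gitlab:gitlab:...) does not distinguish
    editions, so the caller decides how to treat CE.
    """
    core = raw.strip().lstrip("v").split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {raw!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def fixed_version_for(raw: str) -> Optional[Version]:
    """Return the first fixed release on the installed version's branch,
    or None if the version is outside every affected range."""
    v = parse_version(raw)
    for start, fixed in AFFECTED_RANGES:
        if start <= v < fixed:
            return fixed
    return None


def is_affected(raw: str) -> bool:
    return fixed_version_for(raw) is not None


def format_version(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(raw: str) -> str:
    """One-line verdict suitable for a fleet inventory report."""
    fixed = fixed_version_for(raw)
    if fixed is None:
        return f"{raw}: not in an affected range for CVE-2026-1101"
    return f"{raw}: AFFECTED by CVE-2026-1101, upgrade to {format_version(fixed)} or later"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v in ["18.8.8-ee", "18.9.4-ee", "18.10.3-ee", "18.1.9-ee", "18.11.0-ee"]:
        print(assess(v))
```

Because the 18.2 range runs all the way to 18.8.9, an instance on an older branch such as 18.5.x is reported as affected with 18.8.9 as its target; that matches the vendor statement, which offers no patch releases for the intermediate branches.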


OpenCVE Recommended Actions

  • Upgrade GitLab to a fixed Enterprise Edition release for your branch (18.8.9, 18.9.5, 18.10.3, or newer).
  • If an upgrade is not immediately possible, reduce exposure in the interim: apply per-user and per-IP rate limits to /api/graphql (through the Admin Area rate-limit settings or the reverse proxy in front of GitLab), review who holds accounts and disable self-registration where it is not needed. Treat these as stopgaps rather than a fix; the advisory does not identify the vulnerable query, so they cannot be targeted precisely.
  • Monitor Puma and Sidekiq CPU and memory, request latency, and GitLab's GraphQL request log (graphql_json.log under the gitlab-rails log directory on Omnibus installs) for bursts of queries from a single account, unusually slow queries, or repeated queries near the instance's complexity limit.
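The monitoring bullet above, worked through as an added example that is not part of this entry or of GitLab: a Python script that parses a constructed excerpt in the one-JSON-record-per-line shape of GitLab's graphql_json.log and flags per-account bursts, slow queries and high-complexity queries. The field names (time, username, operation_name, complexity, depth, duration_s) and all thresholds are assumptions for this example; confirm the field names against a line from your own instance, and set the complexity threshold relative to the limit your instance actually enforces.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List

# Field names below (time, username, operation_name, complexity, depth,
# duration_s) are an assumption about the shape of GitLab's
# graphql_json.log; confirm them against a line from your own instance
# before pointing this at real data.
TIME_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def _ts(seconds_after: int) -> str:
    """Timestamp helper for the constructed sample below."""
    base = datetime(2026, 4, 9, 10, 0, 0, tzinfo=timezone.utc)
    return (base + timedelta(seconds=seconds_after)).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def constructed_sample() -> str:
    """Constructed log excerpt, not output from a real GitLab instance."""
    lines = []
    for i in range(3):   # ordinary use: a few cheap queries
        lines.append(json.dumps({"time": _ts(i * 10), "username": "alice",
                                 "operation_name": "ProjectIssues",
                                 "complexity": 40, "depth": 4, "duration_s": 0.1}))
    for i in range(35):  # one account hammering the endpoint: 35 queries in 35 s
        lines.append(json.dumps({"time": _ts(100 + i), "username": "bob",
                                 "operation_name": "ListMergeRequests",
                                 "complexity": 120, "depth": 6, "duration_s": 0.4}))
    # a single expensive query that ties up a worker for 12.5 s
    lines.append(json.dumps({"time": _ts(300), "username": "carol",
                             "operation_name": "WideGroupQuery",
                             "complexity": 240, "depth": 12, "duration_s": 12.5}))
    lines.append("not a json line; the parser must skip it")
    return "\n".join(lines) + "\n"


def parse_log(text: str) -> List[dict]:
    """Parse one JSON record per line, skipping malformed lines and records
    without a usable timestamp; return the events in time order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["_t"] = datetime.strptime(rec["time"], TIME_FMT).replace(tzinfo=timezone.utc)
        except (ValueError, KeyError, TypeError):
            continue
        events.append(rec)
    events.sort(key=lambda r: r["_t"])
    return events


def detect(events: List[dict], window_s: int = 60, max_per_window: int = 30,
           slow_s: float = 5.0, complexity_warn: int = 200) -> List[dict]:
    """Flag three patterns that would accompany abuse of a GraphQL DoS:
    a burst of queries from one account inside a sliding window, any
    single slow query, and queries near the instance's complexity limit.
    Thresholds are starting points for tuning, not GitLab's own limits."""
    alerts = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    burst_reported = set()
    for rec in events:
        user = rec.get("username") or "<anonymous>"
        t = rec["_t"]
        window = recent[user]
        window.append(t)
        while (t - window[0]).total_seconds() > window_s:  # drop events outside the window
            window.popleft()
        if len(window) > max_per_window and user not in burst_reported:
            burst_reported.add(user)  # report each account's burst once
            alerts.append({"time": rec["time"], "user": user, "reason": "burst",
                           "detail": f"{len(window)} GraphQL queries within {window_s}s"})
        if float(rec.get("duration_s", 0)) >= slow_s:
            alerts.append({"time": rec["time"], "user": user, "reason": "slow_query",
                           "detail": f"{rec.get('operation_name')} took {rec['duration_s']}s"})
        if int(rec.get("complexity", 0)) >= complexity_warn:
            alerts.append({"time": rec["time"], "user": user, "reason": "high_complexity",
                           "detail": f"complexity {rec['complexity']}, depth {rec.get('depth')}"})
    return alerts


def run_on_sample() -> List[dict]:
    return detect(parse_log(constructed_sample()))


if __name__ == "__main__":
    for a in run_on_sample():
        print(f"{a['time']} {a['user']:<8} {a['reason']:<16} {a['detail']}")
```

On the constructed sample this reports one burst for bob (on the 31st query inside the 60 s window), plus a slow-query and a high-complexity alert for carol's single expensive query; alice's ordinary traffic produces nothing. The burst is reported once per account rather than on every subsequent query so that an alerting pipeline is not flooded by the very traffic it is meant to catch.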

Generated by OpenCVE AI on April 8, 2026 at 23:22 UTC.


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 22:45:00 +0000

Type                 Values Removed   Values Added
Description                           GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to cause denial of service to the GitLab instance due to improper input validation in GraphQL queries.
Title                                 Improper Validation of Specified Quantity in Input in GitLab
First Time appeared                   Gitlab
                                      Gitlab gitlab
Weaknesses                            CWE-1284
CPEs                                  cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products                    Gitlab
                                      Gitlab gitlab
References
Metrics                               cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-08T22:26:07.834Z

Reserved: 2026-01-16T22:33:15.858Z

Link: CVE-2026-1101

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-08T23:16:57.667

Modified: 2026-04-08T23:16:57.667

Link: CVE-2026-1101

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:25:35Z

Weaknesses