Description
GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to cause denial of service to the GitLab instance due to improper input validation in GraphQL queries.
Published: 2026-04-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

GitLab Enterprise Edition contains a flaw in GraphQL query handling that allows an authenticated user to submit improperly validated input. The vulnerability can drive the GitLab instance into a state that results in denial of service, preventing legitimate users from accessing the platform. The weakness is a form of insufficient input validation, classified as CWE-1284 (Improper Validation of Specified Quantity in Input), and it undermines the availability of the service for all users of the affected instance.

Affected Systems

The issue affects all GitLab EE installations running versions from 18.2 up to and including 18.8.8, from 18.9 up to and including 18.9.4, and from 18.10 up to and including 18.10.2. No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% indicates a low likelihood of exploitation. The vulnerability is not listed in CISA's KEV catalog, so there is no confirmed report of exploitation in the wild. Because exploitation requires authentication (PR:L in the CVSS vector), an attacker must first hold valid credentials for the GitLab instance. Successful exploitation disrupts service availability but does not compromise data confidentiality or integrity (C:N/I:N/A:H). The mitigation path is clear: upgrade to 18.8.9, 18.9.5, or 18.10.3, or any newer release.

Generated by OpenCVE AI on April 14, 2026 at 15:30 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.8.9, 18.9.5, 18.10.3 or above.


OpenCVE Recommended Actions

  • Upgrade GitLab to a patched version (18.8.9, 18.9.5, 18.10.3, or newer).
  • Verify that GitLab functions normally after the upgrade and monitor logs to confirm the instance has recovered.

Generated by OpenCVE AI on April 14, 2026 at 15:30 UTC.


Advisories

No advisories yet.

History

Tue, 14 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
CPEs |                | cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 09 Apr 2026 16:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 22:45:00 +0000

Type                | Values Removed | Values Added
Description         |                | GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to cause denial of service to the GitLab instance due to improper input validation in GraphQL queries.
Title               |                | Improper Validation of Specified Quantity in Input in GitLab
First Time appeared |                | Gitlab; Gitlab gitlab
Weaknesses          |                | CWE-1284
CPEs                |                | cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products  |                | Gitlab; Gitlab gitlab
References          |                |
Metrics             |                | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-09T15:41:03.766Z

Reserved: 2026-01-16T22:33:15.858Z

Link: CVE-2026-1101

Vulnrichment

Updated: 2026-04-09T15:40:58.797Z

NVD

Status: Analyzed

Published: 2026-04-08T23:16:57.667

Modified: 2026-04-14T14:05:39.397

Link: CVE-2026-1101

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:36:59Z

Weaknesses