Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a denial of service condition by sending repeated malformed SSH authentication requests.
Published: 2026-01-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

GitLab versions before 18.6.4, 18.7 versions before 18.7.2, and 18.8 versions before 18.8.2 allocate resources without limits or throttling when processing malformed SSH authentication requests, which is why the issue is classified as CWE-770. An unauthenticated attacker who can reach the SSH endpoint can send repeated malformed authentication requests and drive resource consumption up until service availability degrades. The advisory does not say which resource is exhausted, so the specific bottleneck (CPU, memory, file descriptors or process slots) should be treated as unknown rather than assumed.

Affected Systems

Affected products are GitLab Community Edition and Enterprise Edition. All versions from 12.3 up to but not including 18.6.4 are affected, as are 18.7 releases before 18.7.2 and 18.8 releases before 18.8.2. The exposed surface is the SSH service GitLab provides for Git-over-SSH repository access; the advisory does not name the specific component that mishandles the malformed requests.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) describes a network-reachable, low-complexity attack that needs no privileges or user interaction and affects availability only, rated Low. The EPSS score below 1 % indicates a very low estimated probability of exploitation at present; the issue is not in the CISA KEV catalog and no public exploit is known, although the SSVC assessment marks it as automatable. The attack vector is network-based: an unauthenticated client sends repeated malformed authentication requests directly to the GitLab SSH endpoint. Successful exploitation degrades or denies SSH-based access for legitimate users for as long as the malformed traffic continues, and possibly until the affected service is restarted.

Generated by OpenCVE AI on April 18, 2026 at 03:48 UTC.

Remediation

Vendor Solution

Upgrade to 18.6.4, 18.7.2 or 18.8.2, or a later release in the corresponding branch.


OpenCVE Recommended Actions

  • Upgrade GitLab to 18.6.4, 18.7.2 or 18.8.2 (or later), as recommended by the vendor; this is the only fix for the missing limit itself.
  • Until patched, limit the rate of SSH connections and authentication attempts per source at the edge (firewall or load balancer) and, where GitLab's SSH service is OpenSSH, with sshd settings such as MaxStartups and LoginGraceTime; restrict the SSH port to trusted networks where the deployment allows it.
  • Monitor SSH logs for repeated malformed or failed authentication attempts from the same source and block offending IP addresses to contain resource exhaustion during an attack.
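As an added example of the monitoring step above (this is not GitLab's or OpenCVE's code): a sliding-window detector that flags source addresses with repeated SSH authentication failures and renders a firewall rule for each. The log lines are constructed for this example and only loosely modelled on OpenSSH sshd syslog messages; the message text, the "from <ip> port <n>" suffix, the threshold and window values, and the firewall port are all assumptions to adjust to the real logs and deployment.

```python
"""Sliding-window detector for repeated SSH authentication failures per source.

Added example; not GitLab's or OpenCVE's code. SAMPLE_LOG is constructed and
only loosely modelled on OpenSSH sshd syslog lines; the message text and the
'from <ip> port <n>' suffix are assumptions to check against real logs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample (RFC 5737 documentation addresses). 203.0.113.7 sends six
# bad requests within 15 s; 198.51.100.9 fails five times but ~150 s apart;
# 192.0.2.4 authenticates successfully; one non-sshd line is noise.
SAMPLE_LOG = """\
Jan 22 10:00:01 gitlab sshd[1201]: error: malformed authentication request from 203.0.113.7 port 50112 [preauth]
Jan 22 10:00:03 gitlab sshd[1202]: error: malformed authentication request from 203.0.113.7 port 50113 [preauth]
Jan 22 10:00:05 gitlab sshd[1203]: error: malformed authentication request from 203.0.113.7 port 50114 [preauth]
Jan 22 10:00:07 gitlab sshd[1204]: Accepted publickey for git from 192.0.2.4 port 41022 ssh2
Jan 22 10:00:08 gitlab sshd[1205]: error: malformed authentication request from 203.0.113.7 port 50115 [preauth]
Jan 22 10:00:09 gitlab sshd[1206]: Failed password for invalid user admin from 198.51.100.9 port 60001 ssh2
Jan 22 10:00:10 gitlab systemd[1]: Started Session 42 of user git.
Jan 22 10:00:12 gitlab sshd[1207]: error: malformed authentication request from 203.0.113.7 port 50116 [preauth]
Jan 22 10:00:15 gitlab sshd[1208]: error: malformed authentication request from 203.0.113.7 port 50117 [preauth]
Jan 22 10:02:40 gitlab sshd[1209]: Failed password for invalid user admin from 198.51.100.9 port 60002 ssh2
Jan 22 10:05:11 gitlab sshd[1210]: Failed password for invalid user admin from 198.51.100.9 port 60003 ssh2
Jan 22 10:07:42 gitlab sshd[1211]: Failed password for invalid user admin from 198.51.100.9 port 60004 ssh2
Jan 22 10:10:13 gitlab sshd[1212]: Failed password for invalid user admin from 198.51.100.9 port 60005 ssh2
"""

# Syslog prefix, then an sshd message ending in "from <ip> port <n>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<msg>.*?) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Substrings that identify a failed or malformed pre-auth attempt (assumed).
FAILURE_MARKERS = ("malformed authentication request", "Failed password", "Invalid user")


def parse_line(line, year):
    """Return (timestamp, source_ip) for a failed-auth sshd line, else None.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    m = LINE_RE.match(line)
    if m is None or not any(marker in m.group("msg") for marker in FAILURE_MARKERS):
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


def find_offenders(log_text, threshold=5, window_seconds=60, year=2026):
    """Map each source IP to (count, timestamp) at the first moment it reaches
    `threshold` failures inside any `window_seconds` span.

    Lines must be in chronological order (as syslog writes them): each source
    keeps a deque of recent timestamps and drops entries older than the window.
    """
    recent = defaultdict(deque)
    offenders = {}
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = (len(q), ts)
    return offenders


def block_commands(offenders, port=22):
    """Render one iptables DROP rule per flagged source for the SSH port.

    Rendered, not executed: review the list before applying it, and use a
    set-based rule (ipset or nft sets) if the list grows large.
    """
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in sorted(offenders)]


if __name__ == "__main__":
    flagged = find_offenders(SAMPLE_LOG)
    for ip, (count, first_seen) in flagged.items():
        print(f"{ip}: {count} failures by {first_seen}")
    print("\n".join(block_commands(flagged)))
```

With the defaults (5 failures in 60 s) only 203.0.113.7 is flagged, at its fifth request; 198.51.100.9 also fails five times but never accumulates more than one failure inside the window, which is the difference between a flood and ordinary background noise that a plain failure count would miss.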



Advisories

No advisories yet.

History

Mon, 26 Jan 2026 21:15:00 +0000

  CPEs added:
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 22 Jan 2026 16:15:00 +0000

  Metrics added (SSVC): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 22 Jan 2026 13:45:00 +0000

  Description added: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a denial of service condition by sending repeated malformed SSH authentication requests.
  Title added: Allocation of Resources Without Limits or Throttling in GitLab
  First time appeared: Gitlab; Gitlab gitlab
  Weaknesses added: CWE-770
  CPEs added: cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
  Vendors & Products added: Gitlab; Gitlab gitlab
  References added: (empty)
  Metrics added (cvssV3_1): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-01-22T15:29:45.284Z

Reserved: 2026-01-16T23:03:42.361Z

Link: CVE-2026-1102

Vulnrichment

Updated: 2026-01-22T15:29:37.899Z

NVD

Status : Analyzed

Published: 2026-01-22T15:16:50.227

Modified: 2026-01-26T21:09:33.443

Link: CVE-2026-1102

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:00:08Z

Weaknesses