Description
GitLab has remediated an issue in GitLab EE affecting all versions from 11.9 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by uploading a specially crafted file due to improper validation.
Published: 2026-05-14
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from deserialization of untrusted data that allows an unauthenticated user to upload a specially crafted file causing a denial of service in GitLab Enterprise Edition. The flaw stems from inadequate validation of uploaded content, which can exhaust resources or corrupt the state of the application, ultimately interrupting availability. The weakness is classified under CWE‑502, indicating an insecure deserialization flaw.

Affected Systems

The affected product is GitLab Enterprise Edition across multiple major releases. Versions prior to 18.9.7, specifically 11.9 through 18.8, as well as 18.10 versions older than 18.10.6 and 18.11 versions older than 18.11.3, are vulnerable. All other release lines are considered unaffected.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, with no presence in the CISA KEV catalog and an unavailable EPSS score. An attacker does not need authentication to coerce the vulnerability through the standard file upload path, thereby posing a risk to the availability of the entire GitLab instance. Although the exploit does not grant code execution, the potential for sustained outages makes the risk of exploitation non-negligible in environments with high availability requirements.

Generated by OpenCVE AI on May 14, 2026 at 07:50 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.9.7, 18.10.6, 18.11.3 or above.

OpenCVE Recommended Actions

  • Upgrade to GitLab EE 18.9.7 or later
  • If using GitLab EE 18.10, upgrade to 18.10.6 or later
  • If using GitLab EE 18.11, upgrade to 18.11.3 or later

Generated by OpenCVE AI on May 14, 2026 at 07:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 16 May 2026 03:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 14 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 06:00:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab EE affecting all versions from 11.9 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by uploading a specially crafted file due to improper validation.
Title Deserialization of Untrusted Data in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-502
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Gitlab Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-05-14T13:04:20.915Z

Reserved: 2026-01-19T12:33:32.638Z

Link: CVE-2026-1184

cve-icon Vulnrichment

Updated: 2026-05-14T13:04:17.382Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-14T06:16:21.190

Modified: 2026-05-16T03:37:47.420

Link: CVE-2026-1184

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T08:00:11Z

Weaknesses