Description
GitLab has remediated an issue in GitLab EE affecting all versions from 15.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to cause Denial of Service by uploading a malicious file and repeatedly querying it through GraphQL.
Published: 2026-02-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

GitLab EE contains a resource exhaustion flaw (CWE-770, Allocation of Resources Without Limits or Throttling): an authenticated user can upload a malicious file and repeatedly query it through GraphQL, causing the application to consume memory and CPU without bound and ultimately resulting in a denial of service.

Affected Systems

The affected product is GitLab Enterprise Edition. All GitLab EE releases from version 15.6 up to, but not including, 18.6.6; version 18.7 up to, but not including, 18.7.4; and version 18.8 up to, but not including, 18.8.4 are impacted. The vendor recommends upgrading to GitLab 18.6.6, 18.7.4, 18.8.4 or later to remediate the issue.

Risk and Exploitability

The CVSS v3.1 base score of 6.5 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) rates the issue as Medium severity: it is reachable over the network with low attack complexity, requires low privileges and no user interaction, and affects availability only. The EPSS score of less than 1% implies a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attacker would need authenticated access to the instance and would have to repeatedly execute GraphQL queries targeting a maliciously uploaded file. If these requests are not throttled, the application can become overwhelmed, leading to service interruption for all users.

Generated by OpenCVE AI on April 17, 2026 at 20:24 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.6.6, 18.7.4, 18.8.4 or above.

OpenCVE Recommended Actions

  • Upgrade GitLab EE to at least version 18.6.6, 18.7.4, or 18.8.4, whichever matches the release line in use.
  • If an upgrade cannot be performed immediately, limit the rate of GraphQL queries per authenticated user, or temporarily restrict permissions for uploading and querying files that can trigger heavy resource usage.
  • Deploy monitoring to detect unusually high memory or CPU consumption associated with file uploads or GraphQL activity, and take corrective action such as throttling or scaling resources accordingly.

Advisories

No advisories yet.

History

Thu, 12 Feb 2026 21:45:00 +0000

Type    Values Removed    Values Added
CPEs    (none)            cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Wed, 11 Feb 2026 22:15:00 +0000

Type       Values Removed    Values Added
Metrics    (none)            ssvc (version 2.0.3): Automatable: no; Exploitation: poc; Technical Impact: partial


Wed, 11 Feb 2026 11:30:00 +0000

Type                   Values Removed    Values Added
Description            (none)            GitLab has remediated an issue in GitLab EE affecting all versions from 15.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to cause Denial of Service by uploading a malicious file and repeatedly querying it through GraphQl.
Title                  (none)            Allocation of Resources Without Limits or Throttling in GitLab
First Time appeared    (none)            Gitlab (vendor); Gitlab gitlab (product)
Weaknesses             (none)            CWE-770
CPEs                   (none)            cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products     (none)            Gitlab (vendor); Gitlab gitlab (product)
References             (none)            (none)
Metrics                (none)            cvssV3_1: score 6.5; vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-02-11T21:17:29.372Z

Reserved: 2026-01-23T20:33:15.394Z

Link: CVE-2026-1387

Vulnrichment

Updated: 2026-02-11T21:17:26.639Z

NVD

Status: Analyzed

Published: 2026-02-11T12:16:04.547

Modified: 2026-02-12T21:34:48.907

Link: CVE-2026-1387

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:30:15Z

Weaknesses