Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause regular expression denial of service by sending specially crafted input to a merge request endpoint under certain conditions.
Published: 2026-02-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Regular Expression Denial of Service that can exhaust GitLab server resources
Action: Patch Now
AI Analysis

Impact

GitLab versions before 18.7.5, 18.8.5, and 18.9.1 may run a regular expression over data submitted to a merge request endpoint, so an attacker can send specially crafted input that makes the expression backtrack heavily. The resulting CPU and memory consumption can degrade or deny availability of the GitLab host. This flaw is a classic regular expression denial of service (ReDoS), identified as CWE-1333.

Affected Systems

All GitLab Community and Enterprise Editions from version 9.2 up to, but not including, 18.7.5, 18.8.5, and 18.9.1 are affected. The vulnerability applies to merge request operations across both community and enterprise deployments, regardless of the underlying operating system or operating mode.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5, indicating high severity. The EPSS score is listed as < 1%, so the likelihood of real-world exploitation is currently low, and the issue is not yet cataloged in CISA's KEV list. However, because the flaw can be triggered by an unauthenticated user via a standard HTTP API call to the merge request endpoint, it is easily reachable over the network. If exploited, an attacker could slow or freeze the GitLab instance until the runaway requests complete or the service is restarted. Given the high severity and the availability of a public fix, the risk demands prompt mitigation.

Generated by OpenCVE AI on April 17, 2026 at 14:55 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.7.5, 18.8.5, 18.9.1 or above.

OpenCVE Recommended Actions

  • Upgrade GitLab (Community or Enterprise Edition) to the fixed release for the branch you run: 18.7.5 for 18.7, 18.8.5 for 18.8, or 18.9.1 for 18.9, or to any newer release.
  • Restart all GitLab services to ensure the updated code is loaded and the vulnerability is no longer present.
  • If upgrading immediately is not possible, implement rate limiting or input size restrictions on the merge request API to reduce the impact of a potential regular expression denial of service.

Generated by OpenCVE AI on April 17, 2026 at 14:55 UTC.

Tracking


Advisories

No advisories yet.

History

Sat, 28 Feb 2026 01:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:18.9.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:18.9.0:*:*:*:enterprise:*:*:*

Fri, 27 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause regular expression denial of service by sending specially crafted input to a merge request endpoint under certain conditions.
Title Inefficient Regular Expression Complexity in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-1333
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-02-26T15:07:56.004Z

Reserved: 2026-01-23T20:33:20.246Z

Link: CVE-2026-1388

Vulnrichment

Updated: 2026-02-26T15:07:27.804Z

NVD

Status: Analyzed

Published: 2026-02-25T21:16:36.500

Modified: 2026-02-28T00:45:36.973

Link: CVE-2026-1388

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:00:11Z

Weaknesses