Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user to cause denial of service due to insufficient validation.
Published: 2026-05-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a lack of limits or throttling on resource allocation in GitLab. Because of insufficient validation, an authenticated user can trigger excessive allocation that may exhaust system resources, resulting in a denial of service to all users. This weakness matches CWE‑770.

Affected Systems

Affected versions are all GitLab Community and Enterprise Edition releases from 17.1 up to 18.10.6, all 18.11 releases before 18.11.4, and all 19.0 releases before 19.0.1. The issue is mitigated in releases 18.10.7, 18.11.4, 19.0.1 and later.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate severity. EPSS is not available, so exploitation probability data is lacking. The vulnerability is not listed in CISA's KEV catalog. Because the condition requires authentication, the likely attack vector is an internal or credentialed user who can trigger the vulnerable operation, potentially disrupting service for the entire user base.

Generated by OpenCVE AI on May 27, 2026 at 19:11 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.10.7, 18.11.4, 19.0.1 or above.

OpenCVE Recommended Actions

  • Upgrade all affected GitLab instances to version 18.10.7, 18.11.4, 19.0.1 or a later patched release.
  • Restrict privileged accounts that can invoke resource‑heavy operations, applying least‑privilege access controls.
  • Monitor CPU and memory usage for abnormal spikes and set alerts; consider temporary service restart or shutdown if a prolonged outage occurs.

Generated by OpenCVE AI on May 27, 2026 at 19:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:19.0.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:19.0.0:*:*:*:enterprise:*:*:*

Wed, 27 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 18:45:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user to cause denial of service due to insufficient validation.
Title Allocation of Resources Without Limits or Throttling in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-770
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Gitlab Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-05-27T18:53:49.218Z

Reserved: 2026-01-23T22:33:21.269Z

Link: CVE-2026-1402

cve-icon Vulnrichment

Updated: 2026-05-27T18:53:33.293Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T19:16:15.577

Modified: 2026-05-27T20:53:55.860

Link: CVE-2026-1402

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T03:15:05Z

Weaknesses