CVE-2026-1456 - Vulnerability Details

- Allocation of Resources Without Limits or Throttling in GitLab

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to cause denial of service through CPU exhaustion by submitting specially crafted markdown files that trigger exponential processing in markdown preview.

Published: 2026-02-11

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

GitLab introduced a flaw where freshly uploaded markdown could be processed without any limits, resulting in exponential growth in processing time and CPU consumption. An unauthenticated user can trigger this by crafting a special markdown file, leading to a denial of service that impairs the availability of the entire instance. The weakness is a classic example of Resource Exhaustion, categorized as CWE-770.

Affected Systems

GitLab Community and Enterprise editions are affected. Versions 18.7 and 18.8 that fall below the patch releases 18.7.4 and 18.8.4 are vulnerable. All earlier 18.7.x and 18.8.x deployments must be upgraded to the indicated versions or later.

Risk and Exploitability

The vulnerability has a CVSS score of 6.5, indicating a moderately high severity impact and exploitation difficulty. EPSS is less than 1%, suggesting that the likelihood of real-world exploitation is currently low, and the issue is not listed in the CISA KEV catalog. Attackers need only an unauthenticated web session and can submit a markdown file to the preview endpoint. The vulnerability does not require privileged access or remote code execution; it simply taxes system resources until the instance becomes unusable.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

GitLab

unaffected

Version	Status	Constraints
`18.7`	affected	< 18.7.4
`18.8`	affected	< 18.8.4

Configuration 1 [-]

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

No data.

Vendor Product Confidence Versions

Gitlab

—

Version	Status	Scheme	Platform
`[18.7,18.7.4)`	affected	semver	—
`[18.8,18.8.4)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Upgrade to versions 18.7.4, 18.8.4 or above.

OpenCVE Recommended Actions

Apply the vendor patch by upgrading to GitLab 18.7.4 or 18.8.4 or newer.
If upgrading cannot be performed immediately, temporarily restrict or disable markdown preview functionality for unauthenticated users and enforce rate limiting on the markdown preview endpoint to prevent excessive CPU usage.
Monitor system performance metrics including CPU utilization and memory usage for spikes associated with markdown rendering, and configure alerts to notify administrators of potential abuse; consider deploying a dedicated reverse proxy that limits concurrent preview requests.

Generated by OpenCVE AI on April 18, 2026 at 12:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00038.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://about.gitlab.com/releases/2026/02/10/patch-release-gitlab-18-8-4-released/
https://gitlab.com/gitlab-org/gitlab/-/issues/587688
https://hackerone.com/reports/3517928

History

Thu, 12 Feb 2026 21:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:gitlab:gitlab:::::community:::* cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

Wed, 11 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 11 Feb 2026 11:30:00 +0000

Type	Values Removed	Values Added
Description		GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to cause denial of service through CPU exhaustion by submitting specially crafted markdown files that trigger exponential processing in markdown preview.
Title		Allocation of Resources Without Limits or Throttling in GitLab
First Time appeared		Gitlab Gitlab gitlab
Weaknesses		CWE-770
CPEs		cpe:2.3:a:gitlab:gitlab::::::::
Vendors & Products		Gitlab Gitlab gitlab
References		https://about.gitlab.com/releases/2026/02/10/patch-release-gitlab-18-8-4-released/ https://gitlab.com/gitlab-org/gitlab/-/issues/587688 https://hackerone.com/reports/3517928
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Gitlab Gitlab

MITRE

Status: PUBLISHED

Assigner: GitLab

Published: 2026-02-11T11:04:15.246Z

Updated: 2026-02-11T15:40:00.821Z

Reserved: 2026-01-26T20:33:14.058Z

Link: CVE-2026-1456

Vulnrichment

Updated: 2026-02-11T15:39:55.633Z

NVD

Status : Analyzed

Published: 2026-02-11T12:16:04.703

Modified: 2026-02-12T21:39:23.503

Link: CVE-2026-1456

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T12:45:45Z

Weaknesses

CWE-770

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object