Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an unauthenticated user to cause denial of service by uploading malicious files.
Published: 2026-02-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

GitLab has a vulnerability that permits an unauthenticated user to upload malicious files under certain conditions, which can lead to a denial of service. The flaw arises from allocating resources without limits or throttling when handling file uploads, allowing an attacker to exhaust server resources. This issue is classified as CWE‑434 (Unrestricted Upload of File with Dangerous Type) and CWE‑770 (Allocation of Resources Without Limits or Throttling).

Affected Systems

The vulnerability affects GitLab Community Edition and Enterprise Edition. All releases from version 8.0 up to, but not including, 18.6.6, 18.7.4, and 18.8.4 are impacted. The vendor’s fix is available in GitLab 18.6.6, 18.7.4, 18.8.4 and later releases.

Risk and Exploitability

The flaw carries a CVSS score of 6.5, indicating moderate severity. The EPSS score is less than 1%, suggesting a low probability of exploitation, though the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is remote, as the condition can be triggered by uploading files via the public web interface without authentication. Trusted privileges are not required, but the denial of service impact could affect the availability of exposed GitLab instances. Given the moderate difficulty of exploitation and the downstream impact on service availability, the risk is significant for systems lacking the vendor patch or mitigating controls.

Generated by OpenCVE AI on April 17, 2026 at 20:25 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.6.6, 18.7.4, 18.8.4 or above.

OpenCVE Recommended Actions

  • Upgrade to GitLab version 18.6.6, 18.7.4, 18.8.4, or later to apply the vendor‑provided fix.
  • If an immediate patch is unavailable, configure GitLab to disallow unauthenticated file uploads and enforce strict file‑size limits to mitigate the impact.
  • After applying the patch or configuration changes, monitor GitLab logs for upload attempts and confirm that system resources remain stable.

Generated by OpenCVE AI on April 17, 2026 at 20:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 12 Feb 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-434
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Wed, 11 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 11:30:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an unauthenticated user to cause denial of service by uploading malicious files.
Title Allocation of Resources Without Limits or Throttling in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-770
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Gitlab Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-02-11T15:42:58.333Z

Reserved: 2026-01-26T22:03:49.116Z

Link: CVE-2026-1458

cve-icon Vulnrichment

Updated: 2026-02-11T15:42:48.923Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-11T12:16:04.847

Modified: 2026-02-12T21:58:51.670

Link: CVE-2026-1458

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:30:15Z

Weaknesses