Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to cause denial of service due to uncontrolled resource consumption when processing a specially crafted file upload.
Published: 2026-06-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab’s resource allocation flaw allows an authenticated user to trigger a denial of service by uploading a specially crafted file that consumes excessive CPU or memory without any limits or throttling. The vulnerability is classified as CWE‑770 and can cause the application to become unresponsive, affecting confidentiality and integrity if the service is unavailable to legitimate users.

Affected Systems

The issue impacts GitLab Community and Enterprise Editions from version 17.10 up to but not including 18.10.8, 18.11.5, and 19.0.2. Users running these older releases are at risk if they have enabled file upload features for authenticated accounts.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, but because the flaw requires authenticated access and a specific upload scenario, the likelihood of exploitation is low in the absence of a public exploit. The vulnerability is not listed in CISA KEV and no EPSS score is available. If an attacker can sidestep or abuse upload controls within GitLab, they could cause repetitive service disruption and potentially exhaust resources, leading to a denial of service for all users.

Generated by OpenCVE AI on June 11, 2026 at 12:22 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.10.8, 18.11.5, 19.0.2 or above.

OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.10.8, 18.11.5, 19.0.2 or later to receive the vendor fix
  • If an upgrade is delayed, temporarily disable file uploads for authenticated users or enforce strict upload size limits to reduce resource exhaustion risk
  • Review and tighten GitLab's audit log and resource quota settings so that unexpected large uploads are detected early and throttled

Generated by OpenCVE AI on June 11, 2026 at 12:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 11 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to cause denial of service due to uncontrolled resource consumption when processing a specially crafted file upload.
Title Allocation of Resources Without Limits or Throttling in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-770
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Gitlab Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-06-11T12:20:51.347Z

Reserved: 2026-01-27T18:04:29.176Z

Link: CVE-2026-1500

cve-icon Vulnrichment

Updated: 2026-06-11T12:20:47.034Z

cve-icon NVD

Status : Received

Published: 2026-06-11T12:16:31.073

Modified: 2026-06-11T12:16:31.073

Link: CVE-2026-1500

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T12:30:14Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling