Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.0 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted requests due to insufficient input validation.
Published: 2026-05-14
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from insufficient input validation in GitLab’s handling of incoming requests. An unauthenticated user can send specially crafted requests that cause GitLab to allocate resources without any limits or throttling, leading to server resource exhaustion and resulting in a denial of service.

Affected Systems

The affected vendor and product are both GitLab. All Community and Enterprise Edition releases from version 9.0 up to, but not including, 18.9.7, all 18.10 releases before 18.10.6, and all 18.11 releases before 18.11.3 are impacted. Upgrading to 18.9.7, 18.10.6, 18.11.3 or any newer release removes the flaw.

Risk and Exploitability

The CVSS score of 7.5 classifies the vulnerability as high severity. Since no EPSS value is published, the exploitation probability cannot be quantified, but the lack of authentication requirement means any external actor can test the issue. The vulnerability is not listed in the CISA KEV catalog. An attacker can trigger the denial of service by submitting crafted requests from the internet, making the exploitation vector likely to be through HTTP/HTTPS traffic. Implementing safeguards such as rate limiting could reduce impact until a patch is applied.

Generated by OpenCVE AI on May 14, 2026 at 07:23 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.9.7, 18.10.6, 18.11.3 or above.


OpenCVE Recommended Actions

  • Apply the official patch by upgrading GitLab to version 18.9.7, 18.10.6, 18.11.3 or later.
  • Configure HTTP request throttling or rate limiting on the GitLab instance to mitigate resource exhaustion until the patch is deployed.
  • Monitor GitLab process memory and connection counts to detect potential denial-of-service attacks and alert administrators promptly.

Generated by OpenCVE AI on May 14, 2026 at 07:23 UTC.

Tracking


Advisories

No advisories yet.

History

Fri, 15 May 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 14 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 06:00:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.0 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted requests due to insufficient input validation.
Title Allocation of Resources Without Limits or Throttling in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-770
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-05-14T13:00:59.317Z

Reserved: 2026-01-29T20:03:47.704Z

Link: CVE-2026-1659

Vulnrichment

Updated: 2026-05-14T13:00:44.495Z

NVD

Status : Analyzed

Published: 2026-05-14T06:16:21.667

Modified: 2026-05-15T19:58:58.897

Link: CVE-2026-1659

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T08:00:10Z

Weaknesses