Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to cause denial of service when importing issues due to improper input validation.
Published: 2026-04-22
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

An authenticated user can trigger resource exhaustion by importing a large number of issues, causing the GitLab instance to become unresponsive. The flaw stems from missing limits or throttling during input validation, allowing an attacker to overwhelm server resources. This results in denial of service for all users accessing the platform.

Affected Systems

Both the Community Edition and Enterprise Edition of GitLab, from version 12.3 up to and excluding 18.9.6, 18.10.4, and 18.11.1, are vulnerable. Any deployment that has not been upgraded to these patches is at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, and the current EPSS score is not available, with the vulnerability not listed in CISA KEV. The exploit requires the attacker to have valid credentials with issue‑import privileges; if successful, it can disrupt overall service availability but does not compromise data confidentiality or integrity.

Generated by OpenCVE AI on April 22, 2026 at 18:22 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.9.6, 18.10.4, 18.11.1 or above.

OpenCVE Recommended Actions

  • Upgrade to GitLab 18.9.6, 18.10.4, 18.11.1 or later
  • Limit the number of issues that may be imported in a single request to conserve system resources
  • Monitor server resource usage for abnormal spikes during issue import operations

Generated by OpenCVE AI on April 22, 2026 at 18:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to cause denial of service when importing issues due to improper input validation.
Title Allocation of Resources Without Limits or Throttling in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-770
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Gitlab Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-22T17:39:02.958Z

Reserved: 2026-01-29T20:03:52.499Z

Link: CVE-2026-1660

cve-icon Vulnrichment

Updated: 2026-04-22T17:38:46.105Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-22T17:16:33.697

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-1660

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T19:15:24Z

Weaknesses