Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.4 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause Denial of Service by sending specially crafted requests to the Jira events endpoint.
Published: 2026-02-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

GitLab Community Edition and Enterprise Edition contain a flaw that lets an unauthenticated user send specially crafted requests to the Jira events endpoint. The flaw causes the system to allocate resources without any limits or throttling, allowing the attacker to exhaust server resources and disrupt legitimate traffic. The primary impact is a denial of service to all users who rely on the affected GitLab instance.

Affected Systems

All GitLab Community Edition and Enterprise Edition releases from 14.4 up to, but not including, 18.7.5, the 18.8 series before 18.8.5, and the 18.9 series before 18.9.1 are affected. The same ranges apply to both editions. The issue is triggered by requests to the Jira events endpoint from an unauthenticated caller, so any instance whose Jira events endpoint is reachable from untrusted networks is exposed regardless of user accounts or permissions.
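The three branch-specific fix releases make a plain "older than X" comparison wrong (18.8.4 is affected while 18.7.5 is not). The following triage helper, an added example and not code from GitLab or OpenCVE, encodes the advisory's ranges exactly and classifies version strings as GitLab reports them (including the `-ee`/`-ce` suffix). It also parses the JSON body of GitLab's real `GET /api/v4/version` API (which needs an authenticated token); the hostnames and response bodies in the sample inventory are constructed for this example.

```python
"""Triage helper for CVE-2026-1662: decide whether a GitLab version string falls
inside the affected ranges named in the advisory:
    14.4 <= v < 18.7.5,  18.8 <= v < 18.8.5,  18.9 <= v < 18.9.1
Added example; not code from GitLab or OpenCVE."""

import json
import re

# Ranges exactly as stated in the advisory. Branches newer than 18.9 were never affected.
FIRST_AFFECTED = (14, 4, 0)
FIXED_BY_BRANCH = {
    (18, 7): (18, 7, 5),
    (18, 8): (18, 8, 5),
    (18, 9): (18, 9, 1),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn '18.7.4-ee', 'v18.8.5' or '18.9' into a (major, minor, patch) tuple.
    Edition suffixes (-ee/-ce) and pre-release tags are ignored because the
    affected ranges are the same for CE and EE."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(text):
    """True if the version is inside one of the advisory's affected ranges."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None:
        # Backported branch (18.7 / 18.8 / 18.9): affected only below that branch's fix.
        return v < fixed
    # Any other branch: affected if older than the lowest fix release (i.e. before 18.7);
    # 18.10 and later, and later majors, ship with the fix.
    return v < min(FIXED_BY_BRANCH.values())


def triage_version_endpoint(host, body):
    """Classify one host from the JSON body returned by GET /api/v4/version
    (a real GitLab endpoint; it returns {"version": "...", "revision": "..."}
    and requires an authenticated token). Returns (host, version, affected)."""
    version = json.loads(body)["version"]
    return host, version, is_affected(version)


# Constructed sample inventory: hostnames and bodies are made up for this example.
SAMPLE_INVENTORY = {
    "gitlab-prod.example.internal": '{"version": "18.7.4-ee", "revision": "abc1234"}',
    "gitlab-staging.example.internal": '{"version": "18.8.5-ee", "revision": "def5678"}',
    "gitlab-legacy.example.internal": '{"version": "16.11.10", "revision": "0123abc"}',
    "gitlab-new.example.internal": '{"version": "18.9.1-ce", "revision": "4567def"}',
}


def triage_inventory(inventory=SAMPLE_INVENTORY):
    """Return (host, version) pairs that still need the upgrade, sorted by host."""
    needs_patch = []
    for host, body in inventory.items():
        _, version, affected = triage_version_endpoint(host, body)
        if affected:
            needs_patch.append((host, version))
    return sorted(needs_patch)


if __name__ == "__main__":
    for host, version in triage_inventory():
        print(f"{host}: {version} is affected by CVE-2026-1662, upgrade required")
```

Running the script against the constructed inventory flags only the 18.7.4 and 16.11.10 hosts; 18.8.5 and 18.9.1 are the first fixed releases of their branches and pass. Feed it the real `/api/v4/version` responses from your fleet to get the patch list.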

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 7.5 (High) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: it is reachable over the network with low attack complexity, requires neither privileges nor user interaction, and its impact is confined to availability (no confidentiality or integrity loss). The EPSS score is below 1%, suggesting a low probability of exploitation in the wild, and the CVE is not listed in the CISA KEV catalog. An attacker can exploit it over the network by sending crafted HTTP requests to the Jira events endpoint without authentication. Successful exploitation can result in resource exhaustion and service interruption for all users of the GitLab instance.

Generated by OpenCVE AI on April 17, 2026 at 14:55 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.7.5, 18.8.5, 18.9.1 or above.


OpenCVE Recommended Actions

  • Upgrade GitLab to 18.7.5, 18.8.5, 18.9.1, or any later release; the fixed versions apply to both CE and EE.
  • Until the upgrade is done, restrict who can reach the Jira events endpoint, for example by enforcing authentication or role-based access control, or by allowing only the addresses of your Jira deployment at the reverse proxy or firewall. Confirm afterwards that the Jira integration still works, since the endpoint exists to receive Jira's own callbacks.
  • Rate-limit requests to the Jira events endpoint at a web application firewall, reverse proxy, or API gateway so a single client cannot exhaust server resources. Treat this as a compensating control, not a substitute for the patch.
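The following reverse-proxy fragment shows the rate-limiting control from the list above. It is an added example, not part of this advisory and not taken from GitLab's bundled nginx configuration. It assumes an nginx reverse proxy in front of GitLab, that the Jira events endpoint lives under `/-/jira_connect/events/` (an assumption; confirm the path on your instance), and an upstream named `gitlab_workhorse` on 127.0.0.1:8181 (also an assumption).

```nginx
# Added example, not from the advisory or from GitLab's own nginx bundle.
# Assumptions: an nginx reverse proxy in front of GitLab, the Jira events
# endpoint under /-/jira_connect/events/ (confirm on your instance), and an
# upstream "gitlab_workhorse" on 127.0.0.1:8181. Place these directives in
# the http {} context.

# One token bucket per client address: 10 requests per minute, tracked in a
# 10 MB shared-memory zone. Clients over the limit get 429 instead of 503.
limit_req_zone $binary_remote_addr zone=jira_events:10m rate=10r/m;
limit_req_status 429;

upstream gitlab_workhorse {
    server 127.0.0.1:8181;
}

server {
    listen 443 ssl;
    server_name gitlab.example.com;
    # TLS certificate and key directives omitted.

    # Compensating control until 18.7.5 / 18.8.5 / 18.9.1 is deployed:
    # throttle only this prefix so the rest of the instance is unaffected.
    # burst=20 absorbs a short legitimate spike from Jira; nodelay rejects
    # (rather than queues) anything beyond it.
    location ^~ /-/jira_connect/events/ {
        limit_req zone=jira_events burst=20 nodelay;
        client_max_body_size 64k;    # legitimate lifecycle events are small
        proxy_pass http://gitlab_workhorse;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
        proxy_pass http://gitlab_workhorse;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two caveats apply. A per-address limit only slows a single source; an attacker spread across many addresses still gets the aggregate rate, so pair it with the allowlisting suggested above where your Jira deployment's source addresses are known. Set the rate and burst above the volume of legitimate Jira callbacks you observe and check the proxy's 429 counts after deploying, so the control does not silently break the integration it protects.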

Generated by OpenCVE AI on April 17, 2026 at 14:55 UTC.


Advisories

No advisories yet.

History

Sat, 28 Feb 2026 01:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:18.9.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:18.9.0:*:*:*:enterprise:*:*:*

Wed, 25 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.4 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause Denial of Service by sending specially crafted requests to the Jira events endpoint.
Title Allocation of Resources Without Limits or Throttling in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-770
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-02-26T15:10:46.924Z

Reserved: 2026-01-29T20:33:16.301Z

Link: CVE-2026-1662

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-25T21:16:36.670

Modified: 2026-02-28T00:45:30.697

Link: CVE-2026-1662

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:00:11Z

Weaknesses