Description
GitLab has remediated an issue in GitLab CE/EE affecting versions from 18.9 before 18.9.1 that could have under certain conditions, allowed an unauthenticated user to cause denial of service by sending specially crafted requests to a CI jobs API endpoint.
Published: 2026-02-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Resource Exhaustion
Action: Apply Patch
AI Analysis

Impact

GitLab versions before 18.9.1 enable unauthenticated users to send crafted requests to the CI jobs API which can consume unbounded system resources, leading to denial of service. This vulnerability stems from an uncontrolled allocation of resources without limits or throttling, classified as CWE‑770.

Affected Systems

The affected products are GitLab Community Edition and Enterprise Edition running any 18.9.x release before version 18.9.1, including all 18.9.0 installations. Upgrading to 18.9.1 or a later patch level resolves the issue.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in CISA KEV. Exploitation requires sending crafted API requests without authentication, presumably over the network; no privileged access is needed.

Generated by OpenCVE AI on April 18, 2026 at 10:36 UTC.

Remediation

Vendor Solution

Upgrade to version 18.9.1 or above.

OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.9.1 or later to apply the vendor fix.
  • Implement API rate limiting or connection throttling to reduce resource exhaustion opportunities.
  • Configure firewall rules or network segmentation to restrict untrusted access to the CI jobs API endpoint.

Generated by OpenCVE AI on April 18, 2026 at 10:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 28 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:18.9.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:18.9.0:*:*:*:enterprise:*:*:*

Thu, 26 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting versions from 18.9 before 18.9.1 that could have under certain conditions, allowed an unauthenticated user to cause denial of service by sending specially crafted requests to a CI jobs API endpoint.
Title Allocation of Resources Without Limits or Throttling in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-770
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Gitlab Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-02-26T15:42:29.688Z

Reserved: 2026-01-30T21:33:13.654Z

Link: CVE-2026-1725

cve-icon Vulnrichment

Updated: 2026-02-26T15:42:22.016Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T21:16:36.833

Modified: 2026-02-28T01:06:15.320

Link: CVE-2026-1725

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T10:45:43Z

Weaknesses