Description
GitLab has remediated a vulnerability in the Duo Workflow Service component of GitLab AI Gateway affecting all versions of the AI Gateway from 18.1.6, 18.2.6, 18.3.1 to 18.6.1, 18.7.0, and 18.8.0 in which AI Gateway was vulnerable to insecure template expansion of user supplied data via crafted Duo Agent Platform Flow definitions. This vulnerability could be used to cause Denial of Service or gain code execution on the Gateway. This has been fixed in versions 18.6.2, 18.7.1, and 18.8.1 of the GitLab AI Gateway.
Published: 2026-02-09
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

This vulnerability is an improper neutralization of special elements used in a template engine (CWE-1336) in GitLab AI Gateway. User-supplied data in Duo Agent Platform Flow definitions is expanded insecurely by the template engine, which can lead to denial of service or execution of arbitrary code on the gateway. CWE-1336 denotes a template injection flaw, here one that compromises the integrity and confidentiality of the gateway.

Affected Systems

The affected product is GitLab AI Gateway. All self-hosted versions from 18.1.6, 18.2.6, 18.3.1 up to and including 18.6.1, 18.7.0, and 18.8.0 are vulnerable. The issue is tracked under the CPE for GitLab AI Gateway and is fixed in releases 18.6.2, 18.7.1, and 18.8.1 or newer.
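The version statement above is easy to misread when triaging an inventory of self-hosted gateways, so the following added example (not code from GitLab or OpenCVE) encodes one reading of it as a checker. It assumes the ranges mean: the flaw entered the 18.1.6, 18.2.6 and 18.3.1 patch releases, every later 18.x release through 18.6.1 plus 18.7.0 and 18.8.0 carries it, and only 18.6.2, 18.7.1, 18.8.1 and newer are fixed; the helper names are hypothetical.

```python
import re
from typing import Optional

# Assumed reading of the advisory's version statement (an interpretation for this
# example, not text from the page): the flaw entered the 18.1.6, 18.2.6 and 18.3.1
# patch releases, every later 18.x release up to 18.6.1 carries it, as do 18.7.0
# and 18.8.0; fixes exist only in 18.6.2, 18.7.1 and 18.8.1 and anything newer.
INTRODUCED_IN = {1: 6, 2: 6, 3: 1}   # 18.x minor -> first affected patch on that line
FIXED_IN = {6: 2, 7: 1, 8: 1}        # 18.x minor -> first fixed patch on that line
LAST_FIXED_MINOR = 8                 # 18.9 and later are newer than every fixed release
EARLIEST_FIX = "18.6.2"              # upgrade target for lines that never received a fix


def parse_version(text: str) -> tuple:
    """Parse '18.6.1', 'v18.6.1' or '18.6.1-ee' into (major, minor, patch)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised AI Gateway version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(text: str) -> bool:
    """True when the version falls inside an affected range under the reading above."""
    major, minor, patch = parse_version(text)
    if major != 18:                      # the advisory names only 18.x releases
        return False
    if minor in INTRODUCED_IN:           # 18.1, 18.2, 18.3: affected from the backport patch on
        return patch >= INTRODUCED_IN[minor]
    if minor in FIXED_IN:                # 18.6, 18.7, 18.8: affected until the fixed patch
        return patch < FIXED_IN[minor]
    if minor > LAST_FIXED_MINOR:         # 18.9+
        return False
    return minor > 3                     # 18.4.x and 18.5.x: every release affected, no fix listed


def recommended_upgrade(text: str) -> Optional[str]:
    """Smallest fixed release for an affected version, or None when no upgrade is needed."""
    if not is_affected(text):
        return None
    minor = parse_version(text)[1]
    if minor in FIXED_IN:
        return f"18.{minor}.{FIXED_IN[minor]}"
    return EARLIEST_FIX                  # older lines have no fixed patch release; move forward


if __name__ == "__main__":
    for v in ("18.1.5", "18.1.6", "18.4.2", "18.6.1", "18.6.2", "v18.7.0-ee", "18.9.0"):
        print(v, "affected" if is_affected(v) else "not affected", recommended_upgrade(v))
```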

Risk and Exploitability

The CVSS score is 9.9, denoting critical severity. The EPSS score is under 1%, indicating that the likelihood of exploitation is very low at present. It is not listed in the CISA KEV catalog. Based on the description, the attack likely requires an attacker to supply a crafted Duo Workflow definition to the gateway, triggering insecure template expansion. The attack vector appears to be remote via the gateway's API or administrative interface, though the exact path is not explicitly detailed.

Generated by OpenCVE AI on April 17, 2026 at 21:34 UTC.

Remediation

Vendor Solution

Upgrade self-hosted GitLab AI Gateway to version 18.6.2, 18.7.1, 18.8.1 or above.


OpenCVE Recommended Actions

  • Upgrade the GitLab AI Gateway to version 18.6.2, 18.7.1, 18.8.1, or any newer release.
  • If an upgrade is not immediately possible, restrict or disable the Duo Workflow Service component and block external access to the gateway’s administration endpoints.
  • Monitor gateway logs for abnormal template expansion activity and alert on any unauthorized flow modifications.

Generated by OpenCVE AI on April 17, 2026 at 21:34 UTC.

Advisories

No advisories yet.

History

Mon, 09 Feb 2026 16:15:00 +0000

Values removed: none. Values added:

  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 06:45:00 +0000

Values removed: none. Values added:

  • Description: GitLab has remediated a vulnerability in the Duo Workflow Service component of GitLab AI Gateway affecting all versions of the AI Gateway from 18.1.6, 18.2.6, 18.3.1 to 18.6.1, 18.7.0, and 18.8.0 in which AI Gateway was vulnerable to insecure template expansion of user supplied data via crafted Duo Agent Platform Flow definitions. This vulnerability could be used to cause Denial of Service or gain code execution on the Gateway. This has been fixed in versions 18.6.2, 18.7.1, and 18.8.1 of the GitLab AI Gateway.
  • Title: Improper Neutralization of Special Elements Used in a Template Engine in GitLab AI Gateway
  • First Time appeared: Gitlab; Gitlab ai-gateway
  • Weaknesses: CWE-1336
  • CPEs: cpe:2.3:a:gitlab:ai-gateway:*:*:*:*:*:*:*:*
  • Vendors & Products: Gitlab; Gitlab ai-gateway
  • References: (none shown)
  • Metrics: cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-02-09T15:46:45.991Z

Reserved: 2026-02-03T22:33:13.212Z

Link: CVE-2026-1868

Vulnrichment

Updated: 2026-02-09T15:46:42.070Z

NVD

Status: Deferred

Published: 2026-02-09T07:16:18.250

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1868

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:45:28Z

Weaknesses