Description
An issue has been discovered in GitLab CE/EE affecting all versions from 11.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an authenticated user to cause denial of service by exploiting a Bitbucket Server import endpoint via repeatedly sending large responses.
Published: 2026-02-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The vulnerability arises from a lack of resource limits or throttling for an internal import endpoint. An attacker who authenticates to GitLab can repeatedly trigger the Bitbucket Server import feature with large responses, allowing them to exhaust memory or processing resources and bring the application to a halt.

Affected Systems

Affected products include GitLab Community Edition and Enterprise Edition. Vulnerable versions are all releases from 11.2 up to, but not including, 18.7.5; from 18.8.0 to 18.8.4; and the 18.9.0 release. The issue was fixed in GitLab 18.7.5, 18.8.5, and 18.9.1 respectively.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests exploitation is unlikely at present. The vulnerability is not in the CISA KEV list. Exploitation requires valid user credentials and leverages the import endpoint to flood server resources. Administrators should therefore upgrade promptly or temporarily restrict that endpoint.

Generated by OpenCVE AI on April 17, 2026 at 14:56 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.7.5, 18.8.5, 18.9.1 or above.

OpenCVE Recommended Actions

  • Apply the recommended GitLab patch and upgrade to version 18.7.5, 18.8.5, 18.9.1 or newer.
  • If upgrading immediately is not possible, disable or restrict access to the Bitbucket Server import endpoint to prevent resource exhaustion attacks.
  • Configure or enable appropriate resource limits and throttling for import operations to mitigate future exploitation attempts.

Generated by OpenCVE AI on April 17, 2026 at 14:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 28 Feb 2026 02:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 28 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:18.9.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:18.9.0:*:*:*:enterprise:*:*:*

Wed, 25 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
Description An issue has been discovered in GitLab CE/EE affecting all versions from 11.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an authenticated user to cause denial of service by exploiting a Bitbucket Server import endpoint via repeatedly sending large responses.
Title Allocation of Resources Without Limits or Throttling in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-770
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Gitlab Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-02-26T15:45:14.406Z

Reserved: 2026-02-20T06:04:23.184Z

Link: CVE-2026-2845

cve-icon Vulnrichment

Updated: 2026-02-26T15:45:02.580Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T21:16:44.547

Modified: 2026-02-28T01:05:22.467

Link: CVE-2026-2845

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T15:00:11Z

Weaknesses