Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to cause a denial of service by making the GitLab instance unresponsive due to improper input validation in GraphQL request processing.
Published: 2026-03-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

GitLab's GraphQL request processing contains an algorithmic-complexity flaw: malformed or overly complex queries are not rejected cheaply, so an unauthenticated attacker who sends a crafted GraphQL request can force the server into excessive computation, exhaust its resources and render the instance unresponsive. The weakness is classified as inefficient algorithmic complexity (CWE-407); per the CVSS vector (C:N/I:N/A:H) it affects availability only.

Affected Systems

This vulnerability is present in GitLab Community Edition and Enterprise Edition from 18.5 up to but not including 18.8.7, from 18.9 up to but not including 18.9.3, and from 18.10 up to but not including 18.10.1. Both editions of every affected release are susceptible; a release equal to or newer than the patch version for its line (18.8.7, 18.9.3 or 18.10.1) is not affected.

Risk and Exploitability

The CVSS score of 7.5 classifies the flaw as high severity, yet the EPSS score of less than 1% and its absence from the CISA KEV catalog suggest limited exploitation at present. The attack vector is the network-reachable GraphQL endpoint (CVSS AV:N/PR:N/UI:N): an attacker needs neither authentication nor special permissions, only the ability to send crafted queries that trigger the algorithmic inefficiency and disrupt service.

Generated by OpenCVE AI on March 26, 2026 at 18:56 UTC.

Remediation

Vendor Solution

Upgrade to version 18.8.7, 18.9.3 or 18.10.1, or later.

OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.8.7, 18.9.3, or 18.10.1 or newer
  • If upgrading is not immediately possible, block unauthenticated access to the GraphQL endpoint to prevent exploitation
  • Verify whether your installed GitLab version falls within the vulnerable range before making changes
  • Monitor logs and traffic for abnormal GraphQL activity that may indicate attempted exploitation
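Added example (not code from OpenCVE or GitLab): a small Python checker that applies the three affected ranges above to an installed version string, such as the `version` field returned by GitLab's `/api/v4/version` API (that source is an assumption, not named on this page).

```python
import re

# Affected ranges taken from the advisory: [first affected, first fixed).
# Both CE and EE are affected, so the edition suffix is ignored.
AFFECTED_RANGES = [
    ((18, 5, 0), (18, 8, 7)),    # 18.5.x .. 18.8.6
    ((18, 9, 0), (18, 9, 3)),    # 18.9.0 .. 18.9.2
    ((18, 10, 0), (18, 10, 1)),  # 18.10.0 only
]


def parse_version(text):
    """Turn '18.9.2', 'v18.9.2-ee' or '18.9' into a (major, minor, patch) tuple.

    A missing patch component is treated as 0; anything after the numeric
    part (-ee, -ce, pre-release tags) is ignored for the range check.
    """
    m = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def fixed_version_for(version_text):
    """Return the first fixed release for the affected line, or None if unaffected."""
    v = parse_version(version_text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= v < first_fixed:
            return ".".join(str(n) for n in first_fixed)
    return None


def is_affected(version_text):
    """True when the version falls inside one of the advisory's affected ranges."""
    return fixed_version_for(version_text) is not None


if __name__ == "__main__":
    import sys
    # Constructed sample inputs, used when no version is given on the command line.
    for arg in sys.argv[1:] or ["18.8.6-ee", "18.8.7", "18.10.0", "18.11.0"]:
        fix = fixed_version_for(arg)
        status = f"AFFECTED, upgrade to {fix} or later" if fix else "not affected"
        print(f"{arg}: {status}")
```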


Tracking


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:18.10.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:18.10.0:*:*:*:enterprise:*:*:*

Wed, 25 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to cause a denial of service by making the GitLab instance unresponsive due to improper input validation in GraphQL request processing.
Title Inefficient Algorithmic Complexity in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-407
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-03-25T17:21:53.191Z

Reserved: 2026-03-11T15:37:07.048Z

Link: CVE-2026-3988

Vulnrichment

Updated: 2026-03-25T17:21:50.667Z

NVD

Status: Analyzed

Published: 2026-03-25T17:17:09.553

Modified: 2026-03-26T17:42:09.273

Link: CVE-2026-3988

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:30:29Z

Weaknesses