Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an unauthenticated user to cause denial of service due to improper input validation in the API request parsing middleware.
Published: 2026-06-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab’s API request parsing middleware improperly validates certain inputs, allowing an unauthenticated user to trigger excessive resource consumption. This flaw, classified as CWE‑770, can lead to a denial of service by exhausting system resources or blocking legitimate requests.

Affected Systems

The issue affects GitLab Community Edition and Enterprise Edition for all releases from 12.10 up to (but excluding) 18.10.8, 18.11 up to (but excluding) 18.11.5, and 19.0 up to (but excluding) 19.0.2. Any GitLab deployment within those ranges is potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates a high impact. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an unauthenticated user sending specially crafted API requests to the GitLab server, resulting in resource exhaustion and service disruption.

Generated by OpenCVE AI on June 11, 2026 at 12:50 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.10.8, 18.11.5, 19.0.2 or above.


OpenCVE Recommended Actions

  • Apply the vendor‑issued patch by upgrading to GitLab 18.10.8, 18.11.5, 19.0.2 or any later release
  • Apply temporary rate‑limiting or firewall rules to the GitLab API endpoints to reduce the impact of potential abuse until a permanent patch is applied
  • Monitor GitLab logs for abnormal API activity and configure automated alerts to detect potential abuse


Tracking


Advisories

No advisories yet.

History

Thu, 11 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 11:30:00 +0000

Type | Values Removed | Values Added
Description | | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an unauthenticated user to cause denial of service due to improper input validation in the API request parsing middleware.
Title | | Allocation of Resources Without Limits or Throttling in GitLab
First Time appeared | | Gitlab; Gitlab gitlab
Weaknesses | | CWE-770
CPEs | | cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products | | Gitlab; Gitlab gitlab
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-06-11T12:27:15.170Z

Reserved: 2026-04-27T18:33:17.352Z

Link: CVE-2026-7250

Vulnrichment

Updated: 2026-06-11T12:27:09.896Z

NVD

Status: Received

Published: 2026-06-11T12:16:32.587

Modified: 2026-06-11T12:16:32.587

Link: CVE-2026-7250

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T13:00:15Z

Weaknesses
  • CWE-770: Allocation of Resources Without Limits or Throttling