GitLab EE CVE-2026-1184

EUVD-2026-30219 · MEDIUM
Deserialization of Untrusted Data (CWE-502)
2026-05-14 · cve@gitlab.com · GHSA-jfvp-pw77-78h3
CVSS 3.1 (NVD): 6.5

Severity by source

NVD (primary): 6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High

Lifecycle Timeline

  • Analysis Generated: Jun 08, 2026 - 11:25 (vuln.today)
  • Patch available: May 14, 2026 - 07:01 (EUVD)

Description (CVE.org)

GitLab has remediated an issue in GitLab EE affecting all versions from 11.9 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by uploading a specially crafted file due to improper validation.

Analysis (AI-generated)

A denial-of-service flaw in GitLab Enterprise Edition allows a crafted file upload to exhaust service availability because deserialization input is improperly validated. The affected range is exceptionally wide: every GitLab EE release from 11.9 through the 18.11 line, until the patched releases. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Obtain network access to GitLab EE instance
  • Delivery: Authenticate with low-privilege account (or unauthenticated; see conflict note)
  • Exploit: Upload specially crafted file to vulnerable endpoint
  • Execution: Trigger improper deserialization during server-side file validation
  • Impact: Cause service availability failure

Vulnerability Assessment (AI-generated)

Exploitation: The exploitation path requires the attacker to be able to reach a GitLab EE file upload endpoint over the network (AV:N, AC:L). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Multiple independent risk signals converge on a low-priority but non-trivial classification. … Full risk analysis with EPSS, KEV, and SSVC signal comparison is available after sign-in.

Exploit Scenario: An attacker with access to a GitLab EE instance, whether unauthenticated or holding a low-privilege account (the signals in this record conflict on this point), submits a specially crafted file through a GitLab upload endpoint. The malformed serialized payload bypasses input validation and triggers abnormal processing behavior in the deserialization layer, causing the GitLab service to become unavailable or severely degraded. …

Remediation: Vendor-released patches are available. … Detailed patch versions, workarounds, and compensating controls are in the full report.

CVE-2026-1184 vulnerability details – vuln.today