
GitLab CE/EE EUVD-2026-36227 | CVE-2026-7250 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-11 · GitLab · GHSA-cx4g-hr74-m89m
7.5 CVSS 3.1 · Vendor: GitLab

Severity by source

Vendor (GitLab), primary: 7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

vuln.today AI: 7.5 HIGH
API is network-reachable with no auth or interaction (AV:N/AC:L/PR:N/UI:N); impact is availability-only via worker exhaustion (C:N/I:N/A:H), scope unchanged.
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitLab).

CVSS Vector (Vendor: GitLab)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Patch available: Jun 11, 2026 - 13:01 (EUVD)
Analysis Generated: Jun 11, 2026 - 11:52 (vuln.today)
CVE Published: Jun 11, 2026 - 10:20 (cve.org)

Description (CVE.org)

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an unauthenticated user to cause denial of service due to improper input validation in the API request parsing middleware.

Analysis (AI)

Denial of service in GitLab CE/EE versions 12.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 allows unauthenticated remote attackers to crash or degrade the API request parsing middleware via malformed input. Publicly available exploit code exists (HackerOne report 3671995), and the CVSS 7.5 score (AV:N/AC:L/PR:N/UI:N/A:H) reflects trivially reachable, no-auth exploitation against any internet-exposed GitLab instance. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Identify exposed GitLab API endpoint
Delivery: Craft malformed API request
Exploit: Send request to parsing middleware
Execution: Trigger unbounded resource allocation
Persist: Exhaust workers and memory
Impact: Service becomes unavailable

Vulnerability Assessment (AI)

Exploitation: The GitLab instance must expose its HTTP(S) API to the attacker, which is typical for both SaaS and self-managed deployments, since the API is reachable on the same listener as the web UI by default. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Risk signals are mixed-to-elevated. … Full risk analysis with EPSS, KEV, and SSVC signal comparison is available after sign-in.

Exploit Scenario: An unauthenticated attacker scans the internet for GitLab instances on TCP/443 and sends a small volume of crafted HTTP requests to a public API endpoint (e.g., /api/v4/projects) containing malformed input that the parsing middleware fails to bound. The middleware consumes excessive memory or CPU per request, exhausting Puma workers and rendering the GitLab web UI, API, Git operations over HTTPS, and CI/CD pipelines unavailable until the workers are restarted. …

Remediation: Vendor-released patches: upgrade to GitLab 18.10.8, 18.11.5, or 19.0.2 (or later), as described in the June 10, 2026 patch release notes at https://about.gitlab.com/releases/2026/06/10/patch-release-gitlab-19-0-2-released/. … Detailed patch versions, workarounds, and compensating controls are in the full report.

Recommended Action (AI)

Within 24 hours: Identify all internet-exposed GitLab instances and document their versions; implement rate limiting on API endpoints and deploy Web Application Firewall rules to block malformed requests. …
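The first step above is an inventory check: which instances fall in the affected ranges named in the description (12.10 before 18.10.8, 18.11 before 18.11.5, 19.0 before 19.0.2) and what the lowest fixed release on their line is. The script below is an added example, not part of the advisory or of GitLab's own tooling; the hostnames and version strings in the sample inventory are constructed, and version strings are assumed to look like GitLab's "18.10.7-ee" (edition suffix optional).

```python
"""Triage a GitLab inventory against the affected ranges in this advisory."""
import re

# Affected ranges from the CVE description: [first affected, first fixed) per line.
AFFECTED_RANGES = (
    ((12, 10, 0), (18, 10, 8)),  # 12.10 up to, not including, 18.10.8
    ((18, 11, 0), (18, 11, 5)),  # 18.11 up to, not including, 18.11.5
    ((19, 0, 0), (19, 0, 2)),    # 19.0 up to, not including, 19.0.2
)

# major.minor[.patch] followed by anything (e.g. "-ee", "-ce").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from strings like '18.10.7-ee' or '19.0'."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def minimum_fixed_version(version_text):
    """Lowest fixed release on the same line, or None if the version is not affected."""
    version = parse_version(version_text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return "%d.%d.%d" % first_fixed
    return None


def is_affected(version_text):
    return minimum_fixed_version(version_text) is not None


def triage(inventory):
    """Map hostname -> version to hostname -> required upgrade, affected hosts only."""
    return {host: minimum_fixed_version(ver)
            for host, ver in inventory.items() if is_affected(ver)}


# Constructed sample inventory (hypothetical hostnames, not from the advisory).
SAMPLE_INVENTORY = {
    "git.example.test": "18.10.7-ee",   # affected, needs 18.10.8
    "ci.example.test": "18.11.5-ce",    # already at the fixed release
    "lab.example.test": "19.0.1",       # affected, needs 19.0.2
    "old.example.test": "12.9.0",       # predates the affected range
}

if __name__ == "__main__":
    for host, fix in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: upgrade to {fix} or later")
```

Versions newer than every range (for example a later 19.x release) are reported as not affected; that only tells you the host is outside this advisory's ranges, not that it is current.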

