PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-1402 GitLab CVE debrief

GitLab has remediated a denial-of-service vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). The issue, assigned CVSS 3.1 score 6.5 (Medium), stems from insufficient validation that could allow an authenticated user to cause denial of service under certain conditions. The vulnerability affects all versions from 17.1 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1. GitLab released patches on May 27, 2026. The weakness is categorized as CWE-770 (Allocation of Resources Without Limits or Throttling). No known exploitation in ransomware campaigns has been reported, and this CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor
GitLab
Product
Unknown
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations running self-managed GitLab CE/EE instances, particularly those with large user bases or public-facing installations where authenticated access is broadly available. DevOps teams and platform engineers responsible for GitLab infrastructure availability should prioritize patching to prevent service disruption.

Technical summary

This vulnerability in GitLab CE/EE allows authenticated users to trigger denial of service through insufficient validation of user-controlled input or operations. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates a network-accessible attack with low complexity, requiring authenticated access but no user interaction, resulting in high availability impact. The root cause is classified under CWE-770, suggesting inadequate resource allocation limits or throttling mechanisms. Affected versions span multiple release branches from 17.1 through 19.0.0, with comprehensive patches released across all supported minor versions.

Defensive priority

medium

Recommended defensive actions

  • Upgrade GitLab CE/EE to version 18.10.7, 18.11.4, or 19.0.1 or later, depending on your current major version branch.
  • If immediate patching is not feasible, review and restrict authenticated user permissions where possible to reduce attack surface.
  • Monitor GitLab instance performance and resource utilization for signs of anomalous consumption that may indicate exploitation attempts.
  • Review HackerOne report 3517283 for technical details if you have appropriate access permissions.
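As an added example (not part of the PatchSiren debrief or of GitLab's own tooling), the following Python script encodes the three affected ranges stated above and checks a version string against them, optionally reading the running version from an instance via GitLab's authenticated `/api/v4/version` endpoint; the base URL and token are assumptions.

```python
"""Check a GitLab version against the CVE-2026-1402 affected ranges."""
import json
import re
import urllib.request

# Affected ranges as stated in the advisory: lower bound inclusive,
# upper bound exclusive (the upper bound is the first fixed release).
AFFECTED_RANGES = [
    ((17, 1, 0), (18, 10, 7)),   # 17.1 before 18.10.7
    ((18, 11, 0), (18, 11, 4)),  # 18.11 before 18.11.4
    ((19, 0, 0), (19, 0, 1)),    # 19.0 before 19.0.1
]


def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH]' and ignore any '-ee' or pre-release suffix."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version_text):
    """True if the version falls inside any advisory-listed affected range."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version_text):
    """Return the minimum patched release for an affected version, else None."""
    v = parse_version(version_text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(map(str, hi))
    return None


def check_instance(base_url, token):
    """Query /api/v4/version (needs a valid token) and classify the result.

    base_url and token are assumed inputs, e.g. https://gitlab.example.com
    and a read-only personal access token. Returns (version, affected).
    """
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v4/version",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        version = json.load(resp)["version"]
    return version, is_affected(version)
```

Versions below 17.1 are not listed by the advisory and therefore report as not affected here; treat them as out of support rather than as safe.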

Evidence notes

The CVE description and affected version ranges are sourced from NVD CPE criteria and GitLab's official release notes. CVSS vector confirms network attack vector with low attack complexity, requiring low privileges and no user interaction, with high availability impact.

Official resources

GitLab disclosed this vulnerability via official security release notes on May 27, 2026. The issue was reported through HackerOne.