PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-14869 Hackerone CVE debrief

CVE-2025-14869 describes a GitLab CE/EE availability issue where an unauthenticated attacker could send specially crafted payloads to certain API endpoints and trigger denial of service. The affected releases are 18.5 up to, but not including, 18.9.7; 18.10 before 18.10.6; and 18.11 before 18.11.3. Because the issue is network-exploitable and requires no authentication, exposed GitLab instances should treat this as a high-priority patch item.

Vendor
Hackerone
Product
Unknown
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-14
Original CVE updated
2026-05-14
Advisory published
2026-05-14
Advisory updated
2026-05-14

Who should care

GitLab CE/EE administrators, especially teams running internet-facing instances or exposing GitLab APIs to broad internal or external networks, should prioritize this advisory. Security and platform teams responsible for upgrade management, reverse proxies, and service availability monitoring should also review it.

Technical summary

The advisory states that certain GitLab API endpoints could be abused with specially crafted payloads by an unauthenticated user, resulting in denial of service. The source data maps the issue to CWE-1284 (Improper Validation of Specified Quantity in Input) and assigns CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, reflecting a network-reachable, low-complexity, unauthenticated availability impact. Affected versions are GitLab CE/EE 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3.

Defensive priority

High. The combination of unauthenticated access, network reachability, and high availability impact makes this a strong patch priority for any exposed GitLab deployment.

Recommended defensive actions

  • Upgrade GitLab CE/EE to 18.9.7, 18.10.6, or 18.11.3, depending on your release track.
  • Confirm all self-managed instances are on a fixed release and that no older nodes remain in a cluster or failover pair.
  • Review API exposure and reduce access to GitLab endpoints where practical, especially from untrusted networks.
  • Monitor recent logs and service health for signs of request spikes, endpoint instability, or unexpected process restarts.
  • If immediate upgrading is not possible, apply compensating network controls such as tighter allowlists, proxy filtering, and rate limiting.
  • Track vendor release notes and internal change windows to ensure the patch is fully deployed across all environments.
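The first two actions above amount to checking every node's version against the fixed releases. As an added example that is not part of this debrief or of any GitLab tooling, the following script encodes the affected ranges exactly as the advisory states them (18.5 before 18.9.7, 18.10 before 18.10.6, 18.11 before 18.11.3) and classifies a list of version strings, so it can be run over inventory output from a cluster or failover pair. The inventory dictionary and the function names are constructed for illustration; the version strings in it are made up and are not real hosts.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory: [start, fixed) per release track.
# Anything below 18.5 is not listed as affected and is reported as such.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((18, 5, 0), (18, 9, 7)),
    ((18, 10, 0), (18, 10, 6)),
    ((18, 11, 0), (18, 11, 3)),
]

FIXED_RELEASES = ["18.9.7", "18.10.6", "18.11.3"]


def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z' (tolerating suffixes like '-ee' or '.0-rc1') into a tuple."""
    match = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True if the version falls inside any advisory-listed affected range."""
    v = parse_version(version)
    return any(start <= v < fixed for start, fixed in AFFECTED_RANGES)


def recommended_fix(version: str) -> str:
    """Smallest fixed release that is on the same track and >= the given version,
    or the lowest fixed release on a later track if the version's track is beyond
    the listed ranges (e.g. 18.12 is not listed, so no upgrade is recommended)."""
    v = parse_version(version)
    for start, fixed in AFFECTED_RANGES:
        if start <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return "not required (outside listed affected ranges)"


def classify_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split an {host: version} inventory into affected / not affected hosts."""
    report: Dict[str, List[str]] = {"affected": [], "not_affected": []}
    for host, version in sorted(inventory.items()):
        bucket = "affected" if is_affected(version) else "not_affected"
        report[bucket].append(host)
    return report


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "gitlab-primary": "18.10.6-ee",
    "gitlab-standby": "18.10.5-ee",
    "gitlab-old-runner-host": "18.5.0",
    "gitlab-lab": "18.4.9",
    "gitlab-canary": "18.11.3",
}

if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY.items():
        status = "AFFECTED -> upgrade to " + recommended_fix(version) if is_affected(version) else "ok"
        print(f"{host:24} {version:12} {status}")
```

The point of the second bullet in the list is visible in the sample data: the primary is patched but the standby is one release behind, so a failover would land traffic on a vulnerable node. Feed the script real `gitlab-rake gitlab:env:info` or API-reported version strings per host rather than relying on the version of whichever node answers the load balancer.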

Evidence notes

Source data comes from the GitHub Advisory Database entry for GHSA-9xp2-wmw3-fm7w, which is marked advisoryType: unreviewed, and references the official NVD record, a HackerOne report, a GitLab patch-release announcement, and a GitLab work item. The supplied record states the issue affects GitLab CE/EE versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3, and that an unauthenticated user could cause denial of service by sending specially crafted payloads on certain API endpoints. CVE publication timing used here is the supplied CVE publishedAt date of 2026-05-14.

Official resources

The CVE record and source advisory were published on 2026-05-14. The referenced GitLab patch-release announcement is dated 2026-05-13, so the public CVE disclosure followed the vendor patch context by one day in the supplied timeline.