VYPR
Unrated severity · NVD Advisory · Published Dec 11, 2020 · Updated Aug 4, 2024

CVE-2020-26409

Description

A DoS vulnerability exists in GitLab CE/EE >=10.3, <13.4.7; >=13.5, <13.5.5; >=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource consumption by bypassing input validation in Markdown fields.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A DoS vulnerability in GitLab CE/EE allows uncontrolled resource consumption via crafted Mermaid code blocks in Markdown fields, leading to a browser freeze.

Vulnerability

GitLab CE/EE versions 10.3 through 13.4.6, 13.5.0 through 13.5.4, and 13.6.0 through 13.6.1 are vulnerable to a denial-of-service (DoS) via uncontrolled resource consumption. The vulnerability exists in the rendering of Mermaid diagrams in Markdown fields. Input validation intended to limit Mermaid content to 5000 characters can be bypassed by splitting a long payload into multiple smaller Mermaid code blocks, leading to excessive resource consumption during rendering [1].

Exploitation

An authenticated attacker with the ability to add Markdown content (e.g., issue comments, merge request descriptions, or commit messages) can craft a page containing a large number of Mermaid code blocks. When the page is viewed, the browser attempts to render all Mermaid diagrams simultaneously, causing high CPU usage and potential browser freeze or crash. No special privileges beyond standard user access are required [1].

Impact

Successful exploitation results in a denial-of-service condition affecting the client-side browser. The attacker can cause persistent performance degradation for any user viewing the affected page, potentially preventing normal use of GitLab features. No data confidentiality or integrity is compromised.

Mitigation

The issue is fixed in GitLab CE/EE versions 13.4.7, 13.5.5, and 13.6.2. Users should upgrade to these versions or later. No workarounds are available. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3
  • GitLab Inc. / CE/EE (llm-fuzzy), 2 versions
    • (no CPE) range: >=10.3, <13.4.7; >=13.5, <13.5.5; >=13.6, <13.6.2
    • (no CPE) range: >=10.3
  • osv-coords
    Range: < 13.6.2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Input validation bypass: a per-block character limit on Mermaid code blocks can be circumvented by splitting a large payload across many small blocks, leading to uncontrolled resource consumption during rendering."

Attack vector

An authenticated attacker can post Markdown content containing many small Mermaid code blocks, each under the 5000-character limit, on any page that supports Markdown with Mermaid (e.g., issue comments, README files). When the page is rendered, the browser attempts to process each Mermaid block, causing uncontrolled CPU consumption that freezes the browser tab and may crash the entire browser [1].

Affected code

The vulnerability exists in the Markdown rendering pipeline that processes Mermaid code blocks. The issue is that a per-block character limit of 5000 characters was applied as a mitigation for earlier CVEs, but no limit was placed on the total number of Mermaid blocks allowed in a single Markdown input [1].

What the fix does

The advisory does not include a patch diff, but the recommended fix is to add a mechanism that detects and limits the total number of Mermaid code blocks in a user's input before rendering begins [1]. This would prevent an attacker from bypassing the per-block character limit by splitting a large payload across many small blocks.
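One way to apply a document-wide budget before any diagram is rendered, as an added example that is not GitLab's patch or code from the advisory. The 5000-character per-block limit is the one the advisory names; the 50-block cap, the 5000-character cumulative budget, and all function names are assumptions chosen for illustration.

```javascript
// Added example: budget Mermaid rendering for the whole document, not per block.
const MAX_BLOCK_CHARS = 5000; // per-block limit named in the advisory
const MAX_BLOCKS = 50;        // assumed value: diagrams rendered per document
const MAX_TOTAL_CHARS = 5000; // assumed value: cumulative source budget

// Collect the bodies of fenced blocks whose info string is "mermaid".
function extractMermaidBlocks(markdown) {
  const blocks = [];
  let fence = null;
  let body = [];
  for (const line of markdown.split(/\r?\n/)) {
    const t = line.trim();
    if (fence === null) {
      const open = /^ {0,3}(`{3,}|~{3,})\s*mermaid\s*$/i.exec(line);
      if (open) { fence = open[1]; body = []; }
    } else if (t.length >= fence.length && t === fence[0].repeat(t.length)) {
      blocks.push(body.join('\n')); // closing fence: same character, at least as long
      fence = null;
    } else {
      body.push(line);
    }
  }
  if (fence !== null) blocks.push(body.join('\n')); // unterminated fence runs to EOF
  return blocks;
}

// Decide per block whether it may be rendered; refused blocks stay plain text.
function planMermaidRender(markdown) {
  let rendered = 0;
  let usedChars = 0;
  const decisions = extractMermaidBlocks(markdown).map((src, index) => {
    let reason = null;
    if (src.length > MAX_BLOCK_CHARS) reason = 'block-too-long';
    else if (rendered >= MAX_BLOCKS) reason = 'too-many-blocks';
    else if (usedChars + src.length > MAX_TOTAL_CHARS) reason = 'total-budget-exceeded';
    if (reason === null) { rendered += 1; usedChars += src.length; }
    return { index, chars: src.length, render: reason === null, reason };
  });
  return { total: decisions.length, rendered, usedChars, decisions };
}

// Constructed sample: `count` mermaid blocks of `bodyLen` filler characters each.
function sampleDoc(count, bodyLen) {
  const fence = '`'.repeat(3);
  const block = fence + 'mermaid\n' + 'x'.repeat(bodyLen) + '\n' + fence + '\n';
  return '# Constructed test page\n\n' + block.repeat(count);
}

const plan = planMermaidRender(sampleDoc(8, 1000));
console.log(`${plan.rendered}/${plan.total} blocks rendered, ${plan.usedChars} chars`);
```

Every block in the constructed sample passes the per-block check on its own; only the cumulative budget and the block cap stop the remainder, which is the gap the advisory describes.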

Preconditions

  • auth: Attacker must be authenticated to GitLab
  • input: Attacker must have access to a page that accepts Markdown with Mermaid (e.g., issue comments, README files)

Reproduction

1. Sign in to GitLab.
2. Open any page where you can input Markdown text using Mermaid into the form.
3. Copy and paste the contents of the attached file ("poc.txt") to the input form.
4. Save the Markdown text on the page you opened (e.g., click "Comment" on an Issue page or save a "Readme.md" file).
5. The page freezes and the browser tab shows 100% CPU usage for a long time [1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
