VYPR
Medium severity (6.5) · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-1402

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user to cause denial of service due to insufficient validation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated user can cause denial of service in GitLab CE/EE due to insufficient input validation in certain conditions.

Vulnerability

GitLab CE/EE versions from 17.1 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 contain a vulnerability where insufficient validation of user-supplied input under specific conditions allows an authenticated user to trigger a denial of service [1]. The exact code path is not publicly detailed, but the issue resides in the application's request handling logic.

Exploitation

An attacker must be an authenticated user of the GitLab instance. No additional privileges beyond standard user access are required. The attacker sends crafted requests that exploit the validation flaw, causing the application to consume excessive resources or enter an unresponsive state [1]. The specific sequence of steps is not disclosed in the available reference.

Impact

Successful exploitation results in a denial of service, rendering the GitLab instance unavailable or severely degraded for legitimate users. No data confidentiality or integrity impact has been reported [1].

Mitigation

GitLab has released fixed versions: 18.10.7, 18.11.4, and 19.0.1 on 2026-05-27 [1]. Users should upgrade to one of these versions immediately. No workarounds are documented.
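As an added check that is not part of this advisory or of GitLab's own tooling: a small Python helper that maps a running GitLab version string onto the affected ranges quoted above and names the fixed release to move to. The range table, the tuple representation and the handling of an `-ee`/`-ce` edition suffix are assumptions of this example.

```python
from __future__ import annotations

# Affected ranges as stated in the advisory text for CVE-2026-1402.
# Each entry is (first affected version, inclusive), (first fixed version, exclusive).
# The tuple layout is this example's own choice, not an official GitLab structure.
AFFECTED_RANGES = (
    ((17, 1, 0), (18, 10, 7)),
    ((18, 11, 0), (18, 11, 4)),
    ((19, 0, 0), (19, 0, 1)),
)


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]' with an optional '-ee'/'-ce' suffix into ints."""
    core = text.strip().split("-")[0]  # drop an edition suffix such as '18.11.3-ee' (assumed format)
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))  # '18.11' -> 18.11.0
    return nums[0], nums[1], nums[2]


def is_affected(text: str) -> bool:
    """True when the version falls inside any affected range."""
    version = parse_version(text)
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(text: str) -> str | None:
    """Return the fixed release for the branch the version is on, or None if not affected."""
    version = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= version < hi:
            return ".".join(str(n) for n in hi)
    return None


if __name__ == "__main__":
    # Constructed sample inputs spanning the range boundaries.
    for sample in ("17.0.9", "17.1.0", "18.10.6-ee", "18.10.7", "18.11.3", "19.0.0", "19.0.1"):
        print(f"{sample:>12}: affected={is_affected(sample)!s:5} upgrade_to={recommended_upgrade(sample)}")
```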

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
