Platform
gitlab
Component
gitlab
Fixed in
18.8.9
18.9.5
18.10.3
CVE-2026-1092 represents a Denial of Service (DoS) vulnerability discovered in GitLab Community Edition (CE) and Enterprise Edition (EE). This flaw allows an unauthenticated attacker to disrupt GitLab services by exploiting improper input validation of JSON payloads. The vulnerability impacts versions ranging from 12.10.0 through 18.10.3, posing a significant risk to organizations relying on GitLab for version control and collaboration. GitLab has released a patch in version 18.10.3 to address this issue.
The primary impact of CVE-2026-1092 is a denial of service. A malicious actor can craft specially designed JSON payloads and send them to GitLab, overwhelming the server's resources and rendering it unresponsive to legitimate users. This can lead to significant downtime, impacting development workflows, CI/CD pipelines, and overall productivity. The unauthenticated nature of the exploit means an attacker doesn't need credentials to trigger the DoS, widening the potential attack surface. While the vulnerability doesn't directly expose sensitive data, prolonged service disruption can indirectly lead to data loss or corruption if critical processes are interrupted. The blast radius extends to all users of the affected GitLab instance.
CVE-2026-1092 was published on April 8, 2026. Its severity is rated as High with a CVSS score of 7.5. Public proof-of-concept (POC) code is currently unavailable, but the vulnerability's ease of exploitation (unauthenticated access) suggests a potential for rapid exploitation if a POC is released. The vulnerability is not currently listed on KEV or EPSS, indicating a low to medium probability of active exploitation at this time. Organizations should prioritize patching to mitigate the risk.
Exploit status
EPSS
0.04% (12th percentile)
CISA SSVC
The definitive mitigation for CVE-2026-1092 is to upgrade GitLab to version 18.10.3 or later. Prior to upgrading, it's crucial to review GitLab's upgrade documentation and perform a backup of your GitLab instance. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as rate limiting incoming requests to the GitLab API. Web Application Firewalls (WAFs) can be configured to filter out malicious JSON payloads based on known patterns. Monitor GitLab server resource utilization (CPU, memory, network) for signs of unusual activity that might indicate an ongoing attack. After upgrading, confirm the fix by attempting to trigger the vulnerability with a known malicious JSON payload – the server should reject the payload without crashing or becoming unresponsive.
Upgrade to GitLab version 18.8.9 or later, 18.9.5 or later, or 18.10.3 or later to mitigate the vulnerability. The update corrects the improper validation of the quantity specified in JSON payloads, preventing possible denial-of-service attacks.
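Because the fix was backported to three branches, "18.10.3 or later" alone is not the right inventory check. The following is an added example, not GitLab's own code, that decides per host whether a version still lacks the fix using only the fixed releases listed above; every version older than 18.8.9 is treated as needing an upgrade, and the sample hostnames and versions are constructed.

```ruby
# Added example (not GitLab's own code): flag self-managed GitLab versions that
# still lack the CVE-2026-1092 fix, using the advisory's fixed releases.

# Patched release per maintained branch, as listed in the advisory.
FIXED_IN = {
  [18, 8]  => [18, 8, 9],
  [18, 9]  => [18, 9, 5],
  [18, 10] => [18, 10, 3],
}.freeze

# Parse "18.9.4", "18.9.4-ee" or "v18.9.4" into [major, minor, patch].
def parse_version(str)
  m = str.strip.match(/\Av?(\d+)\.(\d+)\.(\d+)/)
  raise ArgumentError, "unrecognised GitLab version: #{str.inspect}" unless m
  m.captures.map(&:to_i)
end

# true if the version still needs the CVE-2026-1092 fix.
def affected?(version_str)
  major, minor, patch = parse_version(version_str)
  branch = [major, minor]
  if FIXED_IN.key?(branch)
    # Maintained branch: vulnerable until its own backported patch release.
    ([major, minor, patch] <=> FIXED_IN[branch]) < 0
  else
    # Older than 18.8 has no fixed release at all; 18.11+ shipped after the fix.
    (branch <=> [18, 8]) < 0
  end
end

# One verdict line per host, e.g. from an inventory export.
def report(hosts)
  hosts.map do |host, version|
    "#{host}\t#{version}\t#{affected?(version) ? 'UPGRADE NEEDED' : 'ok'}"
  end
end

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_HOSTS = { "git-prod-1" => "18.9.4-ee", "git-prod-2" => "18.10.3-ee",
                 "git-legacy" => "15.11.2",   "git-lab" => "18.11.0" }.freeze

puts report(SAMPLE_HOSTS) if $PROGRAM_NAME == __FILE__
```

Feed it the version string from each instance's admin page or version endpoint; an "-ee" or "-ce" suffix is ignored by the parser.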
CVE-2026-1092 is a denial of service (DoS) vulnerability in GitLab CE/EE. It allows an unauthenticated user to cause a service disruption by sending specially crafted JSON payloads that are not properly validated.
You are potentially affected if you are running GitLab CE or EE versions 12.10.0 through 18.10.3, including 18.9 before 18.9.5 and 18.10 before 18.10.3. Versions prior to 12.10.0 are also vulnerable.
Upgrade to GitLab version 18.10.3 or later to resolve this vulnerability. Refer to the official GitLab security advisory for detailed upgrade instructions.
CVSS vector