MEDIUMCVE-2026-1184CVSS 6.5

CVE-2026-1184: Insecure Deserialization in GitLab

Plattform

gitlab

Komponente

gitlab

Behoben in

18.11.3

Auf NVD ansehen

Speichern

CVE-2026-1184 describes an Insecure Deserialization vulnerability discovered in GitLab EE. This flaw allows an unauthenticated user to induce a denial of service (DoS) condition by uploading a specially crafted file. The vulnerability affects GitLab EE versions ranging from 11.9.0 through 18.11.3, with a fix available in version 18.11.3. Prompt patching is recommended to prevent potential service disruptions.

Auswirkungen und Angriffsszenarien

Successful exploitation of CVE-2026-1184 can lead to a denial of service, effectively rendering GitLab EE unavailable to legitimate users. An attacker could repeatedly upload malicious files, overwhelming the system's resources and causing it to crash or become unresponsive. The lack of authentication required for exploitation significantly broadens the attack surface, as any external user can potentially trigger the DoS. While the vulnerability doesn't directly expose sensitive data, the disruption of service can impact critical workflows and potentially lead to secondary consequences depending on GitLab's role within an organization.

Ausnutzungskontext

CVE-2026-1184 was published on May 14, 2026. Its severity is rated as medium (CVSS 6.5). No public proof-of-concept (POC) code has been publicly released as of this writing. The vulnerability is not currently listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog, and there is no indication of active exploitation campaigns. Monitor security advisories and threat intelligence feeds for any updates.

Bedrohungsanalyse

Exploit-Status

Proof of ConceptUnbekannt

CISA KEVNO

Internet-ExponierungHoch

CISA SSVC

Ausnutzungnone

Automatisierbarno

Technische Auswirkungpartial

CVSS-Vektor

Was bedeuten diese Metriken?

Attack Vector: Netzwerk — aus der Ferne über das Internet ausnutzbar. Kein physischer oder lokaler Zugriff erforderlich.
Attack Complexity: Niedrig — keine besonderen Bedingungen erforderlich. Zuverlässig ausnutzbar.
Privileges Required: Niedrig — jedes gültige Benutzerkonto ist ausreichend.
User Interaction: Keine — automatischer und lautloser Angriff. Das Opfer tut nichts.
Scope: Unverändert — Auswirkung auf das anfällige Komponente beschränkt.
Confidentiality: Keine — kein Vertraulichkeitseinfluss.
Integrity: Keine — kein Integritätseinfluss.
Availability: Hoch — vollständiger Absturz oder Ressourcenerschöpfung. Totaler Denial of Service.

Betroffene Software

Komponentegitlab

HerstellerGitLab

Mindestversion11.9.0

Höchstversion18.11.3

Behoben in18.11.3

Schwachstellen-Klassifikation (CWE)

CWE-502

Zeitleiste

Reserviert2026-01-19
Veröffentlicht2026-05-14

Mitigation und Workarounds

The primary mitigation for CVE-2026-1184 is to upgrade GitLab EE to version 18.11.3 or later. If immediate upgrading is not feasible, consider implementing temporary workarounds such as strict file upload size limits and enhanced input validation on the server-side. While not a complete solution, these measures can reduce the likelihood of successful exploitation. Review GitLab's file upload policies and ensure they are enforced consistently. After upgrading, confirm the fix by attempting to upload a known malicious file (in a test environment) and verifying that it is rejected or handled without causing a DoS.

So behebenwird übersetzt…

Actualice GitLab a la versión 18.9.7 o superior, 18.10.6 o superior, o 18.11.3 o superior para mitigar la vulnerabilidad de deserialización de datos no confiables. Esta actualización aborda la validación incorrecta de archivos cargados, previniendo posibles ataques de denegación de servicio.

Häufig gestellte Fragen

What is CVE-2026-1184 — Insecure Deserialization in GitLab?

CVE-2026-1184 is a medium-severity vulnerability in GitLab EE allowing unauthenticated users to cause a denial of service by uploading a crafted file due to improper validation. It affects versions 11.9.0–18.11.3.

Am I affected by CVE-2026-1184 in GitLab?

You are affected if you are running GitLab EE versions 11.9.0 through 18.11.3. Versions prior to 18.11.3 are vulnerable to denial of service attacks.

How do I fix CVE-2026-1184 in GitLab?

Upgrade GitLab EE to version 18.11.3 or later to resolve the vulnerability. Consider temporary workarounds like file size limits if immediate upgrading is not possible.

Is CVE-2026-1184 being actively exploited?

As of the current assessment, there is no public evidence of CVE-2026-1184 being actively exploited in the wild. However, continuous monitoring is recommended.

Where can I find the official GitLab advisory for CVE-2026-1184?

Refer to the official GitLab security advisory for CVE-2026-1184 on the GitLab website: [https://gitlab.com/security/advisories/](https://gitlab.com/security/advisories/)

Ist dein Projekt betroffen?

Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.

Kostenlos scannen CVEs suchen

liveKostenloser Scan

Jetzt testen — kein Konto

Laden Sie ein Manifest hoch (composer.lock, package-lock.json, WordPress Plugin-Liste…) oder fügen Sie Ihre Komponentenliste ein. Sie erhalten sofort einen Schwachstellenbericht. Das Hochladen einer Datei ist nur der Anfang: Mit einem Konto erhalten Sie kontinuierliche Überwachung, Slack/email-Benachrichtigungen, Multi-Projekt- und White-Label-Berichte.

Manueller ScanSlack/E-Mail-AlertsKontinuierliche ÜberwachungWhite-Label-Berichte

Abhängigkeitsdatei hier ablegen

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...

Dateien durchsuchen