Gratis scannen

Deze pagina is nog niet vertaald naar uw taal. We werken eraan — de inhoud wordt voorlopig in het Engels weergegeven.

💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.

MEDIUMCVE-2026-1184CVSS 6.5

CVE-2026-1184: Insecure Deserialization in GitLab

Platform

gitlab

Component

gitlab

Opgelost in

18.11.3

Bekijk op NVD
Opslaan
Wordt vertaald naar uw taal…

CVE-2026-1184 addresses an Insecure Deserialization vulnerability discovered in GitLab EE. This flaw allows an unauthenticated user to induce a denial of service (DoS) by uploading a specially crafted file. The vulnerability impacts GitLab EE versions ranging from 11.9.0 through 18.11.3, and is resolved in version 18.11.3.

Impact en Aanvalsscenarioswordt vertaald…

Successful exploitation of CVE-2026-1184 allows an attacker to disrupt GitLab services, rendering them unavailable to legitimate users. The attacker does not require authentication, significantly broadening the potential attack surface. The denial of service can manifest as system instability, performance degradation, or complete service outage. While the vulnerability doesn't directly lead to data exfiltration or code execution, the disruption of GitLab services can severely impact development workflows and project timelines. The impact is amplified in environments where GitLab is a critical component of the software development lifecycle.

Uitbuitingscontextwordt vertaald…

CVE-2026-1184 was published on 2026-05-14. Its severity is currently assessed as Medium (CVSS 6.5). No public proof-of-concept (POC) code has been publicly released as of this writing. There are no indications of active exploitation campaigns targeting this vulnerability. The vulnerability is not currently listed on CISA Known Exploited Vulnerabilities (KEV) catalog.

Dreigingsinformatie

Exploit Status

Proof of ConceptOnbekend
CISA KEVNO
InternetblootstellingHoog

CVSS-vector

DREIGINGSINFORMATIE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H6.5MEDIUMAttack VectorNetworkHoe de aanvaller het doel bereiktAttack ComplexityLowVereiste omstandigheden om te exploiterenPrivileges RequiredLowVereist authenticatieniveau voor aanvalUser InteractionNoneOf het slachtoffer actie moet ondernemenScopeUnchangedImpact buiten het getroffen onderdeelConfidentialityNoneRisico op blootstelling van gevoelige dataIntegrityNoneRisico op ongeautoriseerde gegevenswijzigingAvailabilityHighRisico op verstoring van dienstennextguardhq.com · CVSS v3.1 Basisscore
Wat betekenen deze metrics?
Attack Vector
Netwerk — op afstand uitbuitbaar via internet. Geen fysieke of lokale toegang vereist.
Attack Complexity
Laag — geen speciale voorwaarden vereist. Betrouwbaar uitbuitbaar.
Privileges Required
Laag — elk geldig gebruikersaccount is voldoende.
User Interaction
Geen — automatische en stille aanval. Slachtoffer doet niets.
Scope
Ongewijzigd — impact beperkt tot het kwetsbare component.
Confidentiality
Geen — geen vertrouwelijkheidsimpact.
Integrity
Geen — geen integriteitsimpact.
Availability
Hoog — volledige crash of uitputting van resources. Totale denial of service.

Getroffen Software

Componentgitlab
LeverancierGitLab
Minimumversie11.9.0
Maximumversie18.11.3
Opgelost in18.11.3

Zwakheidsclassificatie (CWE)

CWE-502

Tijdlijn

  1. Gereserveerd
  2. Gepubliceerd

Mitigatie en Workaroundswordt vertaald…

The primary mitigation for CVE-2026-1184 is to upgrade GitLab EE to version 18.11.3 or later. If immediate upgrade is not feasible, consider implementing temporary workarounds such as restricting file uploads from unauthenticated users or implementing stricter file validation rules. Review GitLab's file upload policies and ensure they are enforced. Monitor GitLab logs for suspicious file upload activity. After upgrading, verify the fix by attempting a file upload with a known malicious payload (in a controlled environment) to confirm the vulnerability is no longer exploitable.

Hoe te verhelpenwordt vertaald…

Actualice GitLab a la versión 18.9.7 o superior, 18.10.6 o superior, o 18.11.3 o superior para mitigar la vulnerabilidad de deserialización de datos no confiables. Esta actualización corrige la validación incorrecta de archivos cargados, previniendo posibles ataques de denegación de servicio.

Veelgestelde vragenwordt vertaald…

What is CVE-2026-1184 — Insecure Deserialization in GitLab?

CVE-2026-1184 is a Medium severity vulnerability in GitLab EE allowing unauthenticated users to trigger a denial of service by uploading a crafted file due to improper validation. It affects versions 11.9.0–18.11.3.

Am I affected by CVE-2026-1184 in GitLab?

You are affected if you are running GitLab EE versions 11.9.0 through 18.11.3. Versions prior to 18.11.3 are vulnerable to denial of service attacks.

How do I fix CVE-2026-1184 in GitLab?

Upgrade GitLab EE to version 18.11.3 or later to resolve the vulnerability. Consider temporary workarounds like restricting unauthenticated file uploads if immediate upgrade is not possible.

Is CVE-2026-1184 being actively exploited?

As of the current assessment, there are no indications of active exploitation campaigns targeting CVE-2026-1184.

Where can I find the official GitLab advisory for CVE-2026-1184?

Refer to the official GitLab security advisory for CVE-2026-1184 on the GitLab website: [https://gitlab.com/security/advisories/](https://gitlab.com/security/advisories/)

Is jouw project getroffen?

Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.

Gratis scannenCVEs zoeken
livefree scan

Probeer het nu — geen account

Upload een manifest (composer.lock, package-lock.json, WordPress pluginlijst…) of plak uw componentenlijst. U ontvangt direct een kwetsbaarheidsrapport. Een bestand uploaden is slechts het begin: met een account krijgt u continue monitoring, Slack/e-mail alerts, multi-project en white-label rapporten.

Manual scanSlack/email alertsscanZone.capMonitorWhite-label reports

Sleep uw afhankelijkheidsbestand hierheen

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...