Gratis scannen

Deze pagina is nog niet vertaald naar uw taal. We werken eraan — de inhoud wordt voorlopig in het Engels weergegeven.

💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.

MEDIUMCVE-2026-8280CVSS 6.5

CVE-2026-8280: DoS in GitLab 8.3 - 18.11.3

Platform

gitlab

Component

gitlab

Opgelost in

18.11.3

Bekijk op NVD
Opslaan
Wordt vertaald naar uw taal…

CVE-2026-8280 describes a denial-of-service (DoS) vulnerability discovered in GitLab Community Edition (CE) and Enterprise Edition (EE). This flaw allows an authenticated user to trigger excessive memory consumption within the GitLab instance, potentially leading to service instability and unavailability. The vulnerability impacts versions 8.3 up to and including 18.11.3, with a fix available in version 18.11.3.

Impact en Aanvalsscenarioswordt vertaald…

An attacker exploiting CVE-2026-8280 could leverage a crafted input to exhaust GitLab's memory resources. This can manifest as a complete service outage, preventing legitimate users from accessing the platform. The impact is particularly severe in production environments where GitLab is critical for code management and collaboration. While the vulnerability requires authentication, a compromised user account or a user with sufficient privileges could be exploited to cause significant disruption. The memory exhaustion could also indirectly impact other processes running on the same server, potentially affecting related services.

Uitbuitingscontextwordt vertaald…

CVE-2026-8280 was published on May 14, 2026. Its severity is currently assessed as medium (CVSS 6.5). There are no public exploits or active campaigns reported at this time. The vulnerability is not currently listed on KEV or EPSS, indicating a low probability of immediate exploitation. Monitor security advisories and threat intelligence feeds for any changes in the exploitation landscape.

Dreigingsinformatie

Exploit Status

Proof of ConceptOnbekend
CISA KEVNO
InternetblootstellingHoog
Rapporten1 dreigingsrapport

CISA SSVC

Exploitatienone
Automatiseerbaarno
Technische Impactpartial

CVSS-vector

DREIGINGSINFORMATIE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H6.5MEDIUMAttack VectorNetworkHoe de aanvaller het doel bereiktAttack ComplexityLowVereiste omstandigheden om te exploiterenPrivileges RequiredLowVereist authenticatieniveau voor aanvalUser InteractionNoneOf het slachtoffer actie moet ondernemenScopeUnchangedImpact buiten het getroffen onderdeelConfidentialityNoneRisico op blootstelling van gevoelige dataIntegrityNoneRisico op ongeautoriseerde gegevenswijzigingAvailabilityHighRisico op verstoring van dienstennextguardhq.com · CVSS v3.1 Basisscore
Wat betekenen deze metrics?
Attack Vector
Netwerk — op afstand uitbuitbaar via internet. Geen fysieke of lokale toegang vereist.
Attack Complexity
Laag — geen speciale voorwaarden vereist. Betrouwbaar uitbuitbaar.
Privileges Required
Laag — elk geldig gebruikersaccount is voldoende.
User Interaction
Geen — automatische en stille aanval. Slachtoffer doet niets.
Scope
Ongewijzigd — impact beperkt tot het kwetsbare component.
Confidentiality
Geen — geen vertrouwelijkheidsimpact.
Integrity
Geen — geen integriteitsimpact.
Availability
Hoog — volledige crash of uitputting van resources. Totale denial of service.

Getroffen Software

Componentgitlab
LeverancierGitLab
Minimumversie8.3
Maximumversie18.11.3
Opgelost in18.11.3

Zwakheidsclassificatie (CWE)

CWE-770

Tijdlijn

  1. Gereserveerd
  2. Gepubliceerd

Mitigatie en Workaroundswordt vertaald…

The primary mitigation for CVE-2026-8280 is to upgrade GitLab to version 18.11.3 or later. If immediate upgrading is not feasible, consider implementing temporary workarounds such as rate limiting on specific API endpoints or restricting user input sizes. Monitoring GitLab's memory usage is also crucial to detect potential exploitation attempts. Review user permissions and ensure least privilege principles are enforced to limit the potential impact of a compromised account. After upgrading, confirm the fix by attempting to trigger the vulnerable input and verifying that memory consumption remains within acceptable limits.

Hoe te verhelpenwordt vertaald…

Actualice GitLab a la versión 18.9.7 o superior, 18.10.6 o superior, o 18.11.3 o superior para mitigar la vulnerabilidad de denegación de servicio. Esta actualización aborda la falta de validación de entrada que permitía un consumo excesivo de memoria.

Veelgestelde vragenwordt vertaald…

What is CVE-2026-8280 — DoS in GitLab 8.3 - 18.11.3?

CVE-2026-8280 is a denial-of-service vulnerability in GitLab CE/EE versions 8.3 through 18.11.3. An authenticated user can trigger excessive memory consumption, potentially causing service disruption.

Am I affected by CVE-2026-8280 in GitLab 8.3 - 18.11.3?

You are affected if you are running GitLab CE/EE versions 8.3 through 18.11.3. Upgrade to version 18.11.3 or later to mitigate the vulnerability.

How do I fix CVE-2026-8280 in GitLab 8.3 - 18.11.3?

Upgrade GitLab to version 18.11.3 or later. Consider temporary workarounds like rate limiting if immediate upgrading is not possible.

Is CVE-2026-8280 being actively exploited?

Currently, there are no reports of active exploitation or public exploits for CVE-2026-8280, but monitoring is still recommended.

Where can I find the official GitLab advisory for CVE-2026-8280?

Refer to the official GitLab security advisory for CVE-2026-8280 on the GitLab website: [https://gitlab.com/security/advisories/](https://gitlab.com/security/advisories/)

Is jouw project getroffen?

Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.

Gratis scannenCVEs zoeken
livefree scan

Probeer het nu — geen account

Upload een manifest (composer.lock, package-lock.json, WordPress pluginlijst…) of plak uw componentenlijst. U ontvangt direct een kwetsbaarheidsrapport. Een bestand uploaden is slechts het begin: met een account krijgt u continue monitoring, Slack/e-mail alerts, multi-project en white-label rapporten.

Manual scanSlack/email alertsscanZone.capMonitorWhite-label reports

Sleep uw afhankelijkheidsbestand hierheen

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...