CVE-2026-1101
GraphQL Injection in GitLab EE Causes Denial of Service
Publication date: 2026-04-08
Last updated on: 2026-04-14
Assigner: GitLab Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitlab | gitlab | From 18.2 (inc) to 18.8.9 (exc) |
| gitlab | gitlab | From 18.9.0 (inc) to 18.9.5 (exc) |
| gitlab | gitlab | From 18.10.0 (inc) to 18.10.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1284 | The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in GitLab Enterprise Edition affects versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3. It allows an authenticated user to cause a denial of service (DoS) on the GitLab instance. The issue arises due to improper input validation in GraphQL queries.
How can this vulnerability impact me? :
An attacker who is authenticated on the GitLab instance could exploit this vulnerability to cause a denial of service, making the GitLab service unavailable or unstable. This could disrupt development workflows and access to repositories and related services.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade your GitLab EE instance to a fixed version. Specifically, update to version 18.8.9 or later if you are on the 18.8 branch, 18.9.5 or later if on the 18.9 branch, or 18.10.3 or later if on the 18.10 branch.