Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.5
GitLab: Unauthenticated User Can Crash Merge Request Endpoint
CVE-2026-1388
Summary
All affected versions of GitLab Community Edition and Enterprise Edition have a security issue that could allow an attacker to crash the system by sending a specially crafted request to the merge request endpoint. This could potentially cause downtime and disrupt service. Update to the latest version to fix the issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| gitlab | gitlab | > 9.2.0 , <= 18.7.5 | – |
| gitlab | gitlab | > 9.2.0 , <= 18.7.5 | – |
| gitlab | gitlab | > 18.8.0 , <= 18.8.5 | – |
| gitlab | gitlab | > 18.8.0 , <= 18.8.5 | – |
| gitlab | gitlab | 18.9.0 | – |
| gitlab | gitlab | 18.9.0 | – |
Original title
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause reg...
Original description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause regular expression denial of service by sending specially crafted input to a merge request endpoint under certain conditions.
nvd CVSS3.1
7.5
Vulnerability type
CWE-1333
Inefficient Regular Expression Complexity (ReDoS)
- https://about.gitlab.com/releases/2026/02/25/patch-release-gitlab-18-9-1-release... Release Notes Vendor Advisory
- https://gitlab.com/gitlab-org/gitlab/-/issues/587560 Broken Link
- https://hackerone.com/reports/3482893 Permissions Required
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026