Introduction
A recently patched input validation flaw in GitLab's Terraform state lock API allows an unauthenticated remote attacker to trigger a denial of service condition by sending crafted JSON payloads, scoring a CVSS 7.5. What makes this particularly notable is the blast radius: the vulnerable code path has existed in every GitLab CE/EE release since version 12.10, first shipped around early 2020, meaning the flaw sat in the codebase for roughly six years before being identified and fixed.
GitLab serves as a backend for Terraform and OpenTofu state files, coordinating locks to prevent concurrent modifications and state corruption. A denial of service attack against this endpoint can stall infrastructure deployments, disrupt automated pipelines, and block engineering teams from applying critical infrastructure changes.
Technical Information
Root Cause
The vulnerability resides in the Terraform state lock API endpoints within GitLab CE/EE. Under normal operations, locking or unlocking a Terraform state file requires a user to hold the Maintainer or Owner role, authenticating via a private token or a CI job token. The critical flaw in CVE-2026-1092 is that JSON payload parsing occurs before authentication checks are fully enforced, creating a window where unauthenticated requests are processed.
The root cause is classified under CWE-1284: Improper Validation of Specified Quantity in Input. This weakness occurs when a product receives input specifying a quantity (such as size, length, nesting depth, or element count) but fails to validate it correctly. In this case, the Terraform state lock endpoint accepted incoming JSON payloads without adequately constraining quantitative properties of the data before attempting to process them.
Attack Flow
Based on the available information, the exploitation path follows this sequence:
- An attacker identifies a GitLab instance exposed to the network (no authentication required).
- The attacker crafts a malformed or excessively large JSON payload targeting the Terraform state lock API endpoint.
- The attacker sends this payload to the endpoint. Because the JSON parsing logic executes before authentication is enforced, the request is not rejected at the authentication layer.
- The GitLab server attempts to parse and process the oversized or deeply nested JSON structure, consuming excessive CPU, memory, or both.
- Repeated requests amplify the resource exhaustion, degrading or fully disrupting service availability for all users of the GitLab instance.
The key factor that elevates the severity here is the lack of an authentication requirement. Any network actor who can reach the GitLab instance can trigger the condition, which is especially concerning for internet-facing deployments.
Patch Information
GitLab addressed CVE-2026-1092 in a coordinated patch release published on April 8, 2026, shipping fixes across three supported branches for both GitLab Community Edition and Enterprise Edition:
| Affected Branch | Vulnerable Versions | Fixed Version |
|---|---|---|
| 18.10 | 18.10 before 18.10.3 | 18.10.3 |
| 18.9 | 18.9 before 18.9.5 | 18.9.5 |
| 12.10 to 18.8 | 12.10 before 18.8.9 | 18.8.9 |
GitLab.com was already updated to the patched version at the time of the announcement. Self-managed instances require a manual upgrade.
The fix introduced stricter validation logic on JSON payloads received by the Terraform state lock endpoint. By enforcing proper limits on the structure and size of accepted input before the API processes locking operations, the patch ensures that maliciously crafted requests are rejected early, before they can exhaust server resources.
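To make the CWE-1284 point concrete, here is an added illustrative guard of the kind the patch section describes: it bounds the declared and actual body size and the JSON nesting depth before the lock payload is parsed, so an oversized or deeply nested request is rejected cheaply. This is example code written for this article, not GitLab's embargoed fix; the byte and depth limits are constructed values, and the only assumption about the payload is that Terraform's lock info object carries a string ID field.

```ruby
require 'json'

# Illustrative pre-parse guard for a Terraform state lock request body
# (example code, not GitLab's actual fix, which is still embargoed).
MAX_LOCK_BODY_BYTES = 4096   # constructed limit; a lock payload is a small flat object
MAX_LOCK_NESTING    = 4      # constructed limit; lock JSON is essentially depth 1

class LockPayloadRejected < StandardError; end

# Returns the parsed Hash or raises LockPayloadRejected. Size is checked
# against the declared Content-Length *and* the actual body so a lying
# header cannot bypass the limit; nesting depth is bounded by the parser.
def parse_lock_payload(body, content_length: nil)
  declared = content_length ? Integer(content_length) : body.bytesize
  if declared > MAX_LOCK_BODY_BYTES || body.bytesize > MAX_LOCK_BODY_BYTES
    raise LockPayloadRejected, "body exceeds #{MAX_LOCK_BODY_BYTES} bytes"
  end
  parsed = JSON.parse(body, max_nesting: MAX_LOCK_NESTING)
  raise LockPayloadRejected, 'lock payload must be a JSON object' unless parsed.is_a?(Hash)
  # Terraform's lock info object always carries a string ID
  raise LockPayloadRejected, 'lock payload must carry a string ID' unless parsed['ID'].is_a?(String)
  parsed
rescue JSON::NestingError        # subclass of ParserError, so it must come first
  raise LockPayloadRejected, "nesting deeper than #{MAX_LOCK_NESTING}"
rescue JSON::ParserError
  raise LockPayloadRejected, 'malformed JSON'
rescue ArgumentError
  raise LockPayloadRejected, 'invalid Content-Length'
end

# Convenience wrapper: returns nil when the body is accepted, else the reason.
def lock_payload_rejection(body, **opts)
  parse_lock_payload(body, **opts)
  nil
rescue LockPayloadRejected => e
  e.message
end
```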
The vulnerability was reported by security researcher a92847865 through GitLab's HackerOne bug bounty program. The underlying issue tracker entry (work item #586479) and the original HackerOne report #3487030 remain confidential and will be publicly disclosed 30 days after the patch release. Because of this embargo, the exact code diff and commit level changes are not yet publicly available for review.
As an interim measure while awaiting patch deployment, organizations should consider implementing request size limits at their web application firewalls or reverse proxies, specifically targeting the Terraform state lock endpoints. Monitoring access logs for anomalous traffic patterns against these endpoints is also advisable.
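As an added example of the log monitoring suggested above (not part of the original advisory), the following script flags oversized request bodies and request bursts against the lock endpoint in access logs, independent of the response status. It assumes a constructed log layout that records the request length, and uses GitLab's documented route pattern /api/v4/projects/:id/terraform/state/:name/lock, which the article itself does not spell out; the thresholds and the sample log are illustrative.

```ruby
require 'time'

# Assumed access-log layout (constructed for this example):
# '<ip> [<time_local>] "<method> <path> <proto>" <status> <request_length>'
LINE_RE = /\A(?<ip>\S+) \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) (?<req_len>\d+)\z/
# GitLab's documented Terraform state lock route (the article does not name the path)
LOCK_PATH_RE = %r{\A/api/v4/projects/[^/]+/terraform/state/[^/]+/lock\z}

MAX_LOCK_BODY  = 4096   # lock payloads are small; larger request bodies are suspicious
BURST_LIMIT    = 5      # lock requests from one source within WINDOW_SECONDS
WINDOW_SECONDS = 10

def parse_line(line)
  m = LINE_RE.match(line)
  return nil unless m
  { ip: m[:ip], ts: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    path: m[:path], status: m[:status].to_i, req_len: m[:req_len].to_i }
end

# Returns [[kind, ip, value], ...] for oversized bodies and request bursts
# against the lock endpoint; lines that do not parse are skipped.
def find_anomalies(lines)
  alerts = []
  recent = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    ev = parse_line(line)
    next unless ev && LOCK_PATH_RE.match?(ev[:path])
    alerts << ['oversized', ev[:ip], ev[:req_len]] if ev[:req_len] > MAX_LOCK_BODY
    window = recent[ev[:ip]]
    window << ev[:ts]
    window.shift while ev[:ts] - window.first > WINDOW_SECONDS   # sliding window
    alerts << ['burst', ev[:ip], window.size] if window.size == BURST_LIMIT  # once per crossing
  end
  alerts
end

# Constructed sample: one legitimate lock, then a noisy source with an oversized body.
SAMPLE_LOG = <<~LOG
  198.51.100.9 [08/Apr/2026:09:59:58 +0000] "POST /api/v4/projects/42/terraform/state/prod/lock HTTP/1.1" 200 231
  203.0.113.7 [08/Apr/2026:10:00:00 +0000] "POST /api/v4/projects/42/terraform/state/prod/lock HTTP/1.1" 401 512
  203.0.113.7 [08/Apr/2026:10:00:01 +0000] "POST /api/v4/projects/42/terraform/state/prod/lock HTTP/1.1" 401 1048576
  203.0.113.7 [08/Apr/2026:10:00:02 +0000] "GET /api/v4/projects/42 HTTP/1.1" 401 0
  203.0.113.7 [08/Apr/2026:10:00:03 +0000] "POST /api/v4/projects/42/terraform/state/prod/lock HTTP/1.1" 401 512
  203.0.113.7 [08/Apr/2026:10:00:04 +0000] "POST /api/v4/projects/42/terraform/state/prod/lock HTTP/1.1" 401 512
  203.0.113.7 [08/Apr/2026:10:00:05 +0000] "POST /api/v4/projects/42/terraform/state/prod/lock HTTP/1.1" 401 512
  203.0.113.7 [08/Apr/2026:10:00:06 +0000] "DELETE /api/v4/projects/42/terraform/state/prod/lock HTTP/1.1" 401 0
LOG
```

Run it with `find_anomalies(SAMPLE_LOG.lines(chomp: true))`; in the sample it reports the 1 MiB body and the fifth lock request from the same source within ten seconds.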
Affected Systems and Versions
All GitLab CE/EE installations running the following versions are affected:
- Version 12.10 through 18.8.8 (fixed in 18.8.9)
- Version 18.9.0 through 18.9.4 (fixed in 18.9.5)
- Version 18.10.0 through 18.10.2 (fixed in 18.10.3)
This means every GitLab release from approximately early 2020 onward carried the vulnerable code path. Both self-managed and dedicated instances are affected; GitLab.com (the SaaS offering) was already patched at the time of the advisory.
The vulnerable component is specifically the Terraform state lock API, so instances that utilize GitLab as a Terraform or OpenTofu state backend are directly impacted. However, because the denial of service affects server resources broadly, all services hosted on the same GitLab instance could experience degradation.
Vendor Security History
GitLab maintains a highly mature security posture and operates one of the more active bug bounty programs in the industry through HackerOne. The program reports a 98 percent response efficiency with an average time to first response of just 10 hours. To date, GitLab has paid over 6.4 million dollars in total bounties to security researchers, reflecting a strong commitment to identifying and resolving vulnerabilities through responsible disclosure channels.
GitLab was named a Leader in the 2025 Gartner Magic Quadrant for DevOps Platforms for the third consecutive year, ranking first in four out of six use cases. This widespread enterprise adoption underscores why vulnerabilities in GitLab components carry significant organizational risk across the industry.