Introduction
A long standing input validation gap in GitLab's CI/CD job update API has been quietly exposing self-managed instances to unauthenticated denial of service attacks since version 9.0. GitLab patched the issue on May 13, 2026, but the vulnerable code path had been present for many years, meaning the population of affected installations is substantial.
CVE-2026-1659 carries a CVSS 3.1 score of 7.5 and requires no authentication, no user interaction, and only low attack complexity to exploit. For organizations running internet facing GitLab instances, this combination of factors makes prompt patching a clear priority.
Technical Information
The vulnerability resides in GitLab's CI/CD job update API, a component that has been present since version 9.0. The root cause is insufficient input validation, classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The application fails to properly restrict the size or amount of resources requested by an actor, allowing specially crafted requests to exhaust system resources and trigger a denial of service state.
The CVSS 3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Breaking this down:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality / Integrity Impact: None
- Availability Impact: High
The attack flow, based on the advisory details, proceeds as follows:
- An attacker identifies a network reachable GitLab instance running any version from 9.0 up to the patched releases.
- The attacker sends specially crafted requests to the CI/CD job update API endpoint.
- Because the endpoint lacks proper bounds checking and resource allocation constraints, these requests cause unchecked resource consumption on the server.
- The result is a denial of service condition that degrades or eliminates availability of the GitLab instance, disrupting CI/CD pipelines and engineering workflows.
The fact that no authentication is required is particularly significant. Any internet facing GitLab instance exposes this API endpoint to anonymous attackers, and the low attack complexity means no specialized conditions or preparation are needed to trigger the vulnerability.
It is worth noting that the specific payload structures and proof of concept details have not been publicly disclosed. The HackerOne report (#3519824) and GitLab's internal issue tracker entry (work item #588201) remain confidential, consistent with GitLab's standard practice of making security issues public 30 days after the patch release.
Patch Information
GitLab addressed CVE-2026-1659 in a coordinated patch release published on May 13, 2026, shipping fixes across three supported release branches: 18.11.3, 18.10.6, and 18.9.7, covering both Community Edition (CE) and Enterprise Edition (EE).
The fix centers on tightening input validation within the CI/CD job update API handler. The patch adds proper bounds checking and resource allocation constraints to the API's request processing logic, directly preventing the unchecked resource consumption that crafted requests were able to trigger.
| Branch | Affected Range | Fixed Version |
|---|---|---|
| 18.11 | 18.11.0 up to versions before 18.11.3 | 18.11.3 |
| 18.10 | 18.10.0 up to versions before 18.10.6 | 18.10.6 |
| 9.0 to 18.9 | 9.0.0 up to versions before 18.9.7 | 18.9.7 |
GitLab.com (the SaaS offering) was already updated to the patched version at the time of announcement. GitLab Dedicated customers did not need to take manual action. Self-managed installations require an upgrade to one of the fixed versions listed above.
There are no official workarounds mentioned in GitLab's documentation. The only vendor documented remediation is upgrading.
Security teams should prioritize the rollout based on exposure: internet facing production instances first, followed by internal production and lower environments. Applying these patches will also protect systems against other recently disclosed vulnerabilities included in the same release, including high severity Cross Site Scripting (XSS) flaws.
Affected Systems and Versions
The vulnerability affects all GitLab CE/EE versions from 9.0 onward that have not been updated to one of the fixed releases. Specifically:
- GitLab CE/EE versions 9.0.0 through 18.9.6 (fixed in 18.9.7)
- GitLab CE/EE versions 18.10.0 through 18.10.5 (fixed in 18.10.6)
- GitLab CE/EE versions 18.11.0 through 18.11.2 (fixed in 18.11.3)
The vulnerable component is the CI/CD job update API endpoint. Any self-managed GitLab instance running a version within the affected ranges and reachable over the network is exposed. GitLab.com and GitLab Dedicated instances have already been patched by GitLab.
Vendor Security History
GitLab maintains a mature security program. The company acts as its own CVE Numbering Authority (CNA), giving it direct control over vulnerability disclosure timelines. GitLab has operated a public bug bounty program on HackerOne since February 2016, paying $1,000 for critical or high severity reports at the time of triage and using a public CVSS calculator to determine final bounty amounts.
CVE-2026-1659 was discovered through this program by researcher "a92847865" via HackerOne report #3519824. The May 13, 2026 patch release that addressed this vulnerability also resolved other high severity flaws, including Cross Site Scripting (XSS) vulnerabilities, reflecting GitLab's practice of bundling security fixes into coordinated releases.
GitLab was named a Leader in the 2025 Gartner Magic Quadrant for DevOps Platforms for the third consecutive year, ranking number one in four out of six use cases in the accompanying Critical Capabilities report.



