ZeroPath at Black Hat USA 2026

GitLab CE/EE CVE-2026-1659: Brief Summary of Unauthenticated DoS via CI/CD Job Update API

A short review of CVE-2026-1659, a high severity denial of service vulnerability in GitLab's CI/CD job update API that allows unauthenticated attackers to exhaust resources via crafted requests. Includes patch details and affected version ranges.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-13

GitLab CE/EE CVE-2026-1659: Brief Summary of Unauthenticated DoS via CI/CD Job Update API
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A long standing input validation gap in GitLab's CI/CD job update API has been quietly exposing self-managed instances to unauthenticated denial of service attacks since version 9.0. GitLab patched the issue on May 13, 2026, but the vulnerable code path had been present for many years, meaning the population of affected installations is substantial.

CVE-2026-1659 carries a CVSS 3.1 score of 7.5 and requires no authentication, no user interaction, and only low attack complexity to exploit. For organizations running internet facing GitLab instances, this combination of factors makes prompt patching a clear priority.

Technical Information

The vulnerability resides in GitLab's CI/CD job update API, a component that has been present since version 9.0. The root cause is insufficient input validation, classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The application fails to properly restrict the size or amount of resources requested by an actor, allowing specially crafted requests to exhaust system resources and trigger a denial of service state.

The CVSS 3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Breaking this down:

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality / Integrity Impact: None
  • Availability Impact: High

The attack flow, based on the advisory details, proceeds as follows:

  1. An attacker identifies a network reachable GitLab instance running any version from 9.0 up to the patched releases.
  2. The attacker sends specially crafted requests to the CI/CD job update API endpoint.
  3. Because the endpoint lacks proper bounds checking and resource allocation constraints, these requests cause unchecked resource consumption on the server.
  4. The result is a denial of service condition that degrades or eliminates availability of the GitLab instance, disrupting CI/CD pipelines and engineering workflows.

The fact that no authentication is required is particularly significant. Any internet facing GitLab instance exposes this API endpoint to anonymous attackers, and the low attack complexity means no specialized conditions or preparation are needed to trigger the vulnerability.

It is worth noting that the specific payload structures and proof of concept details have not been publicly disclosed. The HackerOne report (#3519824) and GitLab's internal issue tracker entry (work item #588201) remain confidential, consistent with GitLab's standard practice of making security issues public 30 days after the patch release.

Patch Information

GitLab addressed CVE-2026-1659 in a coordinated patch release published on May 13, 2026, shipping fixes across three supported release branches: 18.11.3, 18.10.6, and 18.9.7, covering both Community Edition (CE) and Enterprise Edition (EE).

The fix centers on tightening input validation within the CI/CD job update API handler. The patch adds proper bounds checking and resource allocation constraints to the API's request processing logic, directly preventing the unchecked resource consumption that crafted requests were able to trigger.

BranchAffected RangeFixed Version
18.1118.11.0 up to versions before 18.11.318.11.3
18.1018.10.0 up to versions before 18.10.618.10.6
9.0 to 18.99.0.0 up to versions before 18.9.718.9.7

GitLab.com (the SaaS offering) was already updated to the patched version at the time of announcement. GitLab Dedicated customers did not need to take manual action. Self-managed installations require an upgrade to one of the fixed versions listed above.

There are no official workarounds mentioned in GitLab's documentation. The only vendor documented remediation is upgrading.

Security teams should prioritize the rollout based on exposure: internet facing production instances first, followed by internal production and lower environments. Applying these patches will also protect systems against other recently disclosed vulnerabilities included in the same release, including high severity Cross Site Scripting (XSS) flaws.

Affected Systems and Versions

The vulnerability affects all GitLab CE/EE versions from 9.0 onward that have not been updated to one of the fixed releases. Specifically:

  • GitLab CE/EE versions 9.0.0 through 18.9.6 (fixed in 18.9.7)
  • GitLab CE/EE versions 18.10.0 through 18.10.5 (fixed in 18.10.6)
  • GitLab CE/EE versions 18.11.0 through 18.11.2 (fixed in 18.11.3)

The vulnerable component is the CI/CD job update API endpoint. Any self-managed GitLab instance running a version within the affected ranges and reachable over the network is exposed. GitLab.com and GitLab Dedicated instances have already been patched by GitLab.

Vendor Security History

GitLab maintains a mature security program. The company acts as its own CVE Numbering Authority (CNA), giving it direct control over vulnerability disclosure timelines. GitLab has operated a public bug bounty program on HackerOne since February 2016, paying $1,000 for critical or high severity reports at the time of triage and using a public CVSS calculator to determine final bounty amounts.

CVE-2026-1659 was discovered through this program by researcher "a92847865" via HackerOne report #3519824. The May 13, 2026 patch release that addressed this vulnerability also resolved other high severity flaws, including Cross Site Scripting (XSS) vulnerabilities, reflecting GitLab's practice of bundling security fixes into coordinated releases.

GitLab was named a Leader in the 2025 Gartner Magic Quadrant for DevOps Platforms for the third consecutive year, ranking number one in four out of six use cases in the accompanying Critical Capabilities report.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization