CVE-2026-1387
📋 TL;DR
This vulnerability lets an authenticated GitLab user cause a denial of service by uploading crafted files and then querying them repeatedly through the GraphQL API. Per the advisory it affects GitLab EE from 15.6 up to 18.8.3; fixed releases are 18.6.6, 18.7.4 and 18.8.4 for the 18.6, 18.7 and 18.8 branches respectively.
💻 Affected Systems
- GitLab EE
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability for all GitLab users due to resource exhaustion from repeated malicious queries.
Likely Case
Degraded performance or temporary service disruption affecting multiple users.
If Mitigated
Minimal impact with proper rate limiting and monitoring in place.
🎯 Exploit Status
Exploitation requires an authenticated account that is allowed to upload files, but no special tooling: the attacker uploads a crafted file and then repeats the GraphQL query against it until the instance runs out of resources.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.6.6, 18.7.4, or 18.8.4
Vendor Advisory: https://about.gitlab.com/releases/2026/02/10/patch-release-gitlab-18-8-4-released/
Restart Required: Yes
Instructions:
1. Back up your GitLab instance.
2. Update to the fixed release for your branch: 18.6.6, 18.7.4, or 18.8.4.
3. Restart GitLab services.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Rate Limit GraphQL Queries
Rate-limit the GraphQL endpoint (/api/graphql) per user or client IP so that the same query cannot be replayed hundreds of times in a short window
Configure in GitLab application settings or via reverse proxy (nginx/apache) rules
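As an added example (not from the advisory or from GitLab's own configuration), the reverse-proxy variant of this workaround: an nginx front proxy that throttles only the GraphQL endpoint and passes everything else through untouched. The hostname, upstream address and the 10 r/s / burst 20 numbers are assumptions to tune for your traffic; the bucket is keyed on client IP because the proxy cannot see which GitLab user owns a session.

```nginx
# http {} context: one token bucket per client IP, used only for /api/graphql.
# 10 requests/second sustained, up to 20 extra queued; excess gets HTTP 429.
limit_req_zone $binary_remote_addr zone=gitlab_graphql:10m rate=10r/s;
limit_req_status 429;
limit_req_log_level warn;

upstream gitlab_backend {
    server 10.0.0.10:443;                 # assumption: the GitLab instance behind this proxy
}

server {
    listen 443 ssl;
    server_name gitlab.example.com;       # assumption
    # ssl_certificate / ssl_certificate_key omitted

    # GitLab serves GraphQL at /api/graphql; an exact-match location lets us
    # limit it without changing behaviour for the web UI, git or the REST API.
    location = /api/graphql {
        limit_req zone=gitlab_graphql burst=20 nodelay;
        proxy_pass https://gitlab_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
        proxy_pass https://gitlab_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two caveats before deploying it. First, an IP-keyed limit also throttles legitimate clients that share an egress address (CI runners behind NAT, office proxies), so exempt or raise the limit for known ranges rather than lowering it for everyone. Second, this slows the repetition but does not remove the per-request cost of the malicious query, so it buys time until the upgrade, nothing more. On Omnibus installs without an external proxy, the same directives can be injected into the bundled nginx through `nginx['custom_nginx_config']` (http context) and `nginx['custom_gitlab_server_config']` (server context) in /etc/gitlab/gitlab.rb, followed by `gitlab-ctl reconfigure`.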
Restrict File Upload Permissions
Restrict which users and roles can upload files so that fewer accounts are able to stage the malicious file in the first place
Adjust GitLab project/repository settings to restrict upload capabilities
🧯 If You Can't Patch
- Implement strict rate limiting on GraphQL API endpoints
- Monitor for unusual file upload patterns and repeated GraphQL queries
🔍 How to Verify
Check if Vulnerable:
Read the running version and compare it with the fixed releases: an instance on 15.6 or later that is below the fixed release for its branch is vulnerable.
Check Version:
sudo gitlab-rake gitlab:env:info | grep -A1 'GitLab information'
The version is the Version: line under the "GitLab information" heading; on Omnibus installs /opt/gitlab/embedded/service/gitlab-rails/VERSION holds the same value.
Verify Fix Applied:
Confirm the version is 18.6.6 or later on the 18.6 branch, 18.7.4 or later on 18.7, 18.8.4 or later on 18.8, or any newer release branch. A higher number in an older branch does not count: 18.7.0 is newer than 18.6.6 but still vulnerable.
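The branch rule above is easy to get wrong by hand, so here is an added example (not a GitLab-provided tool) that parses the env:info output and applies it. The fixed versions and the 15.6 lower bound come from this page; the assumption that every branch after 18.8 already contains the fix is mine, as is the constructed sample output.

```python
import re

# Fixed releases named in the advisory above, keyed by release branch.
FIRST_AFFECTED = (15, 6, 0)            # earliest affected release per the advisory
PATCHED = {                             # branch -> first fixed version in that branch
    (18, 6): (18, 6, 6),
    (18, 7): (18, 7, 4),
    (18, 8): (18, 8, 4),
}
# Assumption: branches newer than 18.8 shipped with the fix (18.8.3 is the
# last affected release the advisory lists).
LAST_AFFECTED_BRANCH = (18, 8)

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """'18.7.3-ee' (e.g. the contents of gitlab-rails/VERSION) -> (18, 7, 3)."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError(f"no X.Y.Z version in {text!r}")
    return tuple(int(g) for g in m.groups())


def parse_env_info(output: str) -> tuple:
    """Pick the GitLab version out of `gitlab-rake gitlab:env:info` output.
    Only the 'Version:' line under 'GitLab information' counts; the Ruby,
    GitLab Shell and other 'Version' lines in that output are ignored."""
    in_gitlab_section = False
    for line in output.splitlines():
        if line.strip() == "GitLab information":
            in_gitlab_section = True
        elif in_gitlab_section and line.lstrip().startswith("Version:"):
            return parse_version(line)
        elif in_gitlab_section and not line.strip():
            in_gitlab_section = False      # blank line ends the section
    raise ValueError("'GitLab information' / 'Version:' not found in output")


def assess(version: tuple) -> str:
    """Return 'unaffected', 'vulnerable' or 'patched' for a (major, minor, patch)."""
    if version < FIRST_AFFECTED:
        return "unaffected"
    branch = version[:2]
    if branch > LAST_AFFECTED_BRANCH:
        return "patched"
    fixed = PATCHED.get(branch)
    if fixed is None:
        # 15.6 through 18.5: affected, and no fixed release exists in these
        # branches, so the only remedy is moving to 18.6.6/18.7.4/18.8.4+.
        return "vulnerable"
    return "patched" if version >= fixed else "vulnerable"


# Constructed sample in the layout of `gitlab-rake gitlab:env:info`; the
# revision and GitLab Shell numbers are placeholders, not real releases.
SAMPLE_ENV_INFO = """\
System information
System:
Proxy:\t\tno
Current User:\tgit
Ruby Version:\t3.2.5p208

GitLab information
Version:\t18.7.3-ee
Revision:\tabc1234
Directory:\t/opt/gitlab/embedded/service/gitlab-rails

GitLab Shell
Version:\t14.45.0
"""


def assess_env_info(output: str) -> str:
    return assess(parse_env_info(output))


if __name__ == "__main__":
    # On a real host: sudo gitlab-rake gitlab:env:info | python3 this_script.py
    print(assess_env_info(SAMPLE_ENV_INFO))
```

The check deliberately compares within a branch: 18.7.0 sorts above 18.6.6 as a plain version tuple, yet it predates the 18.7.4 fix, which is exactly the mistake a naive "is it at least 18.6.6" test makes.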
📡 Detection & Monitoring
Log Indicators:
- Multiple GraphQL queries to same file in short timeframe
- Unusual file upload patterns from authenticated users
Network and Host Indicators:
- Sustained high volume of POST requests to /api/graphql from a single account or client address
- Rising CPU and memory use on the GitLab Rails (Puma) workers that tracks the GraphQL request volume rather than overall user activity
SIEM Query (Splunk-style; field names follow gitlab-rails/graphql_json.log, so adapt the sourcetype and field extraction to your ingestion, and treat the thresholds as starting points):
sourcetype="gitlab:graphql_json" | rename meta.user AS user | bin _time span=1m | stats count AS requests sum(duration_s) AS total_s BY _time, user, query_string | where requests > 100 OR total_s > 60
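The same detection logic as the query above, but runnable offline against raw log lines, as an added example that is not part of the advisory: it groups GraphQL requests by user and identical query (text plus variables), counts them in a sliding window and reports the peak rate and the server time they consumed. The sample lines are constructed in the shape of graphql_json.log; the `placeholderFile` field in them is not a real GitLab GraphQL field and the query is not the one that triggers this CVE.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample, one JSON object per line as in gitlab-rails/graphql_json.log.
# "alice" replays one query six times in 22 seconds; "bob" and alice's second
# query are normal traffic. Query text is a placeholder, not the vulnerable one.
SAMPLE_LOG = """\
{"time":"2026-02-11T10:00:00Z","meta.user":"alice","meta.remote_ip":"203.0.113.7","operation_name":"GetFile","query_string":"query GetFile($path: String!) { placeholderFile(path: $path) { size } }","variables":{"path":"upload.bin"},"complexity":4,"depth":2,"duration_s":2.4}
{"time":"2026-02-11T10:00:04Z","meta.user":"alice","meta.remote_ip":"203.0.113.7","operation_name":"GetFile","query_string":"query GetFile($path: String!) { placeholderFile(path: $path) { size } }","variables":{"path":"upload.bin"},"complexity":4,"depth":2,"duration_s":2.4}
{"time":"2026-02-11T10:00:06Z","meta.user":"bob","meta.remote_ip":"198.51.100.3","operation_name":"GetFile","query_string":"query GetFile($path: String!) { placeholderFile(path: $path) { size } }","variables":{"path":"README.md"},"complexity":4,"depth":2,"duration_s":0.1}
{"time":"2026-02-11T10:00:09Z","meta.user":"alice","meta.remote_ip":"203.0.113.7","operation_name":"GetFile","query_string":"query GetFile($path: String!) {  placeholderFile(path: $path) { size } }","variables":{"path":"upload.bin"},"complexity":4,"depth":2,"duration_s":2.4}
{"time":"2026-02-11T10:00:13Z","meta.user":"alice","meta.remote_ip":"203.0.113.7","operation_name":"GetFile","query_string":"query GetFile($path: String!) { placeholderFile(path: $path) { size } }","variables":{"path":"upload.bin"},"complexity":4,"depth":2,"duration_s":2.4}
{"time":"2026-02-11T10:00:15Z","meta.user":"alice","meta.remote_ip":"203.0.113.7","operation_name":"GetFile","query_string":"query GetFile($path: String!) { placeholderFile(path: $path) { size } }","variables":{"path":"other.bin"},"complexity":4,"depth":2,"duration_s":0.2}
{"time":"2026-02-11T10:00:18Z","meta.user":"alice","meta.remote_ip":"203.0.113.7","operation_name":"GetFile","query_string":"query GetFile($path: String!) { placeholderFile(path: $path) { size } }","variables":{"path":"upload.bin"},"complexity":4,"depth":2,"duration_s":2.4}
{"time":"2026-02-11T10:00:22Z","meta.user":"alice","meta.remote_ip":"203.0.113.7","operation_name":"GetFile","query_string":"query GetFile($path: String!) { placeholderFile(path: $path) { size } }","variables":{"path":"upload.bin"},"complexity":4,"depth":2,"duration_s":2.4}
{"time":"2026-02-11T10:00:50Z","meta.user":"bob","meta.remote_ip":"198.51.100.3","operation_name":"CurrentUser","query_string":"query CurrentUser { currentUser { username } }","variables":{},"complexity":2,"depth":2,"duration_s":0.05}
{"time":"2026-02-11T10:02:00Z","meta.user":"alice","meta.remote_ip":"203.0.113.7","operation_name":"GetFile","query_string":"query GetFile($path: String!) { placeholderFile(path: $path) { size } }","variables":{"path":"upload.bin"},"complexity":4,"depth":2,"duration_s":2.4}
"""


def parse_log(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def _timestamp(rec):
    # graphql_json.log timestamps are UTC with a trailing Z; fromisoformat wants +00:00
    return datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))


def _signature(rec):
    # Identical query = same text (whitespace-normalised) with the same variables,
    # so the attacker cannot evade by re-indenting the query.
    query = " ".join(rec.get("query_string", "").split())
    variables = json.dumps(rec.get("variables", {}), sort_keys=True)
    return f"{query} {variables}"


def find_repeated_queries(records, window_s=60, threshold=5):
    """One alert per (user, identical query) whose request count inside any
    window_s-second window reached threshold. Records must be in time order."""
    recent = defaultdict(deque)       # key -> timestamps still inside the window
    peak = {}                         # key -> highest in-window count seen
    total_s = defaultdict(float)      # key -> cumulative server time spent
    for rec in records:
        key = (rec.get("meta.user", "<anonymous>"), _signature(rec))
        ts = _timestamp(rec)
        window = recent[key]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()          # expire requests older than the window
        peak[key] = max(peak.get(key, 0), len(window))
        total_s[key] += float(rec.get("duration_s", 0))
    alerts = []
    for (user, signature), count in peak.items():
        if count >= threshold:
            alerts.append({
                "user": user,
                "peak_count": count,
                "window_s": window_s,
                "total_duration_s": round(total_s[(user, signature)], 2),
                "query": signature[:80],
            })
    return sorted(alerts, key=lambda a: -a["peak_count"])


if __name__ == "__main__":
    for alert in find_repeated_queries(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Two design points. Keying on user plus query rather than user alone keeps a busy but legitimate account (many different queries) out of the alert, while a single query replayed against one uploaded file stands out; the cumulative `duration_s` is the second signal worth paging on, because a DoS of this kind shows up as server time burned, not just request count. Run it against `/var/log/gitlab/gitlab-rails/graphql_json.log` on Omnibus installs and tune `window_s` and `threshold` against a quiet day's baseline before wiring it into alerting.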