CVE-2026-1092
Published: 08 April 2026
Summary
CVE-2026-1092 is a high-severity Improper Validation of Specified Quantity in Input (CWE-1284) vulnerability in Gitlab Gitlab. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the root cause by enforcing validation of JSON payloads to prevent resource exhaustion from improper input handling.
Provides specific protection against denial-of-service attacks, including those causing resource exhaustion via specially crafted unauthenticated JSON payloads.
Mandates timely flaw remediation through patching GitLab to versions like 18.10.3, eliminating the improper input validation vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote exploitation of public-facing GitLab app via crafted JSON input directly enables T1190; resulting resource exhaustion and service crash maps to T1499.004 Application or System Exploitation.
NVD Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service due to improper input validation of…
more
JSON payloads.
Deeper analysisAI
CVE-2026-1092 is a denial-of-service vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE) stemming from improper input validation of JSON payloads (CWE-1284). It affects all versions from 12.10 prior to 18.8.9, 18.9 prior to 18.9.5, and 18.10 prior to 18.10.3. The issue has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its high availability impact with no confidentiality or integrity effects.
An unauthenticated attacker can exploit this vulnerability remotely over the network with low attack complexity and no user interaction or privileges required. By sending a specially crafted JSON payload, the attacker triggers improper validation, leading to resource exhaustion and denial of service on the affected GitLab instance.
GitLab has remediated the vulnerability through security patch releases, including GitLab 18.10.3. Administrators should upgrade to patched versions such as 18.8.9, 18.9.5, or 18.10.3 or later. Additional details are available in the GitLab patch release notes at https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/, the associated work item at https://gitlab.com/gitlab-org/gitlab/-/work_items/586479, and the HackerOne report at https://hackerone.com/reports/3487030.
Details
- CWE(s)