CVE-2026-1868
Published: 09 February 2026
Summary
CVE-2026-1868 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Gitlab (inferred from references). Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-1868 is a vulnerability in the Duo Workflow Service component of GitLab AI Gateway, caused by insecure template expansion of user-supplied data via crafted Duo Agent Platform Flow definitions. It affects all versions of GitLab AI Gateway from 18.1.6, 18.2.6, 18.3.1 to 18.6.1, 18.7.0, and 18.8.0. The issue corresponds to CWE-1336 (Incorrect Handling of Extremely Large or Infinite Input) and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
The vulnerability can be exploited by a low-privileged authenticated user over the network with low attack complexity and no user interaction required. Successful exploitation enables denial of service or remote code execution on the AI Gateway itself, with a changed scope leading to high impacts on confidentiality, integrity, and availability.
GitLab has remediated the issue in AI Gateway versions 18.6.2, 18.7.1, and 18.8.1. Additional details are available in the patch release notes at https://about.gitlab.com/releases/2026/02/06/patch-release-gitlab-ai-gateway-18-8-1-released/ and the related work item at https://gitlab.com/gitlab-org/modelops/applied-ml/code-suggestions/ai-assist/-/work_items/1850.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6917
Vulnerability details
GitLab has remediated a vulnerability in the Duo Workflow Service component of GitLab AI Gateway affecting all versions of the AI Gateway from 18.1.6, 18.2.6, 18.3.1 to 18.6.1, 18.7.0, and 18.8.0 in which AI Gateway was vulnerable to insecure template…
more
expansion of user supplied data via crafted Duo Agent Platform Flow definitions. This vulnerability could be used to cause Denial of Service or gain code execution on the Gateway. This has been fixed in versions 18.6.2, 18.7.1, and 18.8.1 of the GitLab AI Gateway.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Enterprise AI Assistants
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Server-side RCE/DoS via unauthenticated template expansion of attacker-controlled input directly matches exploitation of a public-facing application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates insecure template expansion by validating and sanitizing user-supplied Duo Agent Platform Flow definitions to prevent DoS or RCE.
Ensures timely identification, reporting, and remediation of flaws like CVE-2026-1868 through patching affected GitLab AI Gateway versions.
Restricts input size and characteristics of Flow definitions to counter CWE-1336 resource exhaustion leading to DoS.