Cyber Resilience

CVE-2026-1868

Critical

Published: 09 February 2026

Published
09 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0050 38.7th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-1868 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Gitlab (inferred from references). Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-1868 is a vulnerability in the Duo Workflow Service component of GitLab AI Gateway, caused by insecure template expansion of user-supplied data via crafted Duo Agent Platform Flow definitions. It affects all versions of GitLab AI Gateway from 18.1.6, 18.2.6, 18.3.1 to 18.6.1, 18.7.0, and 18.8.0. The issue corresponds to CWE-1336 (Incorrect Handling of Extremely Large or Infinite Input) and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

The vulnerability can be exploited by a low-privileged authenticated user over the network with low attack complexity and no user interaction required. Successful exploitation enables denial of service or remote code execution on the AI Gateway itself, with a changed scope leading to high impacts on confidentiality, integrity, and availability.

GitLab has remediated the issue in AI Gateway versions 18.6.2, 18.7.1, and 18.8.1. Additional details are available in the patch release notes at https://about.gitlab.com/releases/2026/02/06/patch-release-gitlab-ai-gateway-18-8-1-released/ and the related work item at https://gitlab.com/gitlab-org/modelops/applied-ml/code-suggestions/ai-assist/-/work_items/1850.

EU & UK References

Vulnerability details

GitLab has remediated a vulnerability in the Duo Workflow Service component of GitLab AI Gateway affecting all versions of the AI Gateway from 18.1.6, 18.2.6, 18.3.1 to 18.6.1, 18.7.0, and 18.8.0 in which AI Gateway was vulnerable to insecure template…

more

expansion of user supplied data via crafted Duo Agent Platform Flow definitions. This vulnerability could be used to cause Denial of Service or gain code execution on the Gateway. This has been fixed in versions 18.6.2, 18.7.1, and 18.8.1 of the GitLab AI Gateway.

CWE(s)

AI Security AnalysisAI

AI Category
Enterprise AI Assistants
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Server-side RCE/DoS via unauthenticated template expansion of attacker-controlled input directly matches exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-53909Shared CWE-1336
CVE-2026-34587Shared CWE-1336
CVE-2022-23851Shared CWE-1336
CVE-2025-49828Shared CWE-1336
CVE-2026-21448Shared CWE-1336
CVE-2026-9558Shared CWE-1336
CVE-2025-59340Shared CWE-1336
CVE-2026-33654Shared CWE-1336
CVE-2026-28784Shared CWE-1336
CVE-2025-64087Shared CWE-1336

Affected Assets

Gitlab
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates insecure template expansion by validating and sanitizing user-supplied Duo Agent Platform Flow definitions to prevent DoS or RCE.

prevent

Ensures timely identification, reporting, and remediation of flaws like CVE-2026-1868 through patching affected GitLab AI Gateway versions.

prevent

Restricts input size and characteristics of Flow definitions to counter CWE-1336 resource exhaustion leading to DoS.

References