CVE-2026-3988
Published: 25 March 2026
Summary
CVE-2026-3988 is a high-severity Inefficient Algorithmic Complexity (CWE-407) vulnerability in Gitlab Gitlab. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 44.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the root cause of improper input validation in GraphQL request processing by enforcing validation of all inputs to prevent specially crafted requests from causing denial of service.
Provides denial-of-service protection mechanisms, such as rate limiting or resource throttling, to limit the impact of unauthenticated crafted GraphQL requests exhausting system resources.
Ensures timely flaw remediation by patching GitLab to vulnerable versions prior to 18.8.7, 18.9.3, or 18.10.1, eliminating the specific input validation vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes remote unauthenticated exploitation of a public-facing web app (GitLab GraphQL endpoint) via crafted requests that crash the application, directly enabling T1499.004 (Application or System Exploitation) for endpoint DoS.
NVD Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to cause a denial of service by making the GitLab instance…
more
unresponsive due to improper input validation in GraphQL request processing.
Deeper analysisAI
CVE-2026-3988 is a denial-of-service vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE), stemming from improper input validation in GraphQL request processing. It affects all versions from 18.5 prior to 18.8.7, 18.9 prior to 18.9.3, and 18.10 prior to 18.10.1. The issue, classified under CWE-407 (Inappropriate Resource Shutdown or Modification), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its high-impact availability disruption potential over the network without authentication.
An unauthenticated attacker can exploit this vulnerability by sending specially crafted GraphQL requests, causing the GitLab instance to become unresponsive and effectively denying service to legitimate users. No privileges, user interaction, or special conditions are required, making it accessible to remote adversaries scanning for vulnerable instances.
GitLab has released patches addressing this issue, including version 18.10.1 as detailed in their patch release notes. Security practitioners should upgrade affected GitLab CE/EE installations to 18.8.7, 18.9.3, or 18.10.1 or later. Additional details are available in the GitLab work item and the originating HackerOne report.
Details
- CWE(s)