Cyber Resilience

CVE-2026-3988

HighDDoS

Published: 25 March 2026

Published
25 March 2026
Modified
26 March 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0024 47.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3988 is a high-severity Inefficient Algorithmic Complexity (CWE-407) vulnerability in Gitlab Gitlab. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 47.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-3988 is a denial-of-service vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE), stemming from improper input validation in GraphQL request processing. It affects all versions from 18.5 prior to 18.8.7, 18.9 prior to 18.9.3, and 18.10 prior to 18.10.1. The issue, classified under CWE-407 (Inappropriate Resource Shutdown or Modification), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its high-impact availability disruption potential over the network without authentication.

An unauthenticated attacker can exploit this vulnerability by sending specially crafted GraphQL requests, causing the GitLab instance to become unresponsive and effectively denying service to legitimate users. No privileges, user interaction, or special conditions are required, making it accessible to remote adversaries scanning for vulnerable instances.

GitLab has released patches addressing this issue, including version 18.10.1 as detailed in their patch release notes. Security practitioners should upgrade affected GitLab CE/EE installations to 18.8.7, 18.9.3, or 18.10.1 or later. Additional details are available in the GitLab work item and the originating HackerOne report.

EU & UK References

Vulnerability details

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to cause a denial of service by making the GitLab instance…

more

unresponsive due to improper input validation in GraphQL request processing.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes remote unauthenticated exploitation of a public-facing web app (GitLab GraphQL endpoint) via crafted requests that crash the application, directly enabling T1499.004 (Application or System Exploitation) for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-12664Same product: Gitlab Gitlab
CVE-2026-0958Same product: Gitlab Gitlab
CVE-2025-14511Same product: Gitlab Gitlab
CVE-2026-1388Same product: Gitlab Gitlab
CVE-2024-9631Same product: Gitlab Gitlab
CVE-2026-1725Same product: Gitlab Gitlab
CVE-2024-2878Same product: Gitlab Gitlab
CVE-2025-1257Same product: Gitlab Gitlab
CVE-2025-13928Same product: Gitlab Gitlab
CVE-2026-1458Same product: Gitlab Gitlab

Affected Assets

gitlab
gitlab
18.10.0 · 18.5.0 — 18.8.7 · 18.5.0 — 18.8.7 · 18.9.0 — 18.9.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the root cause of improper input validation in GraphQL request processing by enforcing validation of all inputs to prevent specially crafted requests from causing denial of service.

prevent

Provides denial-of-service protection mechanisms, such as rate limiting or resource throttling, to limit the impact of unauthenticated crafted GraphQL requests exhausting system resources.

prevent

Ensures timely flaw remediation by patching GitLab to vulnerable versions prior to 18.8.7, 18.9.3, or 18.10.1, eliminating the specific input validation vulnerability.

References