{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1069", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2026-01-16T20:04:12.779Z", "datePublished": "2026-03-11T16:05:10.674Z", "dateUpdated": "2026-03-11T19:39:56.098Z"}, "containers": {"cna": {"title": "Uncontrolled Recursion in GitLab", "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances."}], "affected": [{"vendor": "GitLab", "product": "GitLab", "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "versions": [{"version": "18.9", "status": "affected", "lessThan": "18.9.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-674: Uncontrolled Recursion", "cweId": "CWE-674", "type": "CWE"}]}], "references": [{"url": "https://hackerone.com/reports/3483687", "name": "HackerOne Bug Bounty Report #3483687", "tags": ["technical-description", "exploit", "permissions-required"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/586474"}, {"url": "https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "solutions": [{"lang": "en", "value": "Upgrade to versions 18.7.6, 18.8.6, 18.9.2 or above."}], "credits": [{"lang": "en", "value": "Thanks [a92847865](https://hackerone.com/a92847865) for reporting this vulnerability through our HackerOne bug bounty program", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-03-11T16:05:10.674Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T19:39:21.302747Z", "id": "CVE-2026-1069", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T19:39:56.098Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1069", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T19:39:21.302747Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T19:39:50.912Z"}}], "cna": {"title": "Uncontrolled Recursion in GitLab", "credits": [{"lang": "en", "type": "finder", "value": "Thanks [a92847865](https://hackerone.com/a92847865) for reporting this vulnerability through our HackerOne bug bounty program"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "vendor": "GitLab", "product": "GitLab", "versions": [{"status": "affected", "version": "18.9", "lessThan": "18.9.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to versions 18.7.6, 18.8.6, 18.9.2 or above."}], "references": [{"url": "https://hackerone.com/reports/3483687", "name": "HackerOne Bug Bounty Report #3483687", "tags": ["technical-description", "exploit", "permissions-required"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/586474"}, {"url": "https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/"}], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-674", "description": "CWE-674: Uncontrolled Recursion"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-03-11T16:05:10.674Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1069", "state": "PUBLISHED", "dateUpdated": "2026-03-11T19:39:56.098Z", "dateReserved": "2026-01-16T20:04:12.779Z", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "datePublished": "2026-03-11T16:05:10.674Z", "assignerShortName": "GitLab"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "44EAE9A6-5ED9-42F6-9BBD-0E2F8072F0D9", "versionEndExcluding": "18.9.2", "versionStartIncluding": "18.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "12A2DEC0-C471-4C98-960C-405209403AB9", "versionEndExcluding": "18.9.2", "versionStartIncluding": "18.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances."}], "id": "CVE-2026-1069", "lastModified": "2026-03-13T12:35:38.543", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cve@gitlab.com", "type": "Secondary"}]}, "published": "2026-03-11T16:16:22.170", "references": [{"source": "cve@gitlab.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/"}, {"source": "cve@gitlab.com", "tags": ["Broken Link"], "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/586474"}, {"source": "cve@gitlab.com", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/3483687"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-674"}], "source": "cve@gitlab.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[18.9,18.9.2)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "GitLab", "source": "cna", "vendor": "GitLab"}, "product": "gitlab", "vendor": "gitlab"}], "analysis": {"en": {"generated_at": "2026-03-17T15:28:51.386402+00:00", "value": {"mitigation_remediation": ["Upgrade to GitLab version 18.7.6, 18.8.6, 18.9.2 or later."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The issue affects GitLab Community Edition and Enterprise Edition installations running any 18.9 release older than 18.9.2. All affected deployments are covered under the GitLab:GitLab vendor product line as defined in the CPE list.", "description_and_impact": "The vulnerability is an uncontrolled recursion in GitLab\u2019s GraphQL processing that can be triggered by an unauthenticated user. By sending specially crafted GraphQL requests, an attacker can cause excessive CPU and memory usage, potentially exhausting system resources and resulting in service interruption. This issue, classified as CWE-674, is a denial of service vulnerability.", "risk_and_exploitability": "The CVSS base score of 7.5 classifies this as a high severity vulnerability. The EPSS score is reported as less than 1%, indicating a low probability of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers can trigger the denial of service remotely via unauthenticated GraphQL requests as described in the vendor\u2019s advisory."}}}}, "created": "2026-03-12T09:58:11.696960+00:00", "updated": "2026-03-20T15:30:46.501135+00:00", "vendors": ["gitlab", "gitlab$PRODUCT$gitlab"]}