An attacker can make your GitLab environment unavailable without needing any account or password, using only crafted web requests. For organizations where GitLab hosts source code, runs CI/CD pipelines, or manages software releases, a successful attack halts developer productivity and can delay product deployments. If your GitLab instance is internet-facing and unpatched, you have meaningful exposure to service disruption with no exploitation barrier.
You Are Affected If
You run GitLab CE or EE version 18.5.x, 18.6.x, 18.7.x, 18.8.x, or 18.9.0 through 18.9.6 in production
You run GitLab CE or EE version 18.10.0 through 18.10.5 in production
You run GitLab CE or EE version 18.11.0 through 18.11.2 in production
Your GitLab instance is internet-facing or reachable from untrusted networks without WAF or rate-limiting controls on API endpoints
You have not yet applied GitLab patches 18.9.7, 18.10.6, or 18.11.3
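To turn the version list above into a repeatable inventory check, here is an added Python example (not part of this advisory and not GitLab's own code): it parses a GitLab version string as the API reports it, reports whether it falls inside one of the ranges listed, and names the fixed release. For the 18.5 through 18.8 lines, which have no fixed release of their own, it assumes the lowest fixed release named above, 18.9.7, is the upgrade target; versions the advisory does not mention are reported as "unlisted", not as safe.

```python
from typing import Dict, List, Optional, Tuple

# Affected 18.x lines transcribed from the advisory: minor -> (lowest patch,
# highest patch). None means every patch level of that line is affected.
AFFECTED_18X: Dict[int, Tuple[int, Optional[int]]] = {
    5: (0, None), 6: (0, None), 7: (0, None), 8: (0, None),
    9: (0, 6), 10: (0, 5), 11: (0, 2),
}
# Fixed releases named in the advisory, keyed by minor line.
FIXED_RELEASE: Dict[int, str] = {9: "18.9.7", 10: "18.10.6", 11: "18.11.3"}
# Assumption: lines with no fix of their own move to the lowest fixed release.
DEFAULT_TARGET = FIXED_RELEASE[9]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a '-ee' style suffix, as GitLab reports, is dropped."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, target_release).

    status: 'affected' (inside a listed range), 'patched' (at or past the fixed
    release of a listed line), or 'unlisted' (advisory is silent; not proof of safety).
    """
    major, minor, patch = parse_version(version)
    if major != 18 or minor not in AFFECTED_18X:
        return "unlisted", None
    low, high = AFFECTED_18X[minor]
    if high is None or low <= patch <= high:
        return "affected", FIXED_RELEASE.get(minor, DEFAULT_TARGET)
    return "patched", None


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Assess every host in a {hostname: version} map, affected hosts first."""
    rows = [(host, ver, *assess(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: r[2] != "affected")


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"git.example.test": "18.10.5-ee", "ci.example.test": "18.11.3",
              "legacy.example.test": "18.7.2", "old.example.test": "18.4.1"}
    for host, ver, status, target in triage(sample):
        print(f"{host:22} {ver:12} {status:9} {target or ''}")
```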
Board Talking Points
A publicly disclosed vulnerability in our GitLab software development platform allows any outside attacker to knock it offline without needing a password or account.
The security team should upgrade affected GitLab instances to patched versions within the organization's standard high-severity patch window, typically 7-14 days; immediate action is warranted for internet-exposed instances.
Without patching, development pipelines and source code repositories remain vulnerable to deliberate disruption, which could delay software releases and affect business commitments.