CVE-2026-7250: Allocation of Resources Without Limits or Throttling in GitLab
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an unauthenticated user to cause denial of service due to improper input validation in the API request parsing middleware.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 18.10.8
- Affected Products: 1
HarborGuard Analysis
Synopsis
An allocation-without-limits vulnerability in GitLab CE/EE allows an unauthenticated remote attacker to exhaust server resources through the API request parsing middleware. The flaw is reachable over the network with no credentials required and no user interaction needed, making it trivially exploitable from the open internet. Successful exploitation crashes or hangs the GitLab service, denying access to all users. A patched-image rebuild at versions 18.10.8, 18.11.5, or 19.0.2 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection (Available): Detection of CVE-2026-7250 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built GitLab images. Coverage extends to any image layer that carries an affected GitLab CE/EE version, from 12.10 up to each release line's fix boundary.
Triage (Available): Triage is available with CVSS 7.5 HIGH scoring applied automatically, weighted against each customer environment's configured compliance policy to surface urgency appropriately. Findings are routed to the designated inbox or ticket queue for the relevant team within each customer organization.
Remediation (Available): A patched-image rebuild at the fix versions (18.10.8, 18.11.5, or 19.0.2, matched to the customer's tracked release line) becomes available on HarborGuard as soon as the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the GitLab API over the network; any internet-exposed or internally networked GitLab instance is in scope.
- Authentication: Not required
No account or session token is needed; the malformed request can be sent anonymously to the API middleware.
- Victim interaction: Not required
The attack is entirely server-side and requires no action from any GitLab user or administrator.
- Attack complexity: Low
Exploitation is reliable and condition-free; no race condition, memory layout dependency, or special environment state is required.
Blast Radius
- Crashes or hangs the GitLab API service, making repositories, CI/CD pipelines, and the web interface unavailable to all users.
- Sustained or repeated requests can prevent automated systems and developers from pushing code, triggering pipelines, or accessing project data.
- Service disruption affects all projects and namespaces hosted on the targeted GitLab instance for the duration of the attack.
How HarborGuard Handles This
Available on HarborGuard: images running GitLab CE/EE versions from 12.10 up to the fix boundaries are flagged HIGH immediately on CVE ingestion. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the appropriate fix version (18.10.8, 18.11.5, or 19.0.2), runs regression tests, and opens a PR against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is queued and prioritized according to the configured severity threshold. Until a patched image is deployed, network-policy isolation limiting API exposure to known-good CIDR ranges and rate-limiting at the ingress or load-balancer layer are available as compensating controls to reduce the attack surface.
Fix available
- GitLab / GitLab: < 18.10.8 (from 12.10) · < 18.11.5 (from 18.11) · < 19.0.2 (from 19.0)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
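The three half-open ranges in the "Fix available" line are easy to get wrong by hand (18.10.8 is fixed, 18.11.0 is affected, 18.10.9 is not). The following is an added example, not HarborGuard's or GitLab's code, that maps a GitLab version string or image tag to the fix version on its own release line; the accepted tag shapes (an optional `v` prefix, an optional `-ee`/`-ce` suffix with an optional `.N` build number) are an assumption about how such tags are written.

```python
# Added example (not HarborGuard's or GitLab's code): decide whether a GitLab
# CE/EE version falls in one of the affected ranges this advisory lists and,
# if so, which fix version on the same release line closes it.
import re

# (introduced_from, fixed_in) pairs, taken from the advisory's "Fix available" line.
# Each range is half-open: the introducing version is affected, the fix is not.
AFFECTED_RANGES = [
    ((12, 10, 0), (18, 10, 8)),
    ((18, 11, 0), (18, 11, 5)),
    ((19, 0, 0), (19, 0, 2)),
]

# Assumed tag shapes: "18.10.7", "v18.11", "19.0.1-ee", "19.0.1-ce.0".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:ee|ce)(?:\.\d+)?)?$")


def parse_version(text):
    """Turn a version string or image tag into a (major, minor, patch) tuple.

    A missing patch component is treated as .0, so "18.11" means 18.11.0.
    Raises ValueError for anything that is not a recognizable GitLab version.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognized GitLab version: %r" % text)
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def fix_version_for(text):
    """Return the fix version (as a string) if `text` is affected, else None.

    Tuple comparison handles the release-line boundaries correctly: 18.10.9 is
    past the first range's fix and below the second range's start, so it is
    reported as unaffected even though it sits between 12.10 and 18.11.5.
    """
    version = parse_version(text)
    for introduced, fixed in AFFECTED_RANGES:
        if introduced <= version < fixed:
            return "%d.%d.%d" % fixed
    return None


def scan_tags(tags):
    """Map each affected tag in `tags` to its fix version; unaffected tags are omitted."""
    return {tag: fix_version_for(tag) for tag in tags if fix_version_for(tag)}
```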