GitLab GraphQL Recursion DoS (CE/EE) <18.9.2: CVE-2026-1069 March 2026

Uncontrolled Recursion in GitLab
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances.

Vulnerability Analysis

CVE-2026-1069 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

NONE

Integrity Impact:

NONE

Availability Impact:

HIGH

Weakness Type

What is a Stack Exhaustion Vulnerability?

The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.

CVE-2026-1069 has been classified to as a Stack Exhaustion vulnerability or weakness.

Products Associated with CVE-2026-1069

Want to know whenever a new CVE is published for GitLab? stack.watch will email you.

GitLab GraphQL Recursion DoS (CE/EE) <18.9.2
CVE-2026-1069 Published on March 11, 2026

Vulnerability Analysis

Weakness Type

What is a Stack Exhaustion Vulnerability?

Products Associated with CVE-2026-1069

Affected Versions

GitLab GraphQL Recursion DoS (CE/EE) <18.9.2CVE-2026-1069 Published on March 11, 2026

Vulnerability Analysis

Weakness Type

What is a Stack Exhaustion Vulnerability?

Products Associated with CVE-2026-1069

Affected Versions

GitLab GraphQL Recursion DoS (CE/EE) <18.9.2
CVE-2026-1069 Published on March 11, 2026