CVE-2026-1388

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-1388

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-1388.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-1388

Aliases

BIT-gitlab-2026-1388

Downstream

UBUNTU-CVE-2026-1388

Published

2026-02-25T20:05:05.289Z

Modified

2026-03-02T09:41:18.798243Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Inefficient Regular Expression Complexity in GitLab

Details

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause regular expression denial of service by sending specially crafted input to a merge request endpoint under certain conditions.

Database specific

{
    "cwe_ids": [
        "CWE-1333"
    ],
    "cna_assigner": "GitLab",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/1xxx/CVE-2026-1388.json"
}

References

Affected packages

Git / gitlab.com/gitlab-org/gitlab

Affected ranges

Type

GIT

Repo

https://gitlab.com/gitlab-org/gitlab

Events

Introduced

4784d7896d755f282c6c629d236a4583ae45842b

Fixed

f70152f12046139e8d5b1652c185af8af63ebca3

Database specific

{
    "versions": [
        {
            "introduced": "9.2"
        },
        {
            "fixed": "18.7.5"
        }
    ]
}

Type

GIT

Repo

https://gitlab.com/gitlab-org/gitlab

Events

Introduced

1010a9b2b769993080ce8399fd25e77c54e1ad1c

Fixed

a28bcd8f433ae9da128464ded4f904d9a3bd89fe

Database specific

{
    "versions": [
        {
            "introduced": "18.8"
        },
        {
            "fixed": "18.8.5"
        }
    ]
}

Type

GIT

Repo

https://gitlab.com/gitlab-org/gitlab

Events

Introduced

20fe49b575fedd2b8cadc2c0640178879854aeb3

Fixed

91256b9c8dc94308d8be9557b4eb041933a7fffa

Database specific

{
    "versions": [
        {
            "introduced": "18.9"
        },
        {
            "fixed": "18.9.1"
        }
    ]
}

Affected versions

Other

11-10-0cfa69752d8-0d9531c80-ee

11-10-0cfa69752d8-74ffd66ae-ee

11-10-119f9509d50-6d7537235-ee

v10.*

v10.1.0.pre

v10.2.0.pre

v10.3.0.pre

v10.4.0.pre

v10.5.0.pre

v10.6.0.pre

v10.7.0.pre

v10.8.0.pre

v10.9.0.pre

v11.*

v11.0.0.pre

v11.1.0.pre

v11.2.0.pre

v11.3.0.pre

v18.*

v18.7.0-ee

v18.7.0-rc42-ee

v18.7.0-rc43-ee

v18.7.1-ee

v18.7.2-ee

v18.7.3-ee

v18.7.4-ee

v18.8.0-ee

v18.8.1-ee

v18.8.2-ee

v18.8.3-ee

v18.8.4-ee

v18.9.0-ee

v6.*

v6.0.0-ee

v6.0.0-ee.beta

v6.0.0-ee.rc1

v6.1.0-ee

v6.2.1

v6.2.2

v6.3.0-ee

v6.3.1-ee

v6.4.0-ee

v6.4.1

v6.4.2

v6.4.3

v6.5.0-ee

v6.5.1

v6.6.0-ee

v6.6.1

v6.6.2

v6.7.0-ee

v6.7.0.rc1-ee

v6.7.1

v6.7.2

v6.8.0-ee

v6.8.1

v7.*

v7.0.0-ee

v7.1.0-ee

v7.1.0.rc1-ee

v7.2.0.rc1-ee

v7.2.0.rc2-ee

v7.2.0.rc3-ee

v7.2.0.rc4-ee

v7.2.0.rc5-ee

v7.3.0-ee

v7.3.0.rc1-ee

v7.4.0-ee

v7.4.1-ee

v7.4.2-ee

v7.4.3-ee

v7.4.4-ee

v8.*

v8.11.0

v8.11.0-ee

v8.11.0-rc1

v8.11.0-rc1-ee

v8.11.0-rc2

v8.11.0-rc2-ee

v8.11.0-rc3

v8.11.0-rc3-ee

v8.11.0-rc4

v8.11.0-rc4-ee

v8.11.0-rc5

v8.11.0-rc5-ee

v8.11.0-rc6

v8.11.0-rc6-ee

v8.11.0-rc7

v8.11.0-rc7-ee

v8.11.1

v8.12.0

v8.12.0-ee

v8.12.0-rc1

v8.12.0-rc1-ee

v8.12.0-rc2

v8.12.0-rc2-ee

v8.12.0-rc3

v8.12.0-rc3-ee

v8.12.0-rc4

v8.12.0-rc4-ee

v8.12.0-rc5

v8.12.0-rc5-ee

v8.12.0-rc6

v8.12.0-rc6-ee

v8.12.0-rc7

v8.12.0-rc7-ee

v8.12.0.pre

v8.12.1

v8.12.1-ee

v8.12.2

v8.12.2-ee

v8.12.3-ee

v8.2.0-ee

v8.2.0.rc1

v8.2.0.rc1-ee

v8.2.0.rc2

v8.2.0.rc2-ee

v8.8.0

v8.8.0-ee

v8.8.0-rc1

v8.8.0-rc1-ee

v8.8.0-rc2

v8.8.0-rc2-ee

v8.8.1-ee

v9.*

v9.2.0.pre

v9.3.0.pre

v9.5.0.pre

v9.6.0.pre

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-1388.json"