Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
HighPublic exploit

Denial of Service in GitLab Terraform state lock API

IdentifiersCVE-2026-1092CWE-1284· Improper Validation of Specified…

CVE-2026-1092 is a denial-of-service vulnerability in GitLab CE/EE affecting the Terraform state lock API. It impacts all versions from 12.10 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3. The issue is caused by improper input validation of JSON payloads: the API parses attacker-supplied JSON before authentication checks are fully enforced, allowing unauthenticated requests to reach a resource-intensive parsing path. Crafted malformed, oversized, or deeply nested JSON payloads can trigger excessive CPU and/or memory consumption during request processing, resulting in service degradation or outage.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

A remote unauthenticated attacker can cause denial of service against a vulnerable GitLab instance by repeatedly sending malicious JSON payloads to the Terraform state lock API. Successful exploitation can exhaust CPU and memory resources, degrade responsiveness, and disrupt availability of GitLab services. Because the affected endpoint is used for Terraform/OpenTofu state locking, exploitation can also stall infrastructure deployments and interfere with automated CI/CD workflows that depend on state lock operations.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure to the Terraform state lock API by enforcing request body size limits and, where possible, JSON parsing constraints at reverse proxies or WAFs. Restrict network access to GitLab instances and especially Terraform state endpoints to trusted clients only. Monitor logs and telemetry for anomalous or repeated requests to Terraform state lock/unlock endpoints, spikes in request size, and unusual CPU or memory consumption indicative of exploitation attempts.

Remediation

Patch, then assume compromise.

Upgrade GitLab CE/EE to a fixed release: 18.8.9 or later on the 18.8 patch train, 18.9.5 or later on the 18.9 patch train, or 18.10.3 or later on the 18.10 patch train. GitLab.com was already patched at disclosure time; self-managed instances must be upgraded manually. The fix introduces stricter validation and limits on JSON payload structure and size before lock-processing logic is reached.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
GitLabGitlabapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

10 SOURCESView more in app
thecyberexpress com vulnerabilitiesNews
Apr 10, 2026
GitLab Security Update Fixes CVE-2026-5173 Flaw

A denial-of-service vulnerability in GitLab's Terraform state lock API caused by improper JSON validation.

Read more
cyber security newsNews
Apr 9, 2026
GitLab Patches Multiple Vulnerabilities That Enables DoS and Code Injection Attacks

A high-severity GitLab denial-of-service vulnerability in the Terraform state lock API caused by improper JSON validation, exploitable by an unauthenticated user.

Read more
gitlab releasesNews
Apr 8, 2026
GitLab Patch Release: 18.10.3, 18.9.5, 18.8.9 | GitLab

A denial-of-service vulnerability in the GitLab CE/EE Terraform state lock API caused by improper input validation of JSON payloads.

Read more
zeropath blogNews
Apr 8, 2026
Brief Summary: GitLab CE/EE CVE-2026-1092 Unauthenticated Denial of Service via Terraform State Lock API - ZeroPath Blog | ZeroPath

An unauthenticated denial-of-service vulnerability in GitLab CE/EE's Terraform state lock API caused by improper validation of JSON input quantities before authentication is enforced.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity5

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-1092
NVD
nvd.nist.gov/vuln/detail/CVE-2026-1092
MITRE CWE · CWE-1284
Improper Validation of Specified Quantity in…
Vendor Advisory
about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released
Permissions Required
hackerone.com/reports/3487030