Unauthenticated DoS in GitLab CI/CD job update API

Successful exploitation allows an unauthenticated remote attacker to cause denial of service against affected GitLab instances. The provided context indicates this can overwhelm the system and disrupt CI/CD pipelines, code deployment, and related workflow operations. No evidence was provided that this vulnerability enables code execution, authentication bypass beyond anonymous access to the vulnerable endpoint, or data exfiltration.

If immediate patching is not possible, reduce exposure to the CI/CD job update API by restricting network access to trusted sources, placing the instance behind filtering or rate-limiting controls, and monitoring for bursts of malformed or specially crafted requests targeting CI/CD-related endpoints. Because the issue is unauthenticated, minimizing public reachability of the affected API surface is the most relevant temporary mitigation. Specific vendor-endorsed workaround details were not provided in the content.

Upgrade self-managed GitLab CE/EE instances to a fixed release: 18.9.7, 18.10.6, 18.11.3, or later, as applicable to the deployed release train. The provided content states GitLab released emergency security updates on 2026-05-13 and that cloud-hosted GitLab platforms were already patched. For single-node deployments, plan for downtime because database migrations must complete before restart; multi-node deployments can use standard zero-downtime upgrade procedures.