CVE-2026-2845 Overview
A denial of service vulnerability has been discovered in GitLab CE/EE affecting all versions from 11.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1. It allows an authenticated user to cause a denial of service by repeatedly sending large responses through a Bitbucket Server import endpoint. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling).
Critical Impact
Authenticated attackers can exhaust server resources through the Bitbucket Server import functionality, potentially causing service disruption for all GitLab users on the affected instance.
Affected Products
- GitLab CE/EE versions 11.2 to 18.7.4
- GitLab CE/EE versions 18.8.0 to 18.8.4
- GitLab CE/EE version 18.9.0
Discovery Timeline
- 2026-02-25 - CVE-2026-2845 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-2845
Vulnerability Analysis
This vulnerability resides in GitLab's Bitbucket Server import functionality, which is designed to facilitate migration of repositories from Bitbucket Server to GitLab. The import endpoint lacks proper resource allocation limits, allowing authenticated users to exploit this weakness by repeatedly triggering imports with excessively large responses.
The issue stems from improper handling of resource consumption during the import process. When an authenticated user initiates a Bitbucket Server import, the system processes the incoming data without adequate constraints on the size or frequency of requests. Because nothing throttles the importer, a malicious user can overwhelm server resources simply by sustaining this request pattern.
Root Cause
The root cause of this vulnerability is CWE-770: Allocation of Resources Without Limits or Throttling. The Bitbucket Server import endpoint does not implement sufficient rate limiting or size restrictions on incoming import requests. This design flaw allows authenticated users to consume disproportionate server resources by sending large payloads repeatedly, leading to resource exhaustion and service degradation.
Attack Vector
The attack vector is network-based and requires low-privileged authentication. An attacker with valid GitLab credentials can target the Bitbucket Server import endpoint by:
- Authenticating to the vulnerable GitLab instance
- Initiating multiple Bitbucket Server import operations
- Sending large response payloads through the import mechanism
- Repeating this process to exhaust server resources
The vulnerability mechanism involves exploiting the import endpoint's lack of resource allocation controls. When the endpoint processes import requests, it does not adequately limit the amount of memory or processing power allocated to each request. By repeatedly sending large responses, an attacker can force the server to allocate excessive resources, eventually causing service disruption. For detailed technical information, refer to the GitLab Work Item #570554.
Detection Methods for CVE-2026-2845
Indicators of Compromise
- Unusual spikes in resource consumption (CPU, memory) on GitLab servers
- High volume of Bitbucket Server import requests from a single user account
- Repeated import operations with abnormally large payload sizes
- Service degradation or unresponsiveness of GitLab instances
Detection Strategies
- Monitor GitLab application logs for excessive import endpoint activity
- Implement alerting for resource exhaustion events on GitLab servers
- Track authentication patterns associated with Bitbucket Server import operations
- Configure network monitoring to detect sustained high-volume traffic to import endpoints
Monitoring Recommendations
- Enable detailed logging for the Bitbucket Server import functionality
- Set up resource utilization thresholds and alerts for GitLab server instances
- Review user activity logs for patterns indicative of abuse
- Implement application-level monitoring for import endpoint response times
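As an added example (not part of this advisory or of GitLab's own code), the following Python script implements the log-based detection above: it scans production_json.log-style lines for bursts of Bitbucket Server import requests per authenticated user. The sample log lines, user names, IPs, the `/import/bitbucket_server` route prefix and the threshold are constructed or assumed for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample in the shape of GitLab's production_json.log (one JSON
# object per request). Users, IPs and timestamps are made up for this example.
SAMPLE_LOG = """\
{"method":"GET","path":"/import/bitbucket_server/status","controller":"Import::BitbucketServerController","action":"status","status":200,"duration_s":0.42,"time":"2026-02-25T10:00:00.000Z","remote_ip":"203.0.113.10","meta.user":"alice"}
{"method":"POST","path":"/import/bitbucket_server","controller":"Import::BitbucketServerController","action":"create","status":200,"duration_s":31.7,"time":"2026-02-25T10:00:05.000Z","remote_ip":"203.0.113.10","meta.user":"alice"}
{"method":"POST","path":"/import/bitbucket_server","controller":"Import::BitbucketServerController","action":"create","status":200,"duration_s":29.9,"time":"2026-02-25T10:00:10.000Z","remote_ip":"203.0.113.10","meta.user":"alice"}
{"method":"POST","path":"/import/bitbucket_server","controller":"Import::BitbucketServerController","action":"create","status":200,"duration_s":33.1,"time":"2026-02-25T10:00:15.000Z","remote_ip":"203.0.113.10","meta.user":"alice"}
{"method":"POST","path":"/import/bitbucket_server","controller":"Import::BitbucketServerController","action":"create","status":200,"duration_s":30.4,"time":"2026-02-25T10:00:20.000Z","remote_ip":"203.0.113.10","meta.user":"alice"}
{"method":"POST","path":"/import/bitbucket_server","controller":"Import::BitbucketServerController","action":"create","status":200,"duration_s":32.6,"time":"2026-02-25T10:00:25.000Z","remote_ip":"203.0.113.10","meta.user":"alice"}
{"method":"GET","path":"/api/v4/projects","controller":"API::Projects","action":"index","status":200,"duration_s":0.08,"time":"2026-02-25T10:00:26.000Z","remote_ip":"203.0.113.10","meta.user":"alice"}
{"method":"GET","path":"/import/bitbucket_server/status","controller":"Import::BitbucketServerController","action":"status","status":200,"duration_s":0.39,"time":"2026-02-25T10:01:00.000Z","remote_ip":"198.51.100.7","meta.user":"bob"}
{"method":"POST","path":"/import/bitbucket_server","controller":"Import::BitbucketServerController","action":"create","status":200,"duration_s":4.2,"time":"2026-02-25T10:01:30.000Z","remote_ip":"198.51.100.7","meta.user":"bob"}
"""

IMPORT_PREFIX = "/import/bitbucket_server"  # assumed route prefix of the importer

def parse_time(ts):
    """production_json.log timestamps are ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def find_import_bursts(log_text, window_s=60, threshold=5):
    """Return {user: peak} for users whose Bitbucket Server import requests
    exceed `threshold` inside any sliding window of `window_s` seconds."""
    events = defaultdict(list)
    for line in filter(None, log_text.splitlines()):
        rec = json.loads(line)
        if not rec.get("path", "").startswith(IMPORT_PREFIX):
            continue  # unrelated request; only the importer matters here
        # meta.user is the authenticated account; fall back to the client IP
        user = rec.get("meta.user") or rec.get("remote_ip", "unknown")
        events[user].append(parse_time(rec["time"]))
    flagged = {}
    for user, times in events.items():
        times.sort()
        window, peak = deque(), 0
        for t in times:  # sliding window over this user's requests
            window.append(t)
            while (t - window[0]).total_seconds() > window_s:
                window.popleft()
            peak = max(peak, len(window))
        if peak > threshold:
            flagged[user] = peak
    return flagged
```

Point the script at a real production_json.log and tune `window_s` and `threshold` to the import volume that is normal for your instance; the `duration_s` field in the same records is a useful second signal for imports that run unusually long.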
How to Mitigate CVE-2026-2845
Immediate Actions Required
- Upgrade GitLab CE/EE to version 18.7.5, 18.8.5, or 18.9.1 depending on your current version branch
- Review recent Bitbucket Server import activity logs for suspicious patterns
- Consider temporarily restricting access to the Bitbucket Server import feature until patched
- Monitor server resources closely for signs of ongoing exploitation attempts
Patch Information
GitLab has released security patches addressing this vulnerability. Organizations should upgrade to the following fixed versions:
- GitLab CE/EE 18.7.5 for users on the 18.7.x branch
- GitLab CE/EE 18.8.5 for users on the 18.8.x branch
- GitLab CE/EE 18.9.1 for users on the 18.9.x branch
For complete patch details and upgrade instructions, refer to the GitLab Patch Release Announcement.
Workarounds
- Disable the Bitbucket Server import feature temporarily if immediate patching is not possible
- Implement rate limiting at the network or application level for import endpoints
- Restrict Bitbucket Server import permissions to trusted administrators only
- Deploy a web application firewall (WAF) rule to limit request sizes to import endpoints
# Configuration example - restrict Bitbucket Server import access via the GitLab Rails console.
# Run `gitlab-rails console` and execute:
# Feature.enable(:bitbucket_server_import_admin_only)
#
# Alternatively, rate-limit the import endpoint in nginx. limit_req_zone belongs in the
# http {} context (Omnibus: nginx['custom_nginx_config']); the location block belongs in
# the GitLab server {} block (Omnibus: nginx['custom_gitlab_server_config']). The zone is
# keyed by client address, so it throttles per source IP, not per GitLab account.
limit_req_zone $binary_remote_addr zone=bitbucket_import:10m rate=5r/m;

location ~ ^/import/bitbucket_server {
    limit_req zone=bitbucket_import burst=2 nodelay;
    # proxy_set_header is not inherited from location /, so pass the headers Workhorse needs
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://gitlab-workhorse;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.