GitLab AI Gateway – Insecure Template Expansion (Duo Workflow Service)
CVE Overview
CVE ID: CVE-2026-1868
Product: GitLab AI Gateway (Duo Self-Hosted)
Component: Duo Workflow Service (Agent Platform Flow processing)
Vulnerability Type: Insecure Template Expansion / Server-Side Template Injection
Impact: Remote Code Execution (RCE) and Denial of Service (DoS)
CVSS v3.1 Score: 9.9 (Critical)
Attack Vector: Network
Privileges Required: Low (authenticated user)
User Interaction: None
Exploitability: High
Exploit Availability: No widely trusted public exploit kit confirmed; technical details sufficient for skilled attackers
Vulnerability Summary
A critical vulnerability was identified in GitLab AI Gateway within the Duo Workflow Service responsible for processing Agent Platform Flow definitions. These flow definitions allow structured automation and AI-assisted workflows.
During template processing, user-supplied input was expanded without proper neutralization of template directives. Instead of being treated as plain data, specially crafted input could be interpreted and executed by the underlying template engine.
Because the expansion occurred server-side, malicious directives embedded inside flow definitions could trigger unintended evaluation. Depending on runtime configuration and execution context, this behavior allowed:
- Execution of arbitrary commands on the AI Gateway host (RCE), or
- Service instability, crash, or resource exhaustion (DoS)
The flaw stemmed from improper separation between template logic and user-controlled data.
Affected Versions
All GitLab AI Gateway releases:
- 18.1.6 through versions before 18.6.2
- 18.2.6 through versions before 18.7.1
- 18.3.1 through versions before 18.8.1
Official Patch / Upgrade
The issue has been resolved in:
- 18.6.2
- 18.7.1
- 18.8.1
Official GitLab Patch Advisory:
https://about.gitlab.com/releases/2026/02/06/patch-release-gitlab-ai-gateway-18-8-1-released
Immediate upgrade is strongly recommended.
Technical Root Cause
The Duo Workflow Service processes “flow definitions,” which include structured templates for AI orchestration. These templates are dynamically expanded during execution.
Improper neutralization allowed special template syntax markers to be evaluated. The template engine interpreted these markers as executable expressions instead of static strings.
In secure template design:
- Template logic is defined separately.
- User input is escaped or treated as data.
In this case:
- User input reached the template rendering engine.
- Expression evaluation was not sufficiently restricted.
- Sandbox boundaries were insufficient or bypassable.
This resulted in server-side template injection behavior.
Exploitation Scenario
Exploitation required:
- Valid authenticated access to GitLab.
- Permission to create or modify Duo flow definitions.
- Ability to insert malicious template directives into flow parameters.
Once a malicious flow was submitted:
- The AI Gateway parsed the flow.
- Template expansion occurred.
- The malicious expression was evaluated.
- Execution happened in the context of the AI Gateway process.
If the template engine exposed system-level functions, command execution became possible.
If system functions were restricted, attackers could still trigger:
- Infinite recursion
- Heavy memory allocation
- Large loop execution
- Application crashes
Proof-of-Concept
For defensive understanding only:
Template injection vulnerabilities are typically identified by inserting harmless evaluation expressions to confirm execution context.
Common test indicators in template engines include:
- Arithmetic evaluation tests
- String concatenation tests
- Object introspection tests
If such expressions return computed output instead of literal text, the template engine is evaluating user input.
No active exploit code is provided here. Testing should be conducted only in isolated lab environments.
Indicators of Exploitation
Application-Level Indicators
- Unexpected template parsing errors
- Stack traces referencing template rendering
- Sudden 500 errors when flows execute
- Unusual flow execution logs
Host-Level Indicators
- New child processes spawned from AI Gateway process
- Shell invocation events
- Unusual outbound network traffic
- Creation of temporary files in system temp directories
Behavioral Indicators
- Multiple rapid modifications to flow definitions
- Low-privileged users editing complex templates
- Increased CPU or memory usage on AI Gateway host
Log Sources for Detection
- GitLab AI Gateway application logs
- GitLab audit logs
- Web/API access logs
- System process creation logs (Windows Event 4688 / Sysmon / auditd)
- EDR telemetry
- Firewall / outbound traffic logs
Detection Queries
Splunk – Suspicious Flow Creation with Template Markers
index=gitlab sourcetype=access_logs
method=POST uri_path="/api/duo/flows"
| search request_body="*{{*" OR request_body="*{%=*" OR request_body="*${*"
| table _time user src_ip uri_path request_body
Splunk – Template Rendering Errors
index=gitlab sourcetype=ai_gateway_logs
("template" AND "exception") OR "render error"
| stats count by user, src_ip
Microsoft Sentinel – Suspicious Process Spawn
SecurityEvent
| where EventID == 4688
| where ParentProcessName contains "ai-gateway"
| where NewProcessName contains "cmd.exe"
or NewProcessName contains "powershell.exe"
or NewProcessName contains "bash"
| project TimeGenerated, Computer, Account, ParentProcessName, NewProcessName
Elastic – Unusual Child Processes
process.parent.name : "ai-gateway*" and
process.name : ("bash" or "sh" or "cmd.exe" or "powershell.exe")
Elastic – Excessive Flow Modifications
event.dataset: gitlab.audit and
event.action: ("flow_create" or "flow_update")
| stats count by user.name
| where count > 10
Denial of Service Detection
Monitor for:
- CPU spikes above baseline
- Memory exhaustion events
- Repeated crash/restart of AI Gateway container
- Kubernetes pod restarts (if deployed in K8s)
Kubernetes Query:
kubernetes.pod.name : "ai-gateway*" and
kubernetes.container.restart_count > 3
MITRE ATT&CK Mapping
- T1190 – Exploit Public-Facing Application
- T1059 – Command and Scripting Interpreter
- T1499 – Endpoint Denial of Service
- T1105 – Ingress Tool Transfer (if follow-up payload retrieval occurs)
Risk Assessment
If exploited for RCE:
- Gateway host compromise
- Lateral movement risk
- AI prompt/response manipulation
- Credential harvesting
- Data exfiltration
If exploited for DoS:
- AI service interruption
- CI/CD workflow disruption
- Developer productivity impact
Because the attack requires authentication, insider threat and compromised accounts represent elevated risk factors.
Mitigation Strategy
Immediate
- Upgrade to patched versions immediately.
- Restrict Duo flow creation permissions.
- Enable enhanced logging for AI Gateway.
- Monitor for suspicious template markers in requests.
Short-Term Hardening
- Apply strict RBAC controls.
- Limit outbound traffic from AI Gateway host.
- Deploy EDR with command execution monitoring.
- Implement WAF rules blocking suspicious template tokens.
Long-Term
- Separate template logic from user input.
- Enforce secure template rendering APIs.
- Conduct code review for dynamic evaluation usage.
- Add security testing for injection vulnerabilities.
Incident Response Guidance
If exploitation is suspected:
- Isolate AI Gateway host.
- Collect process execution logs.
- Dump active connections.
- Review modified flow definitions.
- Reset credentials of users who edited flows.
- Rebuild host if RCE confirmed.
Final Takeaway
This vulnerability should be treated as critical due to the possibility of remote code execution from a low-privileged authenticated context.
Patching remains the only complete remediation.
Official Patch Link:
https://about.gitlab.com/releases/2026/02/06/patch-release-gitlab-ai-gateway-18-8-1-released/
