Skip to main content

GitLab CE/EE CVE-2026-12635

| EUVDEUVD-2026-39168 LOW
Reliance on Reverse DNS Resolution for a Security-Critical Action (CWE-350)
2026-06-25 cve@gitlab.com GHSA-px7v-hx94-8wmf
3.1
CVSS 3.1 · NVD

Severity by source

Vendor (gitlab) PRIMARY
NONE
qualitative
NVD
3.1 LOW
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
3.5 LOW

Network vector and no UI required match mirror sync; AC:H for DNS rebinding prerequisite; PR:L for maintainer role; S:C and C:L because internal resource responses cross a security boundary.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (gitlab).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
CVSS changed
Jun 26, 2026 - 18:37 NVD
3.1 (LOW)
Patch available
Jun 25, 2026 - 07:01 EUVD
Analysis Generated
Jun 25, 2026 - 05:33 vuln.today

DescriptionNVD

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with maintainer-role permissions to make requests to internal network resources through mirror synchronization due to improper URL validation.

AnalysisAI

Server-side request forgery (SSRF) in GitLab CE/EE allows an authenticated user with maintainer-role permissions to probe and interact with internal network resources by configuring malicious mirror synchronization URLs that bypass GitLab's URL validation controls. The flaw spans an exceptionally wide version range - from 8.3 all the way through the 19.x train - making the population of unpatched instances large. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain maintainer role on target project
Delivery
Register attacker-controlled domain as mirror URL
Exploit
Pass GitLab URL validation with public DNS record
Install
Swap DNS record to internal IP via rebinding
C2
Trigger mirror synchronization
Execute
GitLab server requests internal resource
Impact
Exfiltrate response data

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) an attacker holding maintainer-role permissions on at least one project on the target GitLab instance - this is a non-trivial but common privilege in open-source or contractor-accessible repositories; (2) the repository mirroring feature must be enabled, which is the default in GitLab CE/EE; (3) the attacker must control DNS resolution for a domain used as the mirror URL and must be able to manipulate the TTL/record between GitLab's URL validation call and the actual sync request (DNS rebinding window); (4) the GitLab server must have network-level access to the targeted internal resources - cloud VMs without metadata service access or hard-egress-filtered deployments reduce blast radius. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:N contains a zero-impact triple (C:N/I:N/A:N) that is inconsistent with an SSRF that enables access to internal network resources - this vector is either a placeholder or was published before impact scoring was finalized and should not be used for prioritization. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An external contributor with maintainer access to a shared GitLab project registers an attacker-controlled domain whose A record initially resolves to a public IP that passes GitLab's URL allowlist validation. Immediately after validation, the attacker updates the DNS record to point to an internal address such as 169.254.169.254 (cloud metadata service) or an internal Kubernetes API endpoint; when GitLab's mirror sync fires, it requests the internal address, returning sensitive data (cloud credentials, internal service tokens) to the attacker via error messages or accessible mirror metadata. …
Remediation Upgrade to GitLab 18.11.6, 19.0.3, or 19.1.1 as appropriate for your current release train; these are the vendor-confirmed fixed versions per the patch release advisory at https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-1-released/. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Gitlab

View all
CVE-2023-7028 CRITICAL POC
10.0 Jan 12

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.

CVE-2013-4490 MEDIUM POC
6.5 May 13

The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x

CVE-2021-22205 CRITICAL POC
10.0 Apr 23

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10

CVE-2022-2992 CRITICAL POC
9.9 Oct 17

A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-1162 CRITICAL POC
9.8 Apr 04

A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8)

CVE-2022-0735 CRITICAL POC
9.8 Mar 28

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star

CVE-2021-22175 CRITICAL POC
9.8 Jun 11

When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab af

CVE-2021-22203 CRITICAL POC
9.8 Apr 02

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions sta

CVE-2019-15741 CRITICAL POC
9.8 Sep 16

An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2019-6960 CRITICAL POC
9.8 Sep 09

An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6

Share

CVE-2026-12635 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy