Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Network vector and no UI required match mirror sync; AC:H for DNS rebinding prerequisite; PR:L for maintainer role; S:C and C:L because internal resource responses cross a security boundary.
Primary rating from Vendor (gitlab).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionNVD
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with maintainer-role permissions to make requests to internal network resources through mirror synchronization due to improper URL validation.
AnalysisAI
Server-side request forgery (SSRF) in GitLab CE/EE allows an authenticated user with maintainer-role permissions to probe and interact with internal network resources by configuring malicious mirror synchronization URLs that bypass GitLab's URL validation controls. The flaw spans an exceptionally wide version range - from 8.3 all the way through the 19.x train - making the population of unpatched instances large. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) an attacker holding maintainer-role permissions on at least one project on the target GitLab instance - this is a non-trivial but common privilege in open-source or contractor-accessible repositories; (2) the repository mirroring feature must be enabled, which is the default in GitLab CE/EE; (3) the attacker must control DNS resolution for a domain used as the mirror URL and must be able to manipulate the TTL/record between GitLab's URL validation call and the actual sync request (DNS rebinding window); (4) the GitLab server must have network-level access to the targeted internal resources - cloud VMs without metadata service access or hard-egress-filtered deployments reduce blast radius. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:N contains a zero-impact triple (C:N/I:N/A:N) that is inconsistent with an SSRF that enables access to internal network resources - this vector is either a placeholder or was published before impact scoring was finalized and should not be used for prioritization. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An external contributor with maintainer access to a shared GitLab project registers an attacker-controlled domain whose A record initially resolves to a public IP that passes GitLab's URL allowlist validation. Immediately after validation, the attacker updates the DNS record to point to an internal address such as 169.254.169.254 (cloud metadata service) or an internal Kubernetes API endpoint; when GitLab's mirror sync fires, it requests the internal address, returning sensitive data (cloud credentials, internal service tokens) to the attacker via error messages or accessible mirror metadata. … |
| Remediation | Upgrade to GitLab 18.11.6, 19.0.3, or 19.1.1 as appropriate for your current release train; these are the vendor-confirmed fixed versions per the patch release advisory at https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-1-released/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.
The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab af
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions sta
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39168
GHSA-px7v-hx94-8wmf