Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to execute arbitrary GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection.
AnalysisAI
A Cross-Site Request Forgery (CSRF) vulnerability in GitLab Community Edition and Enterprise Edition allows unauthenticated attackers to execute arbitrary GraphQL mutations on behalf of authenticated users without their consent. All versions from 17.10 before 18.8.7, versions 18.9 before 18.9.3, and versions 18.10 before 18.10.1 are affected. A public proof-of-concept exploit is available via HackerOne report 3584382, significantly increasing the risk of active exploitation.
Technical ContextAI
This vulnerability affects GitLab's GraphQL API implementation (cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*), which is used for programmatic interactions with GitLab repositories, CI/CD pipelines, and project management features. The root cause is classified as CWE-352 (Cross-Site Request Forgery), indicating insufficient validation of anti-CSRF tokens or missing SameSite cookie attributes on GraphQL mutation endpoints. GraphQL mutations in GitLab can perform state-changing operations such as modifying repository settings, creating merge requests, changing permissions, or triggering CI/CD pipelines. The lack of proper CSRF protection means that malicious websites can craft requests that authenticated users' browsers will automatically include valid session cookies with, allowing actions to be performed without the user's knowledge or consent.
RemediationAI
Immediately upgrade GitLab to one of the patched versions: 18.8.7 or later for the 18.8.x series, 18.9.3 or later for the 18.9.x series, or 18.10.1 or later for the 18.10.x series, as documented in the official security advisory at https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/. Until patching is completed, implement compensating controls such as educating users to avoid clicking untrusted links while authenticated to GitLab, deploying Content Security Policy headers to restrict cross-origin requests, and monitoring GraphQL mutation logs for suspicious patterns or unexpected sources. Consider implementing additional authentication requirements for sensitive GraphQL operations if your GitLab deployment supports custom authentication hooks. Review recent GraphQL mutation activity for signs of unauthorized actions that may have occurred prior to patching.
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.
The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab af
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions sta
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| sid | fixed | 17.6.5-19 | - |
| (unstable) | not-affected | - | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15935