What is the CVSS score of CVE-2026-4922?

CVE-2026-4922 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Is there a public PoC exploit available for CVE-2026-4922?

Yes, a public proof-of-concept exploit is available for CVE-2026-4922. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-4922?

Within 24 hours: Identify all GitLab CE/EE instances and document current versions in use. Within 7 days: Apply vendor patches-upgrade to GitLab 18.9.6, 18.10.4, or 18.11.1 depending on your current version line; test patched versions in a staging environment before production deployment. Within 30 days: Conduct user awareness training on phishing and social engineering; review GitLab access logs for suspicious GraphQL mutation activity; implement additional CSRF protections at the reverse proxy or WAF level if available.

GitLab CE/EE CVE-2026-4922

Q: Which versions of GitLab CE/EE are affected by CVE-2026-4922?

GitLab CE/EE versions 17.0-18.11.0 contain a CSRF vulnerability (CVSS 8.1) enabling attackers to execute GraphQL mutations as authenticated users through malicious web pages, requiring user…. A patch is available.

EUVD-2026-25040 HIGH

Cross-Site Request Forgery (CSRF) (CWE-352)

2026-04-22 GitLab

CSRF Gitlab

8.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Re-analysis Queued

Apr 23, 2026 - 20:54 vuln.today

cvss_changed

PoC Detected

Apr 23, 2026 - 20:40 vuln.today

Public exploit code

Patch released

Apr 23, 2026 - 20:40 nvd

Patch available

Analysis Generated

Apr 23, 2026 - 06:50 vuln.today

Patch available

Apr 22, 2026 - 17:33 EUVD

EUVD ID Assigned

Apr 22, 2026 - 17:01 euvd

EUVD-2026-25040

Analysis Generated

Apr 22, 2026 - 17:01 vuln.today

CVE Published

Apr 22, 2026 - 16:29 nvd

HIGH 8.1

DescriptionNVD

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection.

AnalysisAI

Cross-Site Request Forgery (CSRF) in GitLab CE/EE allows remote unauthenticated attackers to execute GraphQL mutations as authenticated victims through crafted web pages. Affects all versions from 17.0 through 18.11.0, with publicly available exploit code (HackerOne report 3627285). …

RemediationAI

Within 24 hours: Identify all GitLab CE/EE instances and document current versions in use. Within 7 days: Apply vendor patches-upgrade to GitLab 18.9.6, 18.10.4, or 18.11.1 depending on your current version line; test patched versions in a staging environment before production deployment. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-3515 HIGH This Week

8.5 May 24

Command injection in Prefect 3.6.18's GitHub integration allows authenticated users to execute arbitrary git commands th

CVE-2026-9807 MEDIUM This Month POC

4.3 May 28

Incorrect authorization enforcement in GitLab CE/EE permits a blocked Project Access Token to continue reading private p

CVE-2026-4868 HIGH This Week

8.2 May 27

Identity confusion in GitLab EE's Duo AI workflow runners lets an authenticated, low-privileged user cause specific Duo

CVE-2026-1402 MEDIUM This Month

6.5 May 27

Denial of service in GitLab CE/EE affects all versions from 17.1 through those prior to 18.10.7, 18.11.4, and 19.0.1, al

CVE-2026-6713 MEDIUM This Month

5.3 May 27

Unauthorized private project enumeration in GitLab CE/EE exposes confidential project metadata to unauthenticated networ

CVE-2026-4922 vulnerability details – vuln.today

Back