
Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2. Unauthorized external users (no privileges required) could perform server-side requests via the CI Lint API, i.e. a server-side request forgery (SSRF).

PUBLISHED Reserved 2021-08-23 | Published 2021-12-13 | Updated 2026-02-03 | Assigner GitLab

MEDIUM: 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

CISA Known Exploited Vulnerability

Date added 2026-02-03 | Due date 2026-02-24

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Problem types

Server-side request forgery (SSRF) in GitLab

Product status

GitLab CE/EE >=10.5, <14.3.6: affected

GitLab CE/EE >=14.4, <14.4.4: affected

GitLab CE/EE >=14.5, <14.5.2: affected
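The three ranges above are the whole of the affected-version statement, and the exclusive upper bound of each range is the first fixed release on that branch (14.3.6, 14.4.4, 14.5.2). The following checker is an added example, not GitLab's own tooling: it parses a GitLab version string and reports which fixed release an instance must reach. It assumes version strings of the form returned in the `version` field of `GET /api/v4/version`, e.g. `14.4.3-ee`; the sample versions in the `__main__` block are constructed for illustration.

```python
"""Affected-version check for CVE-2021-39935 (added example, not vendor code).

Ranges are copied from the advisory's product-status section as
(inclusive lower bound, exclusive upper bound); the upper bound of each
range is the first fixed release on that branch.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_RANGES = [
    ((10, 5, 0), (14, 3, 6)),   # >=10.5, <14.3.6
    ((14, 4, 0), (14, 4, 4)),   # >=14.4, <14.4.4
    ((14, 5, 0), (14, 5, 2)),   # >=14.5, <14.5.2
]


def parse_version(text: str) -> Version:
    """Parse 'X.Y' or 'X.Y.Z', tolerating a leading 'v' and a trailing
    edition/pre-release suffix such as '-ee', '-ce' or '-rc1'.

    Assumption: this matches the 'version' field of GET /api/v4/version
    (e.g. '14.4.3-ee'); anything else is rejected rather than guessed.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:-[0-9A-Za-z.]+)?\s*$", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def affected_by_cve_2021_39935(text: str) -> Optional[str]:
    """Return the first fixed release on the instance's branch if the version
    falls inside an affected range, or None if it is not affected."""
    v = parse_version(text)
    for low, high in AFFECTED_RANGES:
        if low <= v < high:
            return ".".join(str(n) for n in high)
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not observed instances.
    for sample in ["14.4.3-ee", "13.12.0", "14.3.6", "14.5.2-ce", "10.4.9"]:
        fix = affected_by_cve_2021_39935(sample)
        status = f"affected, upgrade to {fix}" if fix else "not affected"
        print(f"{sample:12} {status}")
```

Tuple comparison gives the lexicographic ordering a version check needs, so 14.3.10 correctly sorts after 14.3.6 and is reported as fixed, which a naive string comparison would get wrong. Pre-release suffixes are deliberately ignored rather than ordered; an instance reporting `14.4.0-rc1` is treated as 14.4.0 and therefore affected.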

Credits

Thanks @minhli for reporting this vulnerability through our HackerOne bug bounty program

References

gitlab.com/gitlab-org/gitlab/-/issues/346187

hackerone.com/reports/1236965

gitlab.com/...rg/cves/-/blob/master/2021/CVE-2021-39935.json

www.cisa.gov/...erabilities-catalog?field_cve=CVE-2021-39935 (government resource)

cve.org (CVE-2021-39935)

nvd.nist.gov (CVE-2021-39935)
