GitLab: CISA Warns of Actively Exploited GitLab SSRF Vulnerability in Community and Enterprise Editions

CISA Warns of Actively Exploited SSRF Vulnerability in GitLab

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding an actively exploited Server-Side Request Forgery (SSRF) vulnerability in GitLab Community and Enterprise Editions, tracked as CVE-2021-39935. The flaw, added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on February 3, 2026, allows unauthenticated attackers to make a GitLab server issue requests of the attacker's choosing through the CI Lint API (the endpoint that validates a `.gitlab-ci.yml` document), potentially exposing internal systems or enabling further exploitation.

The vulnerability stems from improper validation of URLs that the server fetches while checking a CI/CD configuration. Because the request originates from the GitLab host itself, an attacker can use it to scan internal networks, read responses from services that trust the GitLab server's network position, and harvest credentials or exploit connected services. GitLab patched the issue in 2021, but recent reports indicate renewed exploitation of unpatched instances, particularly those exposed to the internet.
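The weak-versus-hardened URL check below is an added example, not GitLab's own code or the actual patch for CVE-2021-39935. It assumes the SSRF path is a remote `include:` in the CI YAML submitted to the lint endpoint, uses a constructed DNS table (hostnames and addresses are invented) so it runs offline, and shows why a string comparison on the hostname is not a defence: the hardened version resolves the name, unwraps IPv4-mapped IPv6 literals, rejects loopback, private, link-local and metadata ranges, and hands back the vetted addresses so the fetch can connect to them without resolving a second time.

```ruby
require 'ipaddr'
require 'uri'
require 'yaml'

# Constructed DNS table so the example runs offline; the hostnames and
# addresses are assumptions for illustration, not real infrastructure.
FAKE_DNS = {
  'gitlab.example.com'   => ['203.0.113.10'],
  'internal-ci.corp'     => ['10.0.0.5'],
  'rebind.attacker.test' => ['198.51.100.7', '127.0.0.1'], # public + loopback
  'metadata.local'       => ['169.254.169.254']
}.freeze

def fake_resolve(host)
  FAKE_DNS.fetch(host) { raise "NXDOMAIN #{host}" }
end

# The weak pattern: a string check on scheme and hostname that never asks
# where the name actually resolves. Anything not literally "localhost" passes.
def naive_remote_include_ok?(url)
  uri = URI.parse(url)
  uri.scheme == 'https' && !%w[localhost 127.0.0.1].include?(uri.hostname)
end

# Ranges a CI server must never fetch from on behalf of a user.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Hardened check: resolve every address the host maps to, unwrap IPv4-mapped
# IPv6, and reject the URL if any address is loopback, private, link-local or
# the cloud metadata range. Returns [ok, detail]; on success detail is the
# vetted address list so the caller connects to it directly instead of
# resolving again (closes the DNS-rebinding window between check and fetch).
def hardened_remote_include_ok?(url, resolver: method(:fake_resolve))
  begin
    uri = URI.parse(url)
  rescue URI::InvalidURIError
    return [false, 'unparseable URL']
  end
  return [false, 'scheme must be https'] unless uri.scheme == 'https'
  host = uri.hostname
  return [false, 'missing host'] if host.nil? || host.empty?

  addrs = begin
    literal = IPAddr.new(host) rescue nil
    literal ? [literal] : resolver.call(host).map { |a| IPAddr.new(a) }
  rescue StandardError => e
    return [false, "resolution failed: #{e.message}"]
  end
  addrs = addrs.map { |a| a.ipv4_mapped? ? a.native : a }
  bad = addrs.find { |a| BLOCKED_RANGES.any? { |r| r.include?(a) } }
  return [false, "#{host} resolves to blocked address #{bad}"] if bad
  [true, addrs.map(&:to_s)]
end

# Pull every remote include out of a .gitlab-ci.yml document. `include` may be
# a single entry or a list; entries may be bare URL strings or {remote: url}.
def remote_includes(ci_yaml)
  doc = YAML.safe_load(ci_yaml) || {}
  entries = doc['include']
  entries = [entries] unless entries.is_a?(Array)
  entries.filter_map do |e|
    case e
    when String then e if e.start_with?('https://', 'http://')
    when Hash   then e['remote']
    end
  end
end

# Lint-time gate: map each remote include to its verdict.
def check_ci_config(ci_yaml)
  remote_includes(ci_yaml).to_h { |u| [u, hardened_remote_include_ok?(u)] }
end

# Constructed CI config mixing one legitimate include with SSRF attempts.
SAMPLE_CI_YAML = <<~YAML
  include:
    - remote: https://gitlab.example.com/ci/common.yml
    - remote: https://metadata.local/latest/meta-data/
    - remote: https://rebind.attacker.test/ci.yml
    - "https://[::ffff:a00:5]/templates.yml"
YAML

if __FILE__ == $PROGRAM_NAME
  check_ci_config(SAMPLE_CI_YAML).each do |url, (ok, detail)|
    puts "#{ok ? 'ALLOW' : 'BLOCK'} #{url} (#{detail})"
  end
end
```

The rebinding entry is the interesting case: a name that resolves to a public address on one lookup and to loopback on the next passes any check that re-resolves before fetching, which is why the hardened function returns the addresses it vetted. Run stand-alone it prints one ALLOW and three BLOCK lines for the constructed config.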

CISA has set a February 24, 2026 deadline for federal agencies to mitigate the flaw under Binding Operational Directive (BOD) 22-01. The agency highlights the risk of supply-chain attacks: an SSRF in a CI/CD server can reach cloud instance metadata services (for example the link-local address 169.254.169.254) and return the temporary credentials or configuration the instance holds, which in turn open the pipelines and artifacts that server builds. Though no specific threat actor has been attributed, SSRF vulnerabilities have historically been used for crypto-mining, lateral movement, and initial access in broader compromises.

GitLab has released security updates for affected versions; the fixed releases are listed in GitLab's advisory for CVE-2021-39935, and an instance older than those releases should be treated as exposed (the running version can be confirmed with `gitlab-rake gitlab:env:info` on the host or the authenticated `GET /api/v4/version` endpoint). Organizations are advised to upgrade immediately, restrict exposure of the API to the internet, monitor request logs for suspicious activity against the lint endpoint, and implement network segmentation so that the GitLab host cannot reach internal services or metadata endpoints it has no business calling. On AWS, enforcing IMDSv2 on the instance closes the metadata path for a GET-only SSRF, since IMDSv2 requires a PUT-obtained session token first. Given GitLab's widespread use in DevOps workflows, unpatched instances remain a prime target for attackers.
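The log triage below is an added example, not a GitLab tool or a CISA-provided detection. It assumes an API request log in JSON-lines form with `time`, `method`, `path`, `remote_ip`, `user_id` and a `params` array (the shape is an assumption; the six sample lines are constructed) and raises three findings for the "monitor logs" recommendation: lint requests from unauthenticated callers, remote includes pointing at hosts outside an assumed allowlist, and bursts of lint calls from one source address, which is what an internal network scan through the endpoint looks like.

```ruby
require 'json'
require 'time'

# Regexes and allowlist are assumptions for this example, not GitLab settings.
LINT_PATH_RE = %r{\A/api/v4/(?:projects/\d+/)?ci/lint\z}
ALLOWED_INCLUDE_HOSTS = %w[gitlab.example.com].freeze
# Captures a bracketed IPv6 literal or a hostname/IPv4 up to port or path.
URL_HOST_RE = %r{https?://(\[[^\]]+\]|[^/:\s"']+)}

def lint_request?(ev)
  ev['method'] == 'POST' && LINT_PATH_RE.match?(ev['path'].to_s)
end

# The `content` param carries the YAML being linted (assumed log shape).
def lint_content(ev)
  p = Array(ev['params']).find { |x| x.is_a?(Hash) && x['key'] == 'content' }
  p ? p['value'].to_s : ''
end

# Every URL host in the submitted YAML that is not on the allowlist.
def offlist_include_hosts(yaml_text)
  yaml_text.scan(URL_HOST_RE).flatten.uniq
           .reject { |h| ALLOWED_INCLUDE_HOSTS.include?(h) }
end

# Walk the log once; returns an array of finding hashes.
def analyze_api_log(log_text, burst_threshold: 4, window_s: 60)
  findings = []
  by_ip = Hash.new { |h, k| h[k] = [] }
  log_text.each_line do |line|
    line = line.strip
    next if line.empty?
    ev = JSON.parse(line)
    next unless lint_request?(ev)
    ip = ev['remote_ip']
    by_ip[ip] << Time.iso8601(ev['time'])
    if ev['user_id'].nil?
      findings << { rule: 'unauthenticated_ci_lint', remote_ip: ip, time: ev['time'] }
    end
    offlist_include_hosts(lint_content(ev)).each do |h|
      findings << { rule: 'remote_include_offlist_host', remote_ip: ip,
                    time: ev['time'], host: h }
    end
  end
  # Burst rule: burst_threshold lint calls from one IP inside window_s seconds.
  by_ip.each do |ip, times|
    times.sort!
    times.each_with_index do |t0, i|
      j = i + burst_threshold - 1
      break if j >= times.size
      next unless times[j] - t0 <= window_s
      findings << { rule: 'ci_lint_burst', remote_ip: ip,
                    count: times.size, window_s: window_s }
      break
    end
  end
  findings
end

# Constructed sample: one benign lint, four unauthenticated probes from one
# address aimed at the metadata service and private ranges, one unrelated call.
SAMPLE_API_LOG = <<~'LOG'
  {"time":"2026-02-04T10:00:01Z","method":"POST","path":"/api/v4/ci/lint","status":200,"remote_ip":"203.0.113.5","user_id":42,"username":"dev1","params":[{"key":"content","value":"include:\n  - remote: https://gitlab.example.com/ci/common.yml\n"}]}
  {"time":"2026-02-04T10:00:05Z","method":"POST","path":"/api/v4/ci/lint","status":200,"remote_ip":"198.51.100.9","user_id":null,"params":[{"key":"content","value":"include:\n  - remote: https://169.254.169.254/latest/meta-data/\n"}]}
  {"time":"2026-02-04T10:00:06Z","method":"POST","path":"/api/v4/ci/lint","status":200,"remote_ip":"198.51.100.9","user_id":null,"params":[{"key":"content","value":"include:\n  - remote: http://10.0.0.1/ci.yml\n"}]}
  {"time":"2026-02-04T10:00:07Z","method":"POST","path":"/api/v4/ci/lint","status":200,"remote_ip":"198.51.100.9","user_id":null,"params":[{"key":"content","value":"include:\n  - remote: http://10.0.0.2/ci.yml\n"}]}
  {"time":"2026-02-04T10:00:08Z","method":"POST","path":"/api/v4/projects/7/ci/lint","status":200,"remote_ip":"198.51.100.9","user_id":null,"params":[{"key":"content","value":"include:\n  - remote: http://[fd00::1]/ci.yml\n"}]}
  {"time":"2026-02-04T10:05:00Z","method":"GET","path":"/api/v4/projects","status":200,"remote_ip":"203.0.113.6","user_id":43,"username":"dev2","params":[]}
LOG

if __FILE__ == $PROGRAM_NAME
  analyze_api_log(SAMPLE_API_LOG).each { |f| puts f.to_json }
end
```

The allowlist rule deliberately flags hosts rather than IP ranges: a lint request whose include points anywhere other than the organisation's own CI template host is worth a look even when the target is public, because an attacker probing for the bug will typically start with a callback URL they control. Tune `burst_threshold` and `window_s` to the instance's normal lint traffic before alerting on the burst rule.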

Source: https://cyberpress.org/cisa-warns-of-actively-exploited-gitlab-ssrf-vulnerability-in-community-and-enterprise-editions/

GitLab TPRM report: https://www.rankiteo.com/company/gitlab-com

{
"id": "git1770208485",
"linkid": "gitlab-com",
"type": "Vulnerability",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Organizations using unpatched '
                                              'GitLab instances',
                        'industry': 'DevOps/Software Development',
                        'name': 'GitLab',
                        'type': 'Software Provider'}],
 'attack_vector': 'CI Lint API',
 'customer_advisories': 'Organizations advised to upgrade and mitigate risks',
 'data_breach': {'sensitivity_of_data': 'high',
                 'type_of_data_compromised': ['credentials',
                                              'sensitive tokens',
                                              'configurations']},
 'date_publicly_disclosed': '2021',
 'description': 'The U.S. Cybersecurity and Infrastructure Security Agency '
                '(CISA) has issued an alert regarding an actively exploited '
                'Server-Side Request Forgery (SSRF) vulnerability in GitLab '
                'Community and Enterprise Editions, tracked as CVE-2021-39935. '
                'The flaw allows unauthenticated attackers to force GitLab '
                'servers to make unauthorized requests via the CI Lint API, '
                'potentially exposing internal systems or enabling further '
                'exploitation. The vulnerability stems from improper URL '
                'validation during CI/CD configuration checks, enabling '
                'attackers to scan internal networks, leak credentials, or '
                'exploit connected services.',
 'impact': {'data_compromised': 'credentials, sensitive tokens, configurations',
            'operational_impact': 'supply-chain attacks, exposure of cloud '
                                  'metadata services',
            'systems_affected': 'GitLab Community and Enterprise Editions'},
 'investigation_status': 'Ongoing',
 'motivation': ['crypto-mining', 'lateral movement', 'initial access'],
 'post_incident_analysis': {'root_causes': 'Improper URL validation during '
                                           'CI/CD configuration checks'},
 'recommendations': ['Upgrade immediately to patched versions',
                     'Restrict API exposure',
                     'Monitor logs for suspicious activity',
                     'Implement network segmentation'],
 'references': [{'date_accessed': '2026-02-03', 'source': 'CISA Alert'}],
 'regulatory_compliance': {'regulatory_notifications': ['CISA Binding '
                                                        'Operational Directive '
                                                        '(BOD) 22-01']},
 'response': {'containment_measures': ['restrict API exposure',
                                       'monitor logs for suspicious activity'],
              'enhanced_monitoring': 'recommended',
              'network_segmentation': 'recommended',
              'remediation_measures': ['upgrade to patched versions',
                                       'implement network segmentation']},
 'title': 'Actively Exploited SSRF Vulnerability in GitLab (CVE-2021-39935)',
 'type': 'Server-Side Request Forgery (SSRF)',
 'vulnerability_exploited': 'CVE-2021-39935'}