Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to make unintended internal requests through proxy environments under certain conditions due to improper input validation in import functionality.
Published: 2026-03-11
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Internal Request Forgery via CRLF Injection
Action: Apply Patch
AI Analysis

Impact

This vulnerability is classified under CWE-93 (Improper Neutralization of CRLF Sequences): GitLab's import functionality does not strip or reject CR/LF characters in user-supplied input before that input is used to build an outbound HTTP request. When the request is routed through a configured proxy environment, an authenticated user can, under certain conditions, use injected line breaks to make the application issue internal requests it never intended to send, reaching services or endpoints the user is not authorized to access. The CVSS vector recorded for the CVE (S:C, C:L, I:N, A:N) reflects a scope change into those internal services with limited confidentiality impact and no integrity or availability impact.
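To make the CWE-93 failure mode concrete, the following is an added illustrative example in Ruby (GitLab's language). It is not GitLab's code and does not reproduce the actual vulnerable code path, which the advisory does not publish. It models a client that sends an absolute-form request line to a forward proxy: first built by interpolating a user-supplied import URL (the vulnerable shape), then with control characters rejected and the URL rebuilt from parsed components (the hardened shape). The URLs, hostnames and helper names are constructed for the example.

```ruby
require "uri"

# Constructed sample inputs (not from the advisory): a benign import URL and one
# that embeds CR LF to smuggle a header line and a second, attacker-chosen
# request line. The trailing "X-Trailer:" absorbs whatever the naive builder
# appends after the user string.
BENIGN_IMPORT_URL = "http://git.example.com/group/project.git"
CRAFTED_IMPORT_URL = "http://git.example.com/project.git HTTP/1.1\r\n" \
                     "Host: git.example.com\r\n" \
                     "\r\n" \
                     "GET http://internal-service.local/admin HTTP/1.1\r\n" \
                     "Host: internal-service.local\r\n" \
                     "X-Trailer:"

# Vulnerable shape (CWE-93): the raw user string is interpolated into the
# absolute-form request line sent to a forward proxy. The proxy parses the
# bytes after the injected CR LF as further headers and then as a second
# request that the application never meant to send.
def naive_proxy_request(import_url)
  host = import_url[%r{\Ahttps?://([^/\s]+)}, 1]
  "GET #{import_url} HTTP/1.1\r\nHost: #{host}\r\n\r\n"
end

# Hardened shape: reject any ASCII control character before parsing (the
# neutralization step CWE-93 is about), require an http(s) scheme and a host,
# and return the parsed URI so the caller builds the request line from
# validated components only. Modern Ruby's RFC 3986 parser also rejects
# CR/LF, but the explicit check keeps the rule independent of parser behaviour.
def validate_import_url(import_url)
  if import_url.match?(/[\x00-\x1f\x7f]/)
    raise ArgumentError, "control character in import URL"
  end
  uri = URI.parse(import_url)
  raise ArgumentError, "unsupported scheme" unless %w[http https].include?(uri.scheme)
  raise ArgumentError, "missing host" if uri.host.nil? || uri.host.empty?
  uri
rescue URI::InvalidURIError => e
  raise ArgumentError, "malformed import URL: #{e.message}"
end

def hardened_proxy_request(import_url)
  uri = validate_import_url(import_url)
  path = uri.path.empty? ? "/" : uri.path
  query = uri.query ? "?#{uri.query}" : ""
  target = "#{uri.scheme}://#{uri.host}:#{uri.port}#{path}#{query}"
  "GET #{target} HTTP/1.1\r\nHost: #{uri.host}\r\n\r\n"
end

# What the proxy sees: count well-formed request lines in the byte stream.
# Anything above one is a request the application did not intend to issue.
def count_request_lines(raw_request)
  raw_request.split("\r\n").count { |line| line.match?(%r{\A[A-Z]+ \S+ HTTP/1\.[01]\z}) }
end

if __FILE__ == $PROGRAM_NAME
  puts "naive builder, crafted URL:   #{count_request_lines(naive_proxy_request(CRAFTED_IMPORT_URL))} request line(s)"
  puts "hardened builder, benign URL: #{count_request_lines(hardened_proxy_request(BENIGN_IMPORT_URL))} request line(s)"
  begin
    hardened_proxy_request(CRAFTED_IMPORT_URL)
  rescue ArgumentError => e
    puts "hardened builder rejected crafted URL: #{e.message}"
  end
end
```

The point of the hardened version is not the regex on its own but the ordering: reject control characters on the raw string, parse, and then emit only the parsed scheme, host, port, path and query. Interpolating the original string anywhere after validation reintroduces the injection.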

Affected Systems

Affected products are GitLab Community Edition and Enterprise Edition. All releases from 8.11 up to and including 18.7.5, from 18.8.0 up to and including 18.8.5, and from 18.9.0 up to and including 18.9.1 are vulnerable. Upgrade to GitLab 18.7.6, 18.8.6, 18.9.2 or later. The CPE recorded for this CVE is cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*.

Risk and Exploitability

The CVSS v3.1 base score is 5.0 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N: reachable over the network, low attack complexity, low privileges (any authenticated account), no user interaction, changed scope, and limited confidentiality impact. The EPSS score is below 1%, and the SSVC assessment records Exploitation: none, Automatable: no, Technical Impact: partial. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires an authenticated user with access to the import feature and a deployment whose outbound import requests pass through a proxy; no public exploit is documented. Upgrading to a fixed version resolves the issue.

Generated by OpenCVE AI on March 17, 2026 at 16:32 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.7.6, 18.8.6, 18.9.2 or above.


OpenCVE Recommended Actions

  • Upgrade to GitLab 18.7.6, 18.8.6, or 18.9.2 (or later in the respective release line) to resolve the CRLF injection issue.
  • If an immediate upgrade is not possible, restrict or disable the affected import sources (Admin Area > Settings > General > Import and export settings) until the patch is applied.
  • Review the proxy configuration GitLab uses for outbound requests (the http_proxy, https_proxy and no_proxy environment variables) and keep GitLab's outbound request restrictions (Admin Area > Settings > Network > Outbound requests) in place, so that an import URL cannot be turned into a request to local or internal services.

Generated by OpenCVE AI on March 17, 2026 at 16:32 UTC.

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 16:00:00 +0000 (no values removed)

Type: Description
Values Added: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to make unintended internal requests through proxy environments under certain conditions due to improper input validation in import functionality.

Type: Title
Values Added: Improper Neutralization of CRLF Sequences ('CRLF Injection') in GitLab

Type: First Time appeared
Values Added: Gitlab; Gitlab gitlab

Type: Weaknesses
Values Added: CWE-93

Type: CPEs
Values Added: cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Gitlab; Gitlab gitlab

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-03-12T14:23:58.017Z

Reserved: 2026-03-09T19:33:36.812Z

Link: CVE-2026-3848

Vulnrichment

Updated: 2026-03-12T14:23:37.181Z

NVD

Status : Awaiting Analysis

Published: 2026-03-11T16:16:47.310

Modified: 2026-03-12T21:08:22.643

Link: CVE-2026-3848

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:55:29Z

Weaknesses