Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to execute arbitrary GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: CSRF-enabled arbitrary GraphQL mutation execution
Action: Patch Immediately
AI Analysis

Impact

GitLab’s GraphQL API implements insufficient Cross‑Site Request Forgery protection, classified as CWE-352, allowing an unauthenticated attacker to trigger any GraphQL mutation on behalf of an authenticated user. Through the victim’s session the attacker can read, modify, or delete data that the victim is authorized to access, compromising both data confidentiality and integrity.

Affected Systems

The issue affects all GitLab Community Edition and Enterprise Edition releases from 17.10 up to, but excluding, versions 18.8.7, 18.9.3, and 18.10.1. This includes the 17.10‑18.8.6 series, the 18.9‑18.9.2 series, and the 18.10‑18.10.0 series. Only releases 18.8.7, 18.9.3, or 18.10.1 and later in the respective branches remove the weakness.

Risk and Exploitability

The CVSS v3.1 score of 8.1 indicates high severity, but the EPSS score is below 1%, suggesting a low likelihood of current exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a malicious URL or embedded script that coerces the victim’s browser into sending an authenticated GraphQL request that lacks a valid CSRF token, thereby executing the attacker’s chosen mutation.

Generated by OpenCVE AI on March 30, 2026 at 18:32 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.8.7, 18.9.3, 18.10.1 or above.
OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.8.7, 18.9.3, or 18.10.1 or later to apply the vendor‑provided patch.
  • Verify the installed GitLab version to confirm that the patch has been applied.
  • If an immediate upgrade is not possible, block unauthenticated access to the GraphQL endpoint using network or application‑level controls, ensuring only properly authenticated requests are accepted.
  • After remediation, audit logs for suspicious GraphQL activity to detect any prior exploitation attempts.
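The second action above asks you to verify the installed version against three separate fixed releases, which is easy to get wrong by hand when the deployed build is, say, 18.9.2 rather than something in the 18.8 series. The following helper is an added example written for this page (it is not OpenCVE's or GitLab's code); it encodes only the ranges stated in the advisory text, 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1, and reports whether a given version string is affected and which release closes the gap. The version string is assumed to be what an operator reads from the instance (for example the `version` field returned by GitLab's `GET /api/v4/version` endpoint, or the output of `gitlab-rake gitlab:env:info`), possibly carrying an `-ee` suffix.

```python
"""Check a GitLab version against the CVE-2026-3857 affected ranges.

Added defender-side helper for this page, not code from OpenCVE or GitLab.
Ranges come from the advisory text: 17.10 <= v < 18.8.7,
18.9 <= v < 18.9.3 and 18.10 <= v < 18.10.1.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected release, first fixed release) for each branch named in the advisory
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((17, 10, 0), (18, 8, 7)),
    ((18, 9, 0), (18, 9, 3)),
    ((18, 10, 0), (18, 10, 1)),
]


def parse_version(text: str) -> Version:
    """Parse '18.8.6', 'v18.8.6', '18.8.6-ee' or '18.9' into a 3-tuple.

    Missing minor/patch components are treated as 0, so '18.9' means 18.9.0.
    Anything that is not 1-3 dot-separated integers is rejected rather than guessed.
    """
    core = text.strip().lstrip("vV").split("-")[0].split("+")[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def affected_range(text: str) -> Optional[Tuple[Version, Version]]:
    """Return the (start, fixed) range the version falls into, or None if unaffected."""
    v = parse_version(text)
    for start, fixed in AFFECTED_RANGES:
        # Tuple comparison is lexicographic, so (18, 8, 6) < (18, 8, 7) < (18, 9, 0).
        if start <= v < fixed:
            return (start, fixed)
    return None


def is_affected(text: str) -> bool:
    """True when the version lies inside any of the advisory's vulnerable ranges."""
    return affected_range(text) is not None


def recommended_fix(text: str) -> Optional[str]:
    """Smallest patched release on the same branch, or None if already fixed/unaffected."""
    rng = affected_range(text)
    if rng is None:
        return None
    return ".".join(str(n) for n in rng[1])


if __name__ == "__main__":
    # Constructed sample inputs, one per branch plus two boundary cases.
    for sample in ["18.8.6-ee", "18.9.2", "18.10.0", "18.8.7", "18.11.0", "17.9.9"]:
        status = "AFFECTED, upgrade to " + recommended_fix(sample) if is_affected(sample) else "not affected"
        print(f"{sample:12} {status}")
```

Running the module prints one line per sample; the boundary cases matter most: 18.8.7 is the first fixed release on its branch and is reported as not affected, while 18.11.0 lies above every stated range and is likewise clean. Rejecting malformed strings instead of coercing them avoids silently passing an instance whose version could not actually be read.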


Advisories

No advisories yet.

History

Mon, 30 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:18.10.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:18.10.0:*:*:*:enterprise:*:*:*

Thu, 26 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to execute arbitrary GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection.
Title Cross-Site Request Forgery (CSRF) in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-352
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-03-26T13:20:03.781Z

Reserved: 2026-03-09T21:03:55.281Z

Link: CVE-2026-3857

Vulnrichment

Updated: 2026-03-26T13:20:00.477Z

NVD

Status : Analyzed

Published: 2026-03-25T17:17:09.387

Modified: 2026-03-30T15:19:33.930

Link: CVE-2026-3857

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:58:00Z

Weaknesses