Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection.
Published: 2026-04-22
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized GraphQL mutation execution
Action: Immediate Patch
AI Analysis

Impact

GitLab contained a CSRF flaw that allowed an unauthenticated user to trigger GraphQL mutations on behalf of any logged‑in user. Because the mutation endpoint accepted requests without a CSRF token, an attacker could cause the victim to change settings, delete data, or otherwise perform privileged actions. The weakness is a classic CSRF vulnerability (CWE‑352).

Affected Systems

The flaw affects GitLab CE/EE from version 17.0 through the release immediately before 18.9.6, from 18.10.0 to just before 18.10.4, and from 18.11.0 to just before 18.11.1. All other supported releases are unaffected.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity. EPSS is not available, so the likelihood of exploitation is unknown, but the flaw is listed outside the KEV catalog. Based on the description, it is inferred that the attacker would deliver a crafted GraphQL mutation request from a malicious site to an authenticated victim's browser. The likely attack vector thus involves a victim already logged in visiting a site that submits a mutation request without a CSRF token, causing the action to execute with the victim's privileges. Given the high impact and lack of mitigation in those versions, the risk to exposed installations is significant.

Generated by OpenCVE AI on April 27, 2026 at 08:34 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.9.6, 18.10.4, 18.11.1 or above.

OpenCVE Recommended Actions

  • Upgrade all GitLab installations to at least the patched releases: 18.9.6, 18.10.4, 18.11.1, or newer.
  • Restart or reload the GitLab services to apply the new codebase.
  • Verify that no custom plugins or integrations expose the GraphQL endpoint without CSRF protection and consider disabling or updating any such extensions.

Generated by OpenCVE AI on April 27, 2026 at 08:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:18.11.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:18.11.0:*:*:*:enterprise:*:*:*

Wed, 22 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection.
Title Cross-Site Request Forgery (CSRF) in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-352
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

Subscriptions

Gitlab Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-24T03:55:17.281Z

Reserved: 2026-03-26T18:03:48.371Z

Link: CVE-2026-4922

cve-icon Vulnrichment

Updated: 2026-04-22T17:46:45.694Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T17:16:44.277

Modified: 2026-04-23T20:40:03.980

Link: CVE-2026-4922

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T18:42:00Z

Weaknesses