Description
GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with control of a virtual registry upstream to make requests to internal hosts due to improper validation.
Published: 2026-05-14
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a server-side request forgery (SSRF) in the virtual registry component of GitLab Enterprise Edition. An authenticated user who controls the upstream configuration of a virtual registry can make GitLab issue HTTP requests to hosts that are reachable from the GitLab server but not from the public internet, because the configured upstream address was not properly validated before GitLab connected to it. That lets the attacker probe internal services and read responses from them; the advisory does not state which part of the validation was missing. The weakness is classified as CWE-918.

Affected Systems

The affected vendor is GitLab. GitLab Enterprise Edition is vulnerable in every release from 18.8 up to but excluding 18.9.7 (so all of 18.8.x and 18.9.x before 18.9.7), from 18.10 before 18.10.6, and from 18.11 before 18.11.3. The fixed releases and anything later are not affected.

Risk and Exploitability

The CVSS v3.1 score is 3.5 (Low) with vector AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N: reachable over the network by a low-privileged authenticated user with no user interaction, but with high attack complexity, a changed scope (the internal hosts, not GitLab itself, bear the impact), and a low confidentiality impact only. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an account that can configure virtual registry upstreams, so the realistic attacker is an insider or a compromised user. Without an upgrade, such an attacker can make GitLab send requests to internal services, which may expose information from those services and support further lateral movement within the internal network.

Generated by OpenCVE AI on May 14, 2026 at 07:27 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.9.7, 18.10.6, 18.11.3 or above.


OpenCVE Recommended Actions

  • Upgrade GitLab Enterprise Edition to version 18.9.7, 18.10.6, 18.11.3 or later, which removes the SSRF flaw.
  • Limit virtual registry upstream configurations to trusted hosts and domains, reducing the potential for an attacker to direct requests to internal resources.
  • Monitor egress from GitLab hosts (proxy, firewall and DNS resolver logs, together with GitLab's own logs) for connections to internal addresses or unexpected name lookups that do not match a known upstream, which may indicate abuse of the virtual registry feature.

Generated by OpenCVE AI on May 14, 2026 at 07:27 UTC.
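The validation gap described in the Impact section and the upstream allowlist recommended above, shown as an added example that is not GitLab's code and not part of the OpenCVE page: a weak upstream-URL check next to a hardened one, in Ruby because GitLab itself is a Rails application. The host names, the DNS table and the allowlist are constructed for the example, and the advisory does not say which of these checks GitLab's fix added.

```ruby
require "ipaddr"
require "resolv"
require "uri"

class UpstreamValidationError < StandardError; end

# Address ranges an upstream registry must never resolve to: "this host",
# RFC 1918, CGNAT, loopback, link-local (where cloud metadata lives), ULA.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

# Constructed DNS table so the example runs offline. Names and addresses
# are invented (203.0.113.0/24 is a documentation range).
CONSTRUCTED_DNS = {
  "upstream.example.com"      => ["203.0.113.10"],
  "metadata.example.internal" => ["169.254.169.254"],
  "dual.example.net"          => ["203.0.113.20", "10.0.0.5"],
  "v6.example.net"            => ["::ffff:127.0.0.1"],
}.freeze
OFFLINE_RESOLVER = ->(host) { CONSTRUCTED_DNS.fetch(host, []) }
LIVE_RESOLVER    = ->(host) { Resolv.getaddresses(host) }

# Weak form: parses the URL and checks the scheme, nothing else. Any host,
# including 127.0.0.1 or a name pointing at an internal service, passes.
def weak_validate(url)
  uri = URI.parse(url)
  raise UpstreamValidationError, "scheme must be http or https" unless %w[http https].include?(uri.scheme)
  raise UpstreamValidationError, "host is required" if uri.hostname.nil? || uri.hostname.empty?
  uri
rescue URI::InvalidURIError => e
  raise UpstreamValidationError, "unparseable URL: #{e.message}"
end

# True when the address falls in a blocked range. IPv4-mapped IPv6
# addresses (::ffff:127.0.0.1) are unwrapped first so they cannot bypass
# the IPv4 ranges.
def blocked?(addr)
  addr = addr.native if addr.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
end

# Hardened form: the weak checks, an optional host allowlist, and a check
# that every address the host resolves to is outside the blocked ranges.
# The resolver is injected so the example can be exercised without DNS.
def validate_upstream(url, allowed_hosts: nil, resolver: LIVE_RESOLVER)
  uri  = weak_validate(url)
  host = uri.hostname.downcase
  if allowed_hosts && !allowed_hosts.map(&:downcase).include?(host)
    raise UpstreamValidationError, "#{host} is not an allowed upstream host"
  end
  addrs = begin
    [IPAddr.new(host)]                          # literal IPv4/IPv6 address
  rescue IPAddr::InvalidAddressError
    resolver.call(host).map { |a| IPAddr.new(a) } # hostname: check every A/AAAA record
  end
  raise UpstreamValidationError, "#{host} does not resolve" if addrs.empty?
  bad = addrs.find { |a| blocked?(a) }
  raise UpstreamValidationError, "#{host} resolves to blocked address #{bad}" if bad
  uri
end

def safe_upstream?(url, **opts)
  validate_upstream(url, **opts)
  true
rescue UpstreamValidationError
  false
end

if __FILE__ == $PROGRAM_NAME
  %w[https://upstream.example.com/v2/ http://127.0.0.1:8080/
     https://metadata.example.internal/ https://dual.example.net/].each do |url|
    weak = begin; weak_validate(url); "accepted"; rescue UpstreamValidationError => e; "rejected (#{e.message})"; end
    hard = begin; validate_upstream(url, resolver: OFFLINE_RESOLVER); "accepted"; rescue UpstreamValidationError => e; "rejected (#{e.message})"; end
    puts "#{url}\n  weak:     #{weak}\n  hardened: #{hard}"
  end
end
```

Two caveats a deployment has to handle beyond this check. The hostname is resolved at configuration time, so a record that changes after validation (DNS rebinding) still reaches an internal address unless the HTTP client pins the validated IP or re-runs the check on every connection, and any redirect the upstream returns must be validated the same way before it is followed. Host forms that the HTTP client accepts but this parser does not (for example a decimal or octal IPv4 literal) should be rejected outright rather than handed to the resolver.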

Tracking


Advisories

No advisories yet.

History

Thu, 14 May 2026 19:00:00 +0000

Type                 Values Removed   Values Added
CPEs                 -                cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 14 May 2026 14:15:00 +0000

Type                 Values Removed   Values Added
Metrics              -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 06:00:00 +0000

Type                 Values Removed   Values Added
Description          -                GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with control of a virtual registry upstream to make requests to internal hosts due to improper validation.
Title                -                Server-Side Request Forgery (SSRF) in GitLab
First Time appeared  -                Gitlab; Gitlab gitlab
Weaknesses           -                CWE-918
CPEs                 -                cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products   -                Gitlab; Gitlab gitlab
References           -
Metrics              -                cvssV3_1 {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-05-14T13:17:54.408Z

Reserved: 2026-04-29T19:33:48.970Z

Link: CVE-2026-7471

Vulnrichment

Updated: 2026-05-14T13:17:51.248Z

NVD

Status : Analyzed

Published: 2026-05-14T06:16:25.477

Modified: 2026-05-14T18:50:47.943

Link: CVE-2026-7471

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T08:45:16Z

Weaknesses