HIGHCVE-2026-4922Published 2026-04-22Modified 2026-04-24CNA GitLab

CVE-2026-4922: Cross-Site Request Forgery (CSRF) in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection.

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: 18.9.6
Affected Products: 1

Fix available

18.9.618.10.418.11.1

Affected packages

GitLab / GitLab
< 18.9.6 (from 17.0) · < 18.10.4 (from 18.10) · < 18.11.1 (from 18.11)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

References

gitlab.com
HackerOne Bug Bounty Report #3627285
about.gitlab.com

Metrics

Fix available