CISA Warns of GitLab Community and Enterprise Editions SSRF Vulnerability Exploited in Attacks



CISA has added a GitLab vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Threat actors are actively exploiting a server-side request forgery (SSRF) flaw in GitLab Community Edition (CE) and Enterprise Edition (EE).

The vulnerability, tracked as CVE-2021-39935, poses a significant risk to organizations still running affected versions of GitLab.

The SSRF vulnerability allows unauthorized external attackers to make the GitLab server issue requests on their behalf through GitLab's CI Lint API.

This API validates GitLab CI/CD configuration (.gitlab-ci.yml) files. Because the endpoint processes the configuration it is handed, a crafted configuration can make the GitLab server itself send requests to internal or external systems chosen by the attacker.

Server-side request forgery attacks are dangerous because the forged request originates from a trusted server inside the perimeter. It therefore bypasses firewalls and network segmentation and reaches internal resources that would otherwise be unreachable from outside the network.

Field | Details
Product | GitLab Community & Enterprise
CVE ID | CVE-2021-39935
Type | SSRF
Description | SSRF flaw via CI Lint API enabling unauthorized server-side requests
CWE | CWE-918 (Server-Side Request Forgery)

Exploiting this vulnerability could enable threat actors to scan internal networks, access sensitive data from cloud metadata services, or interact with internal APIs that lack proper authentication.
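To make "internal resources" and "cloud metadata services" concrete, the following is an added example of the check a server-side fetcher should apply to a user-supplied URL before contacting it. It is illustrative code written for this article, not GitLab's own code or fix. The blocked ranges are standard loopback, link-local, RFC 1918 and IPv6-equivalent space (169.254.169.254, the instance-metadata address on AWS, Azure and GCP, sits in 169.254.0.0/16); the hostnames and the DNS table in the demo are constructed and do not exist.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlparse

# Address ranges a server-side fetcher must never contact on a user's behalf.
# 169.254.0.0/16 contains 169.254.169.254, the instance-metadata endpoint on
# AWS, Azure and GCP; the other entries cover loopback, RFC 1918 private space,
# carrier-grade NAT and the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# A resolver maps a hostname to every address it currently points at. It is a
# parameter so the check can be exercised offline with a constructed table.
Resolver = Callable[[str], Iterable[str]]


def default_resolver(host: str) -> list[str]:
    """Resolve host to all of its A and AAAA records via the system resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_blocked_address(addr: str) -> bool:
    """True if addr lies in a range a server-side request must not reach."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:169.254.169.254 is the same host as 169.254.169.254; unwrap
    # IPv4-mapped IPv6 literals so they are checked against the IPv4 ranges.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_fetch_target(url: str, resolver: Resolver = default_resolver) -> tuple[bool, str]:
    """Decide whether a server may fetch a user-supplied URL.

    Returns (allowed, reason). Every address the host resolves to is checked,
    so a name with one public and one internal record is rejected. Unusual IPv4
    spellings such as "2130706433" or "0x7f000001" are not literals for the
    ipaddress module and so go to the resolver, which on common libc
    implementations normalises them to dotted form before the check.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    try:
        addresses = [host] if _is_ip_literal(host) else list(resolver(host))
    except OSError as exc:  # socket.gaierror is an OSError
        return False, f"could not resolve {host}: {exc}"
    if not addresses:
        return False, f"{host} resolved to no addresses"
    for addr in addresses:
        try:
            blocked = is_blocked_address(addr)
        except ValueError:
            return False, f"resolver returned unparseable address {addr!r}"
        if blocked:
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed DNS table standing in for real resolution; these are not real hosts.
    table = {
        "www.example.test": ["93.184.216.34"],
        "metadata.example.test": ["169.254.169.254"],
        "split.example.test": ["93.184.216.34", "10.0.0.5"],
    }
    for target in (
        "https://www.example.test/config.yml",
        "http://metadata.example.test/latest/meta-data/",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/",
        "http://split.example.test/",
        "file:///etc/passwd",
    ):
        print(target, "->", check_fetch_target(target, table.__getitem__))
```

Two caveats apply to any check of this kind. The address that passed validation must be the one the connection is actually made to; if the fetch re-resolves the name, an attacker who controls the DNS record can rebind it to an internal address between check and use. And redirects must be validated again, since a public host can 302 to the metadata service.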


CISA adds an entry to the KEV catalog only when it has evidence of active exploitation, so the inclusion of CVE-2021-39935 on February 3, 2026 indicates that the flaw is being used in real-world attacks.

While specific attack campaigns have not been publicly disclosed, the agency's warning means that malicious actors are leveraging this vulnerability against unpatched GitLab instances.

The vulnerability affects both Community and Enterprise editions of GitLab, meaning organizations of all sizes running these versions could be at risk.

Given GitLab’s widespread use in DevOps environments for source code management and CI/CD pipelines, compromised instances could provide attackers with access to critical development infrastructure and source code repositories.

Federal agencies under CISA’s Binding Operational Directive (BOD) 22-01 must remediate this vulnerability by February 24, 2026.

All organizations running affected GitLab versions should upgrade to a patched GitLab release without delay.

If the upgrade cannot be applied promptly, administrators should implement vendor-provided workarounds or block access to the CI Lint API endpoint, for example at the reverse proxy in front of GitLab, until the upgrade is complete. Restricting outbound connections from the GitLab server to the destinations it actually needs, including blocking the cloud metadata service, also limits what an SSRF on this endpoint can reach.

Organizations should also review their GitLab access logs for activity that might indicate exploitation attempts, including unusual API requests to the CI Lint endpoint and unexpected outbound connections from GitLab servers to internal hosts or the cloud metadata service.
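The following is an added example of that log review, written for this article rather than taken from GitLab or CISA. It assumes GitLab's api_json.log layout, one JSON object per line with method, path, remote_ip, user_id, username and a params list of {key, value} entries, and that the lint request body is logged under the content parameter (on a real instance that parameter may be absent or truncated, in which case only the caller-based signals fire). The internal source ranges and all sample log lines are constructed for the example.

```python
import ipaddress
import json
import re
from dataclasses import dataclass, field
from typing import Iterable, Optional
from urllib.parse import urlparse

LINT_PATH = "/api/v4/ci/lint"

# Source ranges treated as the organisation's own networks. Assumed for this
# example; replace with the real address plan of the deployment.
INTERNAL_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
)]

# Names that are not IP literals but still denote the GitLab host itself or a
# cloud metadata service.
SUSPICIOUS_HOSTS = {"localhost", "metadata.google.internal"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


@dataclass
class Finding:
    time: str
    remote_ip: str
    username: Optional[str]
    reasons: list[str] = field(default_factory=list)


def _param(params: Optional[list], key: str) -> Optional[str]:
    """api_json.log records request parameters as a list of {key, value}."""
    for entry in params or []:
        if entry.get("key") == key:
            return entry.get("value")
    return None


def _is_internal_source(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_SOURCES)


def _is_risky_target(url: str) -> bool:
    """A remote include pointing back into the network is the SSRF signature."""
    host = urlparse(url).hostname or ""
    if host in SUSPICIOUS_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # ordinary public hostname
    return ip.is_private or ip.is_loopback or ip.is_link_local


def analyse_lint_requests(lines: Iterable[str]) -> list[Finding]:
    """Return one Finding per CI Lint POST that shows an exploitation signal."""
    findings: list[Finding] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if rec.get("method") != "POST" or rec.get("path") != LINT_PATH:
            continue
        reasons: list[str] = []
        src = str(rec.get("remote_ip", ""))
        if rec.get("user_id") is None:
            reasons.append("unauthenticated call to the CI Lint API")
        if not _is_internal_source(src):
            reasons.append(f"caller {src} is outside the internal ranges")
        content = _param(rec.get("params"), "content") or ""
        if "include" in content:
            for url in URL_RE.findall(content):
                if _is_risky_target(url):
                    reasons.append(f"remote include targets an internal address: {url}")
        if reasons:
            findings.append(Finding(rec.get("time", ""), src, rec.get("username"), reasons))
    return findings


# Constructed log lines in the api_json.log layout; not from a real instance.
SAMPLE_LOG = r"""
{"time":"2026-02-04T09:12:01.101Z","severity":"INFO","status":200,"method":"POST","path":"/api/v4/ci/lint","route":"/api/:version/ci/lint","remote_ip":"10.20.30.40","user_id":42,"username":"ci-dev","ua":"curl/8.5.0","params":[{"key":"content","value":"stages:\n  - build\nbuild:\n  script: make"}]}
{"time":"2026-02-04T09:15:44.377Z","severity":"INFO","status":200,"method":"POST","path":"/api/v4/ci/lint","route":"/api/:version/ci/lint","remote_ip":"198.51.100.23","user_id":null,"username":null,"ua":"python-requests/2.31.0","params":[{"key":"content","value":"include:\n  - remote: http://169.254.169.254/latest/meta-data/iam/security-credentials/\nstages:\n  - build"}]}
{"time":"2026-02-04T09:15:52.902Z","severity":"INFO","status":200,"method":"POST","path":"/api/v4/ci/lint","route":"/api/:version/ci/lint","remote_ip":"198.51.100.23","user_id":null,"username":null,"ua":"python-requests/2.31.0","params":[{"key":"content","value":"include:\n  - remote: http://10.0.0.12:8080/internal/config.yml"}]}
{"time":"2026-02-04T09:16:10.004Z","severity":"INFO","status":200,"method":"GET","path":"/api/v4/projects","route":"/api/:version/projects","remote_ip":"198.51.100.23","user_id":null,"username":null,"ua":"python-requests/2.31.0","params":[]}
"""

if __name__ == "__main__":
    for f in analyse_lint_requests(SAMPLE_LOG.splitlines()):
        print(f.time, f.remote_ip, f.username or "<anonymous>")
        for r in f.reasons:
            print("   -", r)
```

On an Internet-facing instance the "caller outside internal ranges" signal on its own is weak, since legitimate users also come from outside; the strong indicator is a lint request whose configuration includes a remote file from a private, loopback, link-local or metadata address. Where the content parameter is not logged, correlate the timestamps of anonymous lint requests with outbound connection logs or flow records from the GitLab host instead.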




