
CVE-2021-39935

CISA KEV

Published February 3, 2026 · Updated April 3, 2026

Severity: high

What This Means

# CVE-2021-39935 – GitLab CI Lint SSRF

**What it is:** GitLab Community and Enterprise Editions allow unauthenticated attackers to abuse the CI Lint API endpoint to perform server-side request forgery (SSRF) attacks, enabling them to make arbitrary HTTP requests from the GitLab server to internal or external systems.

**Impact:** An attacker can probe internal networks, access metadata services (AWS IAM, GCP credentials), retrieve sensitive configuration data, or pivot to backend systems without authentication or GitLab credentials.

**Action:** Update GitLab to patched versions (12.0.12, 13.1.11, 13.2.10 or later depending on your branch). Restrict network access to the CI Lint API (`/api/v4/projects/:id/ci/lint`) via firewall rules or WAF until patching is complete. Audit logs for unauthenticated requests to this endpoint.
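The log audit suggested above, as an added example that is not part of this advisory: it scans JSON API access log lines for requests to the CI Lint route that carry no authenticated user and counts them per source address. The log lines are constructed for the example, the field names (`path`, `user_id`, `username`, `remote_ip`) are assumptions about GitLab's `api_json.log` layout, and the project-less `/api/v4/ci/lint` form is included as an assumption about the API routing.

```python
import json
import re
from collections import Counter

# Matches the CI Lint route named in the advisory (/api/v4/projects/:id/ci/lint);
# the project-less /api/v4/ci/lint form is included as an assumption.
CI_LINT_ROUTE = re.compile(r"^/api/v4/(?:projects/\d+/)?ci/lint/?$")

# Constructed sample lines in the shape of GitLab's api_json.log (field names are
# assumptions; only the fields read below matter). Not from a real instance.
SAMPLE_LOG = """
{"time":"2026-02-10T09:12:01Z","method":"POST","path":"/api/v4/projects/42/ci/lint","status":200,"remote_ip":"203.0.113.7","user_id":null,"username":null}
{"time":"2026-02-10T09:12:02Z","method":"POST","path":"/api/v4/projects/42/ci/lint","status":200,"remote_ip":"203.0.113.7","user_id":null,"username":null}
{"time":"2026-02-10T09:13:40Z","method":"POST","path":"/api/v4/ci/lint","status":200,"remote_ip":"203.0.113.7","user_id":null,"username":null}
{"time":"2026-02-10T09:14:05Z","method":"POST","path":"/api/v4/projects/42/ci/lint","status":200,"remote_ip":"198.51.100.4","user_id":12,"username":"dev.alice"}
{"time":"2026-02-10T09:15:00Z","method":"GET","path":"/api/v4/projects/42/pipelines","status":200,"remote_ip":"198.51.100.4","user_id":12,"username":"dev.alice"}
""".strip()


def find_unauthenticated_lint_calls(log_text):
    """Return the log records that hit the CI Lint route without an authenticated user."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the audit
        if not CI_LINT_ROUTE.match(rec.get("path", "")):
            continue
        # No user_id and no username means the request was not authenticated.
        if rec.get("user_id") is None and not rec.get("username"):
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Count unauthenticated CI Lint calls per remote IP, most active first."""
    return Counter(h.get("remote_ip", "?") for h in hits).most_common()


if __name__ == "__main__":
    for ip, n in summarize_by_source(find_unauthenticated_lint_calls(SAMPLE_LOG)):
        print(f"{ip}: {n} unauthenticated CI Lint request(s)")
```

On the constructed sample this reports three unauthenticated calls from 203.0.113.7 and ignores the authenticated developer's requests.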

Official Description

GitLab Community and Enterprise Editions contain a server-side request forgery vulnerability which could allow unauthorized external users to perform Server Side Requests via the CI Lint API.

Affected Products

Vendor: GitLab
Product: Community and Enterprise Editions

Patch Status

Patch by 2026-02-24

Recommended Actions

  1. Check if your systems use any of the affected products listed above.
  2. Apply vendor patches immediately if available.
  3. This vulnerability is in CISA's Known Exploited Vulnerabilities catalog — prioritize remediation.
  4. Monitor vendor advisories for updates and additional mitigations.
  5. Review logs for indicators of compromise related to CVE-2021-39935.

Related Coverage

Vulnerability

CVE-2021-39935: Unauthenticated SSRF in GitLab CI Lint API Exposes Internal Services

CVE-2021-39935 is an unauthenticated server-side request forgery (SSRF) vulnerability in the GitLab CI Lint API affecting GitLab Community and Enterprise Editions prior to version 14.3.2. An external attacker with no credentials can force the GitLab server to issue arbitrary HTTP requests, exposing internal services, cloud metadata credentials, and sensitive infrastructure. CISA has added the vulnerability to the Known Exploited Vulnerabilities catalog with a federal patch deadline of February 24, 2026.
