GitLab
Moderate fix3 remedies
cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*, +2 more
Moderate fix3 remedies
- >= 17.0, < 18.9.6
- >= 18.10, < 18.10.4
- >= 18.11, < 18.11.1
GitLab CE/EE Cross-Site Request Forgery Vulnerability in GraphQL API
Vulnerability
Patched
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the GitLab Community Edition (CE) and Enterprise Edition (EE) GraphQL API. This issue affects all versions from 17.0 prior to 18.9.6, 18.10 prior to 18.10.4, and 18.11 prior to 18.11.1. The vulnerability could have allowed an unauthenticated user to execute GraphQL mutations on behalf of authenticated users, due to inadequate CSRF protection.
Impact
Exploitation of this vulnerability could have led to unauthorized execution of GraphQL mutations, allowing attackers to perform actions on behalf of authenticated users.
Remediation
Users are advised to upgrade to GitLab versions 18.11.1, 18.10.4, or 18.9.6. Instructions for updating GitLab can be found on the GitLab Update page. For GitLab Runner, refer to the Updating the Runner page.
Added: Apr 22, 2026, 5:23 PM
Updated: Apr 22, 2026, 5:23 PM
Vulnerability Rating
Custom Algorithm
spread
7.3impact
0.6exploitability
5.8remediation
7.7relevance
6.2threat
0.0urgency
2.9incentive
0.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.