CISA Flags Five-Year-Old GitLab SSRF Flaw as Actively Exploited
CISA has added CVE-2021-39935, a server-side request forgery vulnerability in GitLab's CI Lint API originally patched in December 2021, to its Known Exploited Vulnerabilities catalog after observing renewed active exploitation against unpatched internet-exposed instances.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2021-39935 to its Known Exploited Vulnerabilities (KEV) catalog, warning that attackers are actively exploiting a server-side request forgery (SSRF) flaw in GitLab Community and Enterprise editions that was first patched over four years ago. Federal agencies were given until February 24, 2026 to remediate under Binding Operational Directive 22-01.
Vulnerability Details
CVE-2021-39935 is rated CVSS 6.8 (Medium) and resides in GitLab's CI Lint API, a feature used to validate CI/CD pipeline configuration files. The flaw stems from improper validation of user-supplied URLs, allowing unauthenticated remote attackers to send crafted requests from the GitLab server to internal or external systems — a classic SSRF pattern that can be used to enumerate internal services, steal cloud metadata credentials, or chain into deeper exploitation paths.
Affected versions span a wide range: all GitLab CE/EE releases from 10.5 through 14.3.5, 14.4 through 14.4.3, and 14.5 through 14.5.1. GitLab shipped patches in versions 14.3.6, 14.4.4, and 14.5.2 in December 2021.
Exposure Scale and Risk
Security researchers have identified more than 49,000 internet-exposed GitLab instances. While many have been patched over the intervening years, the addition to the KEV catalog signals that a meaningful number remain vulnerable and are being actively targeted. GitLab instances often hold source code, secrets, CI/CD pipeline credentials, and container registry access — making them high-value targets for supply chain attacks.
Recommended Actions
Any organization running a self-managed GitLab instance should immediately verify the installed version and upgrade to a supported release. GitLab currently recommends running the latest patch in a supported major version branch. For instances that cannot be patched immediately, restricting access to the CI Lint API endpoint at the network perimeter provides a partial mitigation. CISA strongly recommends that private-sector organizations treat the February 24 deadline as equally applicable to their own remediation timelines.
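As an added illustration that is not part of the original article, the following Python snippet turns the affected and fixed version ranges quoted above into a check an administrator can run over an inventory of self-managed instances (the version strings, for example as returned by GitLab's `/api/v4/version` endpoint, are assumed to be collected separately; the sample list at the bottom is constructed).

```python
"""Classify self-managed GitLab versions against CVE-2021-39935 (CI Lint API SSRF)."""
import re
from typing import Tuple

# Affected ranges from the advisory text, inclusive at both ends.
# A bound written as "14.4" in the advisory means 14.4.0 here.
AFFECTED_RANGES = [
    ((10, 5, 0), (14, 3, 5)),
    ((14, 4, 0), (14, 4, 3)),
    ((14, 5, 0), (14, 5, 1)),
]
# First patched release on each branch (shipped December 2021).
FIXED_BY_BRANCH = {(14, 3): (14, 3, 6), (14, 4): (14, 4, 4), (14, 5): (14, 5, 2)}

# Accepts "14.4.2", "14.4", and edition suffixes such as "14.4.2-ee".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:-.*)?\s*$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a GitLab version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: str) -> bool:
    """True when the version lies inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def remediation(version: str) -> str:
    """One-line verdict with the minimum patched release for the instance's branch."""
    v = parse_version(version)
    if not is_affected(version):
        return f"{version}: not in an affected range for CVE-2021-39935"
    # Branches older than 14.3 received no backport: the oldest fixed release is 14.3.6,
    # though GitLab recommends the latest patch of a currently supported branch.
    fixed = FIXED_BY_BRANCH.get(v[:2], (14, 3, 6))
    return f"{version}: AFFECTED, upgrade to {'.'.join(map(str, fixed))} or later"


if __name__ == "__main__":
    # Constructed sample inventory; replace with versions collected from real instances.
    for ver in ["13.12.0", "14.3.5", "14.3.6", "14.4.2-ee", "14.5.2", "15.0.0", "10.4.9"]:
        print(remediation(ver))
```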