⚠ Actively exploited
Added to CISA KEV on 2026-02-03. Federal agencies required to patch by 2026-02-24. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CVE-2021-39935 — Server-Side Request Forgery in Gitlab
Severity
NVD: 7.5 HIGH
VulnCheck: 6.8
EPSS
65.7% (top 1.49%)
CISA KEV
Added 2026-02-03
Due 2026-02-24
Exploit
PoC available (public exploit / PoC exists)
Affected products
Timeline
Published: Dec 13
KEV added: Feb 3
Latest update: Feb 4
KEV due: Feb 24
Description
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6
Affected Packages (5 packages)
Vulnerability Details
Exploits & PoCs (3)
Nuclei (1): Gitlab CE/EE 10.5 - Server-Side Request Forgery
Vendor Advisories (3)
CISA: GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability (2026-02-03)
GitLab: CVE-2021-39935: An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, a (2021-12-13)
Debian: CVE-2021-39935: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting fro... (2021)