Threat Intelligence / CVE / CVE-2021-39935

CVE-2021-39935

CISA KEV

CVSS 6.8 (MEDIUM) · EPSS 41.4% · Published 2021-12-13

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API

CVSS v3 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Weaknesses (CWE)

CWE-918

Threats tracking this CVE

GitLab CI Lint API SSRF — CVE-2021-39935 Patch Bypass, CISA KEV Feb 2026, Cloud Metadata Theft, Internal Service Enumeration, 4-Year Exploitation Gap on Self-Managed Instances — HIGH

References

https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39935.json
https://gitlab.com/gitlab-org/gitlab/-/issues/346187
https://hackerone.com/reports/1236965
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39935.json
https://gitlab.com/gitlab-org/gitlab/-/issues/346187
https://hackerone.com/reports/1236965
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39935

Full detection coverage & IOCs for threats exploiting CVE-2021-39935 are available via the Threadlinqs MCP server (Purple tier). View plans →

Markdown version · Threadlinqs Intelligence