Key Takeaway
CVE-2021-39935 is an unauthenticated server-side request forgery (SSRF) vulnerability in the CI Lint API of GitLab Community and Enterprise Editions. Attackers can exploit the flaw to proxy arbitrary HTTP requests through the GitLab server, enabling access to internal services and cloud metadata endpoints without credentials. CISA mandates federal agency remediation by February 24, 2026, and organizations should upgrade GitLab or block the affected endpoint immediately.
CVE-2021-39935: GitLab CI Lint API SSRF Allows Unauthenticated Internal Network Access
Affected Product
Vendor: GitLab
Products: GitLab Community Edition (CE) and Enterprise Edition (EE)
CVE ID: CVE-2021-39935
Vulnerability Type: Server-Side Request Forgery (SSRF)
Attack Vector: Network (unauthenticated remote exploitation)
CISA KEV Patch Deadline: 2026-02-24 (federal agencies)
Technical Description
CVE-2021-39935 is a server-side request forgery vulnerability in the CI Lint API of GitLab Community Edition and Enterprise Edition. The flaw resides in the endpoint used to validate .gitlab-ci.yml configurations — specifically the POST /api/v4/projects/*/ci/lint API route.
The vulnerability permits unauthenticated external users to submit crafted requests that cause the GitLab server to issue arbitrary outbound HTTP requests on their behalf. No authentication token or session cookie is required to trigger the behavior. The GitLab server acts as a proxy, forwarding attacker-controlled requests to destinations reachable from the server's network position.
SSRF vulnerabilities of this class are particularly dangerous when the hosting environment has privileged access to internal infrastructure — a common condition in enterprise GitLab deployments where the server sits inside a corporate network or cloud VPC.
Real-World Impact
An unauthenticated attacker exploiting CVE-2021-39935 can:
-
Bypass network segmentation. The attacker routes requests through the GitLab server to reach internal services that are not exposed to the public internet — databases, internal APIs, admin dashboards, and monitoring systems.
-
Access cloud metadata endpoints. In AWS, GCP, or Azure-hosted environments, the attacker can query instance metadata services (e.g.,
http://169.254.169.254/) to retrieve IAM credentials, access tokens, and environment configuration data. Successful retrieval of cloud credentials from a metadata service can lead to full cloud account compromise. -
Enumerate internal infrastructure. The attacker uses the GitLab server as a pivot point to map internal services by probing RFC 1918 address ranges and observing timing or response differences.
-
Exfiltrate sensitive data. Internal services that trust requests originating from the GitLab server — particularly those on the same network segment — may return sensitive data without additional authentication challenges.
The absence of an authentication requirement amplifies exposure. Any internet-facing GitLab instance running an affected version is a viable target without any prior credential compromise or account access. Organizations running GitLab on cloud infrastructure with instance metadata services enabled are at highest risk of credential theft and lateral movement.
CISA has added CVE-2021-39935 to the Known Exploited Vulnerabilities (KEV) catalog, mandating that federal civilian executive branch (FCEB) agencies remediate by February 24, 2026. Inclusion in the KEV catalog reflects confirmed exploitation activity, not merely theoretical risk.
Affected Versions
All GitLab CE and EE versions prior to the vendor's patched releases are affected. Organizations should consult the GitLab security advisory to confirm whether their installed version falls within the vulnerable range and identify the appropriate upgrade target.
Patching and Mitigation Guidance
1. Patch immediately.
Upgrade GitLab CE or EE to the vendor-released patched version. This is the only complete remediation. Prioritize instances exposed to the public internet or hosted in cloud environments with metadata service access.
2. Disable the CI Lint API endpoint if patching is delayed.
If an immediate upgrade is not operationally feasible, block or disable the vulnerable endpoint at the reverse proxy or WAF layer. Drop or reject POST requests to /api/v4/projects/*/ci/lint from external IP addresses until the patch is applied.
3. Restrict outbound network access from GitLab servers.
Apply egress firewall rules to limit outbound connections from GitLab servers to only explicitly required internal services. Block access to cloud metadata IP ranges (169.254.169.254, fd00:ec2::254) from the GitLab host.
4. Monitor for exploitation indicators.
Review web server and application logs for anomalous POST requests targeting /api/v4/projects/*/ci/lint originating from external IP addresses. Flag requests containing internal IP addresses, localhost, or metadata service URLs in the request body.
5. Audit cloud IAM credentials.
For GitLab instances hosted on AWS, GCP, or Azure, audit recent access to instance metadata services and rotate any credentials that may have been exposed. Check CloudTrail, Cloud Audit Logs, or Azure Monitor for anomalous API calls using instance-derived credentials.
6. Enforce authentication on the CI Lint API.
After patching, verify that your GitLab configuration requires authentication for API access where feasible, and review API exposure through any reverse proxy configurations.
Summary
CVE-2021-39935 is an unauthenticated SSRF in GitLab CE and EE's CI Lint API that enables attackers to proxy arbitrary HTTP requests through the GitLab server. The primary risk is internal network access and cloud credential theft. Federal agencies face a CISA-mandated remediation deadline of February 24, 2026. All organizations running affected GitLab versions should patch or apply endpoint-level mitigations without delay.
Original Source
CISA KEV
Related Articles
CVE Pending: Critical Vulnerability in Anthropic's Claude Code Discovered Days After Source Code Leak
Adversa AI discovered a critical vulnerability in Anthropic's Claude Code agentic coding assistant within days of Anthropic accidentally leaking the product's source code. Claude Code operates with elevated system privileges in developer environments, making exploitation potentially severe — including credential theft, CI/CD pipeline manipulation, and lateral movement. Organizations should audit deployments, rotate credentials, and apply patches immediately once Anthropic releases a fix.
CVE-2024-6387: OpenSSH regreSSHion RCE Flaw Exposes Millions of Linux Servers to Unauthenticated Root Access
CVE-2024-6387 (regreSSHion) is a signal handler race condition in OpenSSH sshd versions 8.5p1 through 9.7p1 that allows unauthenticated remote code execution as root. Discovered by Qualys, the flaw affects an estimated 700,000 publicly exposed servers. Administrators should upgrade to OpenSSH 9.8p1 immediately or set LoginGraceTime 0 as a temporary workaround.
CVE-2021-39935: Unauthenticated SSRF in GitLab CI Lint API Exposes Internal Services
CVE-2021-39935 is an unauthenticated server-side request forgery (SSRF) vulnerability in the GitLab CI Lint API affecting GitLab Community and Enterprise Editions prior to version 14.3.2. An external attacker with no credentials can force the GitLab server to issue arbitrary HTTP requests, exposing internal services, cloud metadata credentials, and sensitive infrastructure. CISA has added the vulnerability to the Known Exploited Vulnerabilities catalog with a federal patch deadline of February 24, 2026.
Apple Expands DarkSword Exploit Kit Mitigations Across Device Fleet After State-Sponsored and Spyware Vendor Abuse
Apple has expanded mitigations against the DarkSword exploit kit to additional devices after the toolkit was used in operations by state-sponsored threat groups and commercial spyware vendors. The expansion follows Apple's standard model of phased protection rollouts across its device ecosystem. All Apple device owners should apply the latest OS updates immediately, and high-risk individuals should enable Lockdown Mode.