{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3857", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2026-03-09T21:03:55.281Z", "datePublished": "2026-03-25T16:33:53.854Z", "dateUpdated": "2026-03-26T13:20:03.781Z"}, "containers": {"cna": {"title": "Cross-Site Request Forgery (CSRF) in GitLab", "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to execute arbitrary GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection."}], "affected": [{"vendor": "GitLab", "product": "GitLab", "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "versions": [{"version": "17.10", "status": "affected", "lessThan": "18.8.7", "versionType": "semver"}, {"version": "18.9", "status": "affected", "lessThan": "18.9.3", "versionType": "semver"}, {"version": "18.10", "status": "affected", "lessThan": "18.10.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/592828"}, {"url": "https://hackerone.com/reports/3584382", "name": "HackerOne Bug Bounty Report #3584382", "tags": ["technical-description", "exploit", "permissions-required"]}, {"url": "https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "solutions": [{"lang": "en", "value": "Upgrade to versions 18.8.7, 18.9.3, 18.10.1 or above."}], "credits": [{"lang": "en", "value": "Thanks [ahacker1](https://hackerone.com/ahacker1) for reporting this vulnerability through our HackerOne bug bounty program", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-03-25T16:33:53.854Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T03:55:34.505033Z", "id": "CVE-2026-3857", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:20:03.781Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3857", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2026-03-09T21:03:55.281Z", "datePublished": "2026-03-25T16:33:53.854Z", "dateUpdated": "2026-03-26T13:20:03.781Z"}, "containers": {"cna": {"title": "Cross-Site Request Forgery (CSRF) in GitLab", "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to execute arbitrary GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection."}], "affected": [{"vendor": "GitLab", "product": "GitLab", "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "versions": [{"version": "17.10", "status": "affected", "lessThan": "18.8.7", "versionType": "semver"}, {"version": "18.9", "status": "affected", "lessThan": "18.9.3", "versionType": "semver"}, {"version": "18.10", "status": "affected", "lessThan": "18.10.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/592828"}, {"url": "https://hackerone.com/reports/3584382", "name": "HackerOne Bug Bounty Report #3584382", "tags": ["technical-description", "exploit", "permissions-required"]}, {"url": "https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "solutions": [{"lang": "en", "value": "Upgrade to versions 18.8.7, 18.9.3, 18.10.1 or above."}], "credits": [{"lang": "en", "value": "Thanks [ahacker1](https://hackerone.com/ahacker1) for reporting this vulnerability through our HackerOne bug bounty program", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-03-25T16:33:53.854Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3857", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T03:55:34.505033Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:20:00.477Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to execute arbitrary GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection."}], "id": "CVE-2026-3857", "lastModified": "2026-03-26T15:13:15.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "cve@gitlab.com", "type": "Secondary"}]}, "published": "2026-03-25T17:17:09.387", "references": [{"source": "cve@gitlab.com", "url": "https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/"}, {"source": "cve@gitlab.com", "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/592828"}, {"source": "cve@gitlab.com", "url": "https://hackerone.com/reports/3584382"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "cve@gitlab.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[17.10,18.8.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[18.9,18.9.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[18.10,18.10.1)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "GitLab", "source": "cna", "vendor": "GitLab"}, "product": "gitlab", "vendor": "gitlab"}], "analysis": {"en": {"generated_at": "2026-03-25T19:10:01.366550+00:00", "value": {"mitigation_remediation": ["Upgrade GitLab to version 18.8.7, 18.9.3, 18.10.1 or any newer release that includes the CSRF fix.", "Verify the GraphQL endpoint is no longer accessible without a valid CSRF token by testing or reviewing deployment logs.", "If an immediate upgrade is not feasible, block or restrict direct access to the GraphQL API using network controls or application firewall rules.", "Monitor GitLab logs for anomalous mutation activity and ensure user account activity is consistent."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized GraphQL mutation execution"}, "threat_synthesis": {"affected_systems": "All GitLab Community Edition and Enterprise Edition installations from version 17.10 up to, but not including, 18.8.7, from 18.9 up to, but not including, 18.9.3, and from 18.10 up to, but not including, 18.10.1 are affected. Users running any of these versions should verify their installation and apply the recommended update.", "description_and_impact": "The vulnerability arises from insufficient CSRF protection in GitLab\u2019s GraphQL interface, allowing an unauthenticated attacker to forge requests that execute arbitrary mutations on behalf of an authenticated user. This flaw can enable the attacker to modify, delete, or create data, potentially compromising the integrity of the system and exposing confidential information. The weakness aligns with CWE\u2011352, an improper validation of cross\u2011site request forgery.", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity with potential for significant impact. Although EPSS data is not available, the exposure of an unrestricted CSRF entry point suggests that the vulnerability may be exploitable by attackers leveraging authenticated users\u2019 sessions. The lack of a KEV listing does not diminish the risk, and the attack can be carried out simply by embedding malicious content in a web page that a victim with active login to GitLab visits. The compromised account could then have its data altered without further credentials from the attacker."}}}}, "created": "2026-03-25T21:46:54.230392+00:00", "updated": "2026-03-26T11:34:36.935725+00:00", "vendors": ["gitlab", "gitlab$PRODUCT$gitlab"]}