CVE-2021-39935

MEDIUM KEV

Gitlab < 14.3.6 - SSRF

Title source: rule

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API.

Scores

CVSS v3 6.8
EPSS 0.5841
EPSS Percentile 98.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Details

CISA KEV 2026-02-03
VulnCheck KEV 2025-03-11
ENISA EUVD EUVD-2021-26291
CWE CWE-918
Status published
Products (1)
gitlab/gitlab 10.5.0 - 14.3.6 (2 CPE variants)
Published Dec 13, 2021
KEV Added Feb 03, 2026
Tracked Since Feb 18, 2026