CVE-2021-4191

MEDIUM EXPLOITED NUCLEI

GitLab GraphQL API User Enumeration

Title source: metasploit
STIX 2.1

Exploitation Summary

CVE-2021-4191 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including K3ysTr0K3R, Adelittle, jbaines-r7, mungsul, including a Metasploit module auxiliary/scanner/http/gitlab_graphql_user_enum. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a Python script that scans for GitLab instances vulnerable to CVE-2021-4191, a user enumeration vulnerability in the GraphQL API. It includes functionality to query the API for usernames and scan IP ranges for exposed endpoints.

Description

An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Private GitLab instances with restricted sign-ups may be vulnerable to user enumeration to unauthenticated users through the GraphQL API.

Exploits (3)

nomisec SCANNER 8 stars
by K3ysTr0K3R · infoleak
https://github.com/K3ysTr0K3R/CVE-2021-4191-EXPLOIT

This repository contains a Python script that scans for GitLab instances vulnerable to CVE-2021-4191, a user enumeration vulnerability in the GraphQL API. It includes functionality to query the API for usernames and scan IP ranges for exposed endpoints.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: GitLab CE/EE versions 13.0 to 14.6.5, 14.7 to 14.7.4, 14.8 to 14.8.2
No auth needed
Prerequisites: Network access to the target GitLab instance · GraphQL API endpoint exposed
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by Adelittle · infoleak
https://github.com/Adelittle/CVE-2021-4191_Exploits

This is a Python script that exploits CVE-2021-4191, a GraphQL API user enumeration vulnerability in GitLab. It queries the GraphQL endpoint to dump user data, including usernames, emails, and other metadata, without requiring authentication.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: GitLab (versions affected by CVE-2021-4191)
No auth needed
Prerequisites: Access to the GitLab GraphQL API endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC
by jbaines-r7, mungsul · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/gitlab_graphql_user_enum.rb

This Metasploit module exploits CVE-2021-4191 to enumerate GitLab users via an unauthenticated GraphQL API query. It handles pagination to retrieve all users and stores the results in the Metasploit database.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: GitLab versions 13.0 to 14.8.2, 14.7.4, and 14.6.5
No auth needed
Prerequisites: Network access to the GitLab instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

GitLab GraphQL API User Enumeration
MEDIUMby zsusac
Shodan: cpe:"cpe:2.3:a:gitlab:gitlab" || http.title:"gitlab"
FOFA: title="gitlab"

References (3)

Core 3
Core References
Permissions Required, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/1089609

Scores

CVSS v3 5.3
EPSS 0.8000
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

VulnCheck KEV 2023-11-14
Status published
Products (1)
gitlab/gitlab 13.0.0 - 14.6.5 (2 CPE variants)
Published Mar 28, 2022
Tracked Since Feb 18, 2026