CVE-2026-3848

MEDIUM

GitLab CE/EE 8.11-18.7.5, 18.8.x < 18.8.6, 18.9.x < 18.9.2 - Internal Request Forgery via Import

Title source: manual

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to make unintended internal requests through proxy environments under certain conditions due to improper input validation in import functionality.

References (2)

Core 2

Core References

Release Notes

https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/

Various Sources

https://gitlab.com/gitlab-org/gitlab/-/work_items/577298

Scores

CVSS v3 5.0

EPSS 0.0019

EPSS Percentile 8.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-93

Status published

Products (1)

gitlab/gitlab 8.11.0 - 18.7.6 (2 CPE variants)

Published Mar 11, 2026

Tracked Since Mar 11, 2026