
2026-02-03 — GitLab CI Lint API SSRF (CVE-2021-39935)

Signal: Added to CISA KEV on 2026-02-03.

Impact (per CISA): Server-Side Request Forgery (SSRF) that could allow unauthorized external users to perform server-side requests via the CI Lint API.

Vendor/Product: GitLab Community and Enterprise Editions

Why this matters

SSRF in a CI/API surface is high-leverage because the GitLab application tier usually sits inside the trust boundary and can be made to:
  • Reach internal-only services (cloud metadata endpoints, admin panels, service meshes) that are never exposed to the internet
  • Exfiltrate secrets carried in internal responses (for example, the temporary instance credentials a cloud metadata service returns)
  • Pivot into RCE, depending on what internal targets are reachable and how they trust requests from the GitLab host

CISA adds an entry to KEV only with evidence of active exploitation, so treat this as exploited in the wild, not as a theoretical finding.

Triage (15–30 minutes)

  1. Confirm exposure
    • Identify all self-managed GitLab instances and whether the GitLab web/API is internet-reachable. GitLab.com is patched by the vendor; only self-managed instances need action.
    • Determine whether the CI Lint endpoint (POST /api/v4/ci/lint, and the per-project POST /api/v4/projects/:id/ci/lint) is reachable anonymously or with low-privilege auth (depends on version/config).
  2. Determine version / patch status
    • Check whether you are on a version that includes GitLab’s fix for CVE-2021-39935. The fix shipped in the December 2021 security release (14.3.6, 14.4.4, 14.5.2); confirm the exact fixed versions against the GitLab advisory before signing off.
  3. Quick risk reduction (if exposed)
    • Restrict access to GitLab (VPN / allowlists) until patched.
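The two checks above (is the instance on a fixed version, and does the lint endpoint answer without credentials) can be scripted. The following is an added example, not code from the page or from GitLab. It assumes the affected ranges as recalled from the GitLab/NVD advisory (>= 10.5 before 14.3.6, >= 14.4 before 14.4.4, >= 14.5 before 14.5.2), which you should confirm against the vendor release notes, and it assumes the documented REST API shape: GET /api/v4/version (token required) and POST /api/v4/ci/lint with a {"content": "<yaml>"} body. The base URL and token passed on the command line are placeholders.

```python
"""Patch-status and exposure triage for CVE-2021-39935 (added example, not GitLab's code).

Labelled assumptions:
  * Affected ranges as recalled from the GitLab/NVD advisory:
    >= 10.5 < 14.3.6, >= 14.4 < 14.4.4, >= 14.5 < 14.5.2.
    Confirm against the vendor release notes before acting on the verdict.
  * GET /api/v4/version returns {"version": ..., "revision": ...} and needs a
    PRIVATE-TOKEN header; POST /api/v4/ci/lint accepts {"content": "<yaml>"}.
"""
import json
import re
import urllib.error
import urllib.request

# (inclusive start, exclusive end) of each vulnerable range, per the assumption above.
AFFECTED_RANGES = [
    ("10.5.0", "14.3.6"),
    ("14.4.0", "14.4.4"),
    ("14.5.0", "14.5.2"),
]


def parse_version(s):
    """'14.5.1-ee' / '14.5.1' / '14.5' -> (14, 5, 1) / (14, 5, 0); edition suffixes are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {s!r}")
    return tuple(int(x or 0) for x in m.groups())


def is_vulnerable(version):
    """True if the version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def fetch_version(base_url, token):
    """Read the running version from a self-managed instance (network call, needs a token)."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v4/version",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


def lint_status_without_auth(base_url):
    """HTTP status of an unauthenticated POST /api/v4/ci/lint carrying a harmless one-job config.

    The payload has no include: directive and no URL, so this only tests whether the
    endpoint answers anonymous callers: 401/403 means they are refused, 200 means the
    endpoint is open to anyone who can reach the host (network call)."""
    body = json.dumps({"content": "job:\n  script: echo ok\n"}).encode()
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v4/ci/lint", data=body,
                                 headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    import sys
    # usage: python triage.py https://gitlab.example.internal <api-token>   (placeholders)
    base, token = sys.argv[1], sys.argv[2]
    ver = fetch_version(base, token)
    verdict = "VULNERABLE" if is_vulnerable(ver) else "not in an affected range"
    print(f"{base}: version {ver} -> {verdict}; anonymous lint -> HTTP {lint_status_without_auth(base)}")
```

Run it once per self-managed instance from a host that can reach the API; a 200 from the anonymous probe plus a vulnerable version is the combination that should move an instance to the top of the patch queue.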

Mitigation (do now)

  1. Apply GitLab’s security release
    • Follow GitLab’s vendor guidance for CVE-2021-39935 (CISA links the release notes). This is the only complete fix; the steps below limit blast radius while you get there.
  2. Network egress controls
    • Add egress restrictions from the GitLab application tier:
      - Deny access to cloud metadata IPs (e.g., 169.254.169.254). On AWS, additionally require IMDSv2, whose session token is obtained with a PUT request that a GET-only SSRF cannot issue.
      - Deny RFC1918 / internal ranges where possible, except required internal services
    • Allowlist what GitLab legitimately needs outbound (runners, object storage, package and container registries, SMTP, any remote CI templates) so the rules do not break pipelines and get rolled back.
  3. Harden internal targets
    • Ensure internal services require auth and aren’t relying on “internal network” as the control; a request that arrives from the GitLab host’s IP is not evidence that GitLab’s administrators sent it.

Hunt / detection ideas

Focus on unexpected outbound connections originating from GitLab and on suspicious requests to the CI Lint endpoints (POST /api/v4/ci/lint and POST /api/v4/projects/:id/ci/lint):
  • Web logs: repeated hits to the CI Lint endpoints with unusual payloads, especially from unauthenticated or newly created accounts
  • GitLab logs (api_json.log): lint request bodies referencing internal hostnames/IPs, localhost, or metadata IPs; include:remote: is GitLab’s documented mechanism for making the server fetch a URL from CI YAML, so URLs in lint payloads deserve a look
  • Network telemetry: the GitLab host making HTTP(S) calls to internal IPs it doesn’t normally contact
  • Cloud logs: metadata service access attempts from GitLab nodes, and any use of the instance credentials from an IP that is not the GitLab node
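The GitLab-log hunt above, as an added example (not code from the page or from GitLab): it reads JSON lines shaped like GitLab’s api_json.log, keeps POSTs to the lint endpoints, pulls the YAML out of the content parameter, and flags any URL whose host resolves to loopback, private or link-local space, an integer-encoded IP (a common SSRF filter bypass), or an internal-looking name. The field names (method, path, remote_ip, username, params as key/value pairs) are an assumption about the log format, and the sample lines are constructed, not real captures; real deployments may truncate or filter parameters, so check what your instance actually logs.

```python
"""Hunt for CI Lint API requests carrying internal URLs (added example, not GitLab's code).

Labelled assumptions:
  * Log lines are JSON objects shaped like GitLab's api_json.log, with "method", "path",
    "remote_ip", "username" and a "params" list of {"key", "value"} pairs. Real logs may
    truncate or filter parameters; adjust the field names to what your instance writes.
  * The lint payload's YAML arrives in the "content" param; any URL in it is a candidate.
  * SAMPLE_LOG below is constructed for the demo.
"""
import ipaddress
import json
import re
from urllib.parse import urlsplit

LINT_PATH = re.compile(r"^/api/v4/(?:projects/[^/]+/)?ci/lint$")
URL_RE = re.compile(r"[a-zA-Z][a-zA-Z0-9+.-]*://[^\s\"'<>]+")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16",  # link-local, which is where cloud metadata services live
    "::1/128", "fc00::/7", "fe80::/10",
)]
INTERNAL_SUFFIXES = (".internal", ".local", ".localdomain", ".svc", ".cluster.local")


def _parse_ip(host):
    """Dotted/colon form first, then bare decimal or hex integers (e.g. 2130706433, 0x7f000001)."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(host, 0))
    except ValueError:
        return None


def host_is_internal(host):
    """True if a URL host points at loopback/private/link-local space or looks like an internal name."""
    h = host.strip("[]").lower()
    ip = _parse_ip(h)
    if ip is not None:
        return any(ip in net for net in INTERNAL_NETS)
    # Not an IP: localhost, well-known internal suffixes, or a bare short name (no dots).
    return h == "localhost" or h.endswith(INTERNAL_SUFFIXES) or "." not in h


def suspicious_urls(yaml_text):
    """URLs in a lint payload whose host is internal."""
    hits = []
    for url in URL_RE.findall(yaml_text):
        host = urlsplit(url).hostname
        if host and host_is_internal(host):
            hits.append(url)
    return hits


def hunt(log_lines):
    """Return (remote_ip, username, path, urls) for lint requests that reference internal targets."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("method") != "POST" or not LINT_PATH.match(rec.get("path", "")):
            continue
        content = next((p.get("value", "") for p in rec.get("params", []) if p.get("key") == "content"), "")
        urls = suspicious_urls(content if isinstance(content, str) else "")
        if urls:
            findings.append((rec.get("remote_ip"), rec.get("username"), rec["path"], urls))
    return findings


# Constructed sample lines approximating api_json.log; not real captures.
SAMPLE_LOG = [
    json.dumps({"method": "POST", "path": "/api/v4/projects/42/ci/lint", "status": 200,
                "remote_ip": "10.20.30.40", "username": "dev1",
                "params": [{"key": "content", "value": "include:\n  - remote: https://gitlab.example.com/ci/templates/base.yml\nbuild:\n  script: make\n"}]}),
    json.dumps({"method": "POST", "path": "/api/v4/ci/lint", "status": 200,
                "remote_ip": "203.0.113.7", "username": None,
                "params": [{"key": "content", "value": "include:\n  - remote: http://169.254.169.254/latest/meta-data/iam/security-credentials/\n"}]}),
    json.dumps({"method": "POST", "path": "/api/v4/ci/lint", "status": 200,
                "remote_ip": "203.0.113.7", "username": None,
                "params": [{"key": "content", "value": "include:\n  - remote: http://2130706433:8080/admin\n"}]}),
    json.dumps({"method": "GET", "path": "/api/v4/projects/42", "status": 200,
                "remote_ip": "10.20.30.40", "username": "dev1", "params": []}),
]

if __name__ == "__main__":
    for remote_ip, user, path, urls in hunt(SAMPLE_LOG):
        print(f"{remote_ip} user={user or 'anonymous'} {path} -> {', '.join(urls)}")
```

Feed it the real log with something like hunt(open("/var/log/gitlab/gitlab-rails/api_json.log")) and pivot on the remote_ip and username of any hit; anonymous callers and freshly created accounts are the ones to chase first, and the flagged URL tells you which internal target (and therefore which credentials) to treat as exposed.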

If you suspect compromise:
  • Contain (restrict access / isolate host) while preserving logs; do not rebuild the node before api_json.log, web server logs and network telemetry are copied off.
  • Rotate credentials possibly exposed via SSRF paths (cloud instance profiles, internal service tokens, anything an internal endpoint reachable from the GitLab host would have handed back), and review cloud audit logs for use of those credentials from outside the GitLab node.

References