LeakyCreds
NewInstant webhook alerts now available ā€” notified within seconds of any credential detection.Learn more ā†’
Home / Vulnerability Intelligence / CVE-2026-3857

CVE-2026-3857 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: March 26, 2026

GitLab CE/EE - Cross Site Request Forgery

Published: March 25, 2026Updated: March 26, 2026Remote Exploitable

Overview

GitLab CE/EE >= 17.10, < 18.8.7, 18.9, < 18.9.3, and 18.10, < 18.10.1 contain a cross site request forgery caused by insufficient CSRF protection in GraphQL mutations, letting unauthenticated attackers execute arbitrary mutations on behalf of authenticated users, exploit requires victim authentication.

Severity & Score

Severity: High
CVSS Score: 8.1
EPSS Score: 0.8%(Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can execute arbitrary GraphQL mutations as authenticated users, potentially leading to data manipulation or privilege abuse.

Mitigation

Update to versions 18.8.7, 18.9.3, 18.10.1 or later.

References

Social Media Activity(3 posts)

TheHackerWire
TheHackerWire
@thehackerwire
Mar 25, 2026

šŸŸ  CVE-2026-3857 - High (8.1) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to execute arbitrary GraphQL mutations on behalf of authen... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-3857/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Mar 25, 2026

šŸŸ  CVE-2026-3857 - High (8.1) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to execute arbitrary GraphQL mutations on behalf of authen... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-3857/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Mar 25, 2026

šŸŸ  CVE-2026-3857 - High (8.1) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to execute arbitrary GraphQL mutations on behalf of authen... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-3857/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID
CVE-2026-3857
Severity
High
CVSS Score
8.1
Type
cross_site_request_forgery
Status
unconfirmed
EPSS
0.8%
Social Posts
3

CWE

  • CWE-352

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

EPSS Score

0.8%Probability of exploitation in the next 30 days