CVE-2026-4922 - Vulnerability Analysis
Severity: High | CVSS: 8.1 | Last Updated: April 22, 2026
GitLab CE/EE - Cross Site Request Forgery
Published: April 22, 2026 | Updated: April 22, 2026 | Remote Exploitable
Overview
GitLab CE/EE versions >= 17.0 and < 18.9.6, 18.10.x before 18.10.4, and 18.11.x before 18.11.1 contain a cross-site request forgery (CSRF) vulnerability caused by insufficient CSRF protection on GraphQL mutations. It lets an unauthenticated attacker execute mutations on behalf of an authenticated user; exploitation requires no authentication on the attacker's side.
Severity & Score
Severity: High
CVSS Score: 8.1
Impact
Unauthenticated users can perform actions as authenticated users via GraphQL mutations, potentially leading to unauthorized data modification or access.
Mitigation
Update to version 18.9.6, 18.10.4, or 18.11.1 (or later) of the corresponding release line.
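The overview above attributes the issue to GraphQL mutations that can be executed without CSRF proof. As an added illustration of the defensive control involved (example code written for this page, not GitLab's own code), the Rack-style guard below refuses to pass a cookie-authenticated mutation downstream unless the request carries an allowlisted Origin header and a CSRF token bound to the session. Requests authenticated by a bearer token are exempt because a cross-site page cannot make the browser attach that header; batched (array) GraphQL bodies are inspected element by element and an unparseable body is treated as a mutation (fail closed). The allowed origin, the session-to-token lookup, the cookie names and the mutation text are constructed assumptions.

```ruby
require 'json'
require 'stringio'

# Added example (not GitLab's code): CSRF guard for a GraphQL endpoint.
class GraphqlCsrfGuard
  ALLOWED_ORIGINS = ['https://gitlab.example.test'].freeze # assumption: first-party origin
  CSRF_HEADER = 'HTTP_X_CSRF_TOKEN'                         # Rack name for X-CSRF-Token

  # app: downstream Rack app. session_token: lambda mapping the Cookie header
  # to the CSRF token stored in that session (stubbed by the caller).
  def initialize(app, session_token:)
    @app = app
    @session_token = session_token
  end

  def call(env)
    verdict, reason = self.class.verify(env, @session_token)
    if verdict == :deny
      return [403, { 'content-type' => 'application/json' }, [{ error: reason }.to_json]]
    end
    @app.call(env)
  end

  # Pure decision function: returns [:allow, reason] or [:deny, reason].
  def self.verify(env, session_token)
    graphql_post = env['REQUEST_METHOD'] == 'POST' && env['PATH_INFO'] == '/api/graphql'
    return [:allow, 'not a GraphQL POST'] unless graphql_post

    body = env['rack.input'].read
    env['rack.input'].rewind # leave the body readable for the downstream app
    return [:allow, 'not a mutation'] unless mutation?(body)

    # A cross-site page cannot make the browser add an Authorization header, so
    # bearer-authenticated calls are not forgeable; only cookie sessions are.
    return [:allow, 'token-authenticated'] if env['HTTP_AUTHORIZATION'].to_s.start_with?('Bearer ')
    return [:allow, 'no session cookie'] if env['HTTP_COOKIE'].to_s.empty?

    origin = env['HTTP_ORIGIN']
    return [:deny, 'missing Origin header'] if origin.nil?
    return [:deny, "origin #{origin} not allowed"] unless ALLOWED_ORIGINS.include?(origin)

    expected = session_token.call(env['HTTP_COOKIE'])
    supplied = env[CSRF_HEADER].to_s
    valid = expected && !supplied.empty? && secure_compare(supplied, expected)
    return [:deny, 'missing or invalid CSRF token'] unless valid

    [:allow, 'CSRF checks passed']
  end

  # True if any operation in the (possibly batched) body is a mutation.
  # GraphQL requires the `mutation` keyword to start a mutation operation,
  # so strip leading whitespace and `#` comments and look for that keyword.
  def self.mutation?(body)
    docs = JSON.parse(body)
    docs = [docs] unless docs.is_a?(Array)
    docs.any? do |doc|
      query = doc.is_a?(Hash) ? doc.fetch('query', '').to_s : ''
      query.sub(/\A(\s|#[^\n]*\n)*/, '') =~ /\Amutation\b/ ? true : false
    end
  rescue JSON::ParserError
    true # fail closed: an unparseable body gets the strict path
  end

  # Constant-time comparison so token checks do not leak via timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Builds a minimal Rack env for a GraphQL POST (constructed sample input).
  def self.sample_env(body:, headers: {})
    env = {
      'REQUEST_METHOD' => 'POST',
      'PATH_INFO' => '/api/graphql',
      'CONTENT_TYPE' => 'application/json',
      'rack.input' => StringIO.new(body.to_json)
    }
    headers.each { |k, v| env["HTTP_#{k.to_s.upcase.tr('-', '_')}"] = v }
    env
  end
end
```

Mount the guard in front of the GraphQL app (`use GraphqlCsrfGuard, session_token: lookup` in a `config.ru`), where `lookup` resolves the session cookie to the token the server issued to that session; the same token is what the first-party frontend sends back in `X-CSRF-Token`.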
Details
- CVE ID: CVE-2026-4922
- Severity: High
- CVSS Score: 8.1
- Type: cross_site_request_forgery
- Status: unconfirmed
CWE
- CWE-352
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N