Cyber Resilience

CVE-2021-39935

Severity: Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 13 December 2021
Modified: 04 February 2026
KEV Added: 03 February 2026
CVSS Score (v3.1): 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.6453 (98.5th percentile)
Risk Priority: 72 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-39935 is a medium-severity server-side request forgery (SSRF, CWE-918) vulnerability in GitLab (vendor: GitLab). Its CVSS base score is 6.8 (Medium).

Operationally, it ranks in the top 1.5% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2021-39935 is a server-side request forgery vulnerability tracked under CWE-918 that affects the CI Lint API in GitLab Community Edition and Enterprise Edition. The flaw impacts all versions from 10.5 up to but not including 14.3.6, all versions from 14.4 up to but not including 14.4.4, and all versions from 14.5 up to but not including 14.5.2. It carries a CVSS 3.1 score of 6.8 with the vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N.

Unauthorized external users can exploit the issue by submitting crafted requests to the CI Lint API, enabling them to initiate server-side requests to arbitrary internal or external resources. This allows potential access to sensitive data or internal services that would otherwise be unreachable from outside the network.

Public advisories and the associated GitLab issue direct users to upgrade to the fixed releases 14.3.6, 14.4.4, or 14.5.2 (or later) to remediate the vulnerability. No additional configuration changes or workarounds are specified in the provided references.

EU & UK References

Vulnerability details

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API.

CWE(s): CWE-918 (SSRF)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

gitlab / gitlab: 10.5.0 up to (not including) 14.3.6 · 14.4.0 up to (not including) 14.4.4

Mitigating Controls (NIST 800-53 r5)

AC-3 (Access Enforcement), prevent
Enforces authorization checks on the CI Lint API so that only permitted users can submit requests, directly blocking the unauthorized external user path described in the CVE.

SI-10 (Information Input Validation), prevent
Requires validation of all inputs to the CI Lint API (especially URLs/targets), preventing crafted SSRF payloads from being accepted and processed.

Boundary protection, prevent
Boundary-protection mechanisms can restrict the application server's ability to initiate arbitrary outbound requests to internal or external resources, limiting SSRF impact.

References