CSRF Vulnerability in GitLab CE/EE Products
CVE-2026-4527

6.5MEDIUM

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 14 May 2026

What is CVE-2026-4527?

A Cross-Site Request Forgery (CSRF) vulnerability exists in GitLab CE/EE that enables an unauthenticated user to forge unauthorized Jira subscriptions for a user's namespace. This vulnerability arises from inadequate CSRF protection, allowing attackers to exploit it through specially crafted links. Organizations using affected versions should prioritize applying the relevant patches to mitigate the risk.

Affected Version(s)

GitLab 11.10 < 18.9.7

GitLab 18.10 < 18.10.6

GitLab 18.11 < 18.11.3

References

https://gitlab.com/gitlab-org/gitlab/-/work_items/594339

https://hackerone.com/reports/3590487

technical-descriptionexploitpermissions-required

https://about.gitlab.com/releases/2026/05/13/patch-releas...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
Mar 20, 2026

Credit

Thanks [maksyche](https://hackerone.com/maksyche) for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-4527 Data

JSON