Severity: High (CVSS 8.1)

GitLab CSRF lets unauthenticated attackers act as logged-in victims (CVE-2026-4922)


An unauthenticated attacker who lures a logged-in GitLab user to a malicious page can forge requests that ride on the victim's session and run arbitrary GraphQL mutations as that user. Upgrade to 18.11.1, 18.10.4, or 18.9.6 immediately.

Affected: GitLab Community Edition and Enterprise Edition (self-managed)

Vendor-confirmed - CVE-2026-4922 is a high-severity CSRF vulnerability in GitLab CE/EE 17.0.0 through 18.11.0 that lets an unauthenticated attacker execute arbitrary GraphQL mutations on behalf of an authenticated victim. Patch now to 18.11.1, 18.10.4, or 18.9.6.

Overview

A high-severity Cross-Site Request Forgery (CSRF) vulnerability in GitLab Community Edition and Enterprise Edition (CVE-2026-4922, CVSS 8.1) allows an unauthenticated attacker to execute GraphQL mutations on behalf of an authenticated victim. The issue affects all GitLab versions from 17.0 through 18.9.5, 18.10.0 through 18.10.3, and 18.11.0.

Technical Details

The vulnerability stems from insufficient CSRF protection on GitLab's GraphQL endpoint. An attacker crafts a web page (or a link delivered by email) that, when opened by a logged-in GitLab user, makes the victim's browser send a GraphQL mutation to the instance. The browser attaches the victim's session cookie automatically, so the request arrives with a valid session and the server executes it without any proof that the user intended it, which is exactly the check a CSRF token or origin validation is meant to provide.

The published CVSS vector begins AV:N/AC:L/PR:N/UI:R: the attack is network-reachable, low complexity and needs no privileges on the instance, but it does require user interaction (a logged-in user has to load the attacker's content). The 8.1 score reflects the breadth of what an unauthorized mutation can do: modify project settings, repository content, user permissions, or other sensitive data, with the damage bounded by the victim's own permissions.

Affected Versions

  • GitLab CE/EE 17.0.0 through 18.9.5
  • GitLab CE/EE 18.10.0 through 18.10.3
  • GitLab CE/EE 18.11.0
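The three ranges above are easy to misread when checking a fleet by hand (17.x has no fixed release of its own, and 18.9.6 is the first fixed version in that stream). The following is an added example, not code from GitLab or this advisory, that encodes the ranges as half-open intervals and maps an installed version to the smallest patched release in its stream. It assumes version strings of the form `MAJOR.MINOR.PATCH` with an optional `-ce`/`-ee` suffix, as printed by `gitlab-rake gitlab:env:info` or returned by `GET /api/v4/version`; the inventory in the demo is constructed.

```python
"""Check GitLab version strings against the CVE-2026-4922 affected ranges.

Added example; the ranges come from the advisory text, the code does not.
"""
import re

# (first affected, first fixed) per release stream, lower bound inclusive,
# upper bound exclusive. 17.0.0 .. 18.9.5 is one contiguous affected range
# because no 17.x fix release exists; its first fixed version is 18.9.6.
AFFECTED = [
    ((17, 0, 0), (18, 9, 6)),
    ((18, 10, 0), (18, 10, 4)),
    ((18, 11, 0), (18, 11, 1)),
]

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'18.10.2-ee' or 'v18.10.2' -> (18, 10, 2); edition suffixes are ignored."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(text):
    """True if the version falls in any affected range."""
    version = parse_version(text)
    return any(low <= version < high for low, high in AFFECTED)


def upgrade_target(text):
    """Smallest patched release for an affected version, or None if not affected."""
    version = parse_version(text)
    for low, high in AFFECTED:
        if low <= version < high:
            return ".".join(str(part) for part in high)
    return None


def triage(inventory):
    """Map host -> version to host -> required upgrade (affected hosts only)."""
    return {host: upgrade_target(ver) for host, ver in inventory.items()
            if is_affected(ver)}


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    sample = {
        "git-a.example.internal": "18.10.2-ee",
        "git-b.example.internal": "17.6.1-ce",
        "git-c.example.internal": "18.11.1-ee",
    }
    for host, target in triage(sample).items():
        print(f"{host}: upgrade to {target}")
```

Run it against your own inventory; anything still on 17.x shows up with 18.9.6 as the minimum target, which matches the "latest patched version in your release stream" guidance below only if you treat 18.9 as the nearest stream that has a fix.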

Impact

Successful exploitation enables an attacker to perform any GraphQL mutation the victim user is authorized to execute: creating or deleting projects, modifying repository content, changing user roles, and so on. The forged request's response is not readable by the attacker's page (the browser's same-origin policy still applies), so the primitive is write-only; an attacker gets at data indirectly, for example through a mutation that grants their own account access to a project, rather than by receiving query results. The attack bypasses typical authentication controls because it piggybacks on the victim's valid session.

Remediation

GitLab has released patched versions: 18.11.1, 18.10.4, and 18.9.6. Organizations running any affected version should upgrade immediately. No workarounds are available; the only mitigation is applying the patch.

For self-managed instances, update to the latest patched version in your release stream; no 17.x patch release is listed, so 17.x instances need to move to a patched 18.x stream (18.9.6 or later). GitLab.com (SaaS) is already protected - the fix was applied server-side.

Security Insight

This vulnerability illustrates a recurring pattern: API endpoints, GraphQL ones in particular, often do not get the CSRF protections applied to traditional web forms. The exposure arises when an endpoint designed for token-bearing API clients also accepts the browser's session cookie. A bearer token is never attached by the browser on an attacker's behalf, but a cookie is, so a cookie-authenticated mutation needs the same synchronizer token (or an Origin / Sec-Fetch-Site check) as any form POST. As more applications expose GraphQL interfaces, vendors must enforce CSRF checks consistently across every state-changing operation, not just conventional endpoints. GitLab's rapid patch cycle here is commendable, but the root cause points to a design gap that other GraphQL implementations may share.
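To make the distinction in the Technical Details and Security Insight sections concrete, here is an added example of the guard a session-aware GraphQL endpoint needs. It is illustrative code written for this page, not GitLab's implementation and not a description of what GitLab changed; the instance origin, the `_gitlab_session` cookie name and the `X-CSRF-Token` header are assumptions, and the requests in the demo are constructed. The guard only fires for state-changing requests that arrive with an ambient credential (a cookie); bearer-token requests and anonymous requests pass through because there is no session to forge.

```python
"""Illustrative CSRF guard for a cookie-authenticated GraphQL endpoint.

Added example, not GitLab code. Origin, cookie and header names are assumed.
"""
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

INSTANCE_ORIGIN = "https://gitlab.example.com"   # assumed self-managed origin
SESSION_COOKIE = "_gitlab_session"                # assumed session cookie name
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    cookies: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup; returns None when absent."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def origin_of(value):
    """Reduce an Origin or Referer header to scheme://host[:port], or None."""
    if not value:
        return None
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_verdict(req, session_csrf_token):
    """Return (allowed, reason) for a request to the GraphQL endpoint.

    Only cookie-authenticated state-changing requests need CSRF defence: the
    browser never attaches an Authorization header on an attacker's behalf.
    """
    if req.method not in MUTATING_METHODS:
        return True, "safe method"
    auth = req.header("Authorization") or ""
    if auth.lower().startswith("bearer "):
        return True, "token auth, no ambient credential"
    if SESSION_COOKIE not in req.cookies:
        return True, "anonymous request, nothing to forge"
    # 1. Fetch metadata: browsers label cross-site fetches and navigations.
    site = (req.header("Sec-Fetch-Site") or "").lower()
    if site and site not in ("same-origin", "none"):
        return False, f"Sec-Fetch-Site={site}"
    # 2. Origin check with Referer as fallback; missing both is rejected.
    origin = origin_of(req.header("Origin")) or origin_of(req.header("Referer"))
    if origin != INSTANCE_ORIGIN.lower():
        return False, f"origin {origin!r} is not the instance origin"
    # 3. A plain HTML form can POST cross-site without a preflight; require JSON.
    ctype = (req.header("Content-Type") or "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, f"content type {ctype!r} not allowed for mutations"
    # 4. Synchronizer token bound to the session, compared in constant time.
    token = req.header("X-CSRF-Token") or ""
    if not hmac.compare_digest(token.encode(), session_csrf_token.encode()):
        return False, "missing or wrong CSRF token"
    return True, "same-origin request with valid CSRF token"


def demo():
    """Constructed legitimate and forged requests; returns both verdicts."""
    session_token = "constructed-session-csrf-token"
    legit = Request("POST", "/api/graphql",
                    {"Origin": INSTANCE_ORIGIN, "Sec-Fetch-Site": "same-origin",
                     "Content-Type": "application/json",
                     "X-CSRF-Token": session_token},
                    cookies={SESSION_COOKIE: "abc"})
    forged = Request("POST", "/api/graphql",
                     {"Origin": "https://attacker.example",
                      "Sec-Fetch-Site": "cross-site",
                      "Content-Type": "text/plain"},
                     cookies={SESSION_COOKIE: "abc"})
    return csrf_verdict(legit, session_token), csrf_verdict(forged, session_token)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The checks are layered on purpose: the Sec-Fetch-Site and Origin checks stop the common case without any server-side state, the content-type check removes the form-POST vector, and the synchronizer token covers clients that send none of the fetch metadata. Dropping any one of them for the API path is how an endpoint ends up with weaker protection than the forms next to it.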
