Platform: gitlab
Component: gitlab
Fixed in: 18.8.7, 18.9.3, 18.10.1
CVE-2026-3857 is a Cross-Site Request Forgery (CSRF) vulnerability discovered in GitLab Community Edition (CE) and Enterprise Edition (EE). This flaw allows an unauthenticated attacker to cause arbitrary GraphQL mutations to be executed in the context of an authenticated user's session, potentially leading to unauthorized data modification or access. The vulnerability affects GitLab versions from 17.10 up to, but not including, 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1. A fix is available in version 18.10.1.
The impact of CVE-2026-3857 is significant because an unauthenticated attacker can manipulate GitLab's GraphQL API. Attackers could leverage this to modify project settings, alter user permissions, create or delete projects, or even execute arbitrary code within the GitLab environment, depending on the permissions of the targeted authenticated user. Successful exploitation could result in data breaches, unauthorized access to sensitive information, and complete compromise of GitLab instances. The GraphQL API's flexibility makes it a powerful attack vector, allowing for a wide range of malicious actions. While exploitation requires a victim who is logged in to the GitLab instance, the attacker does not need an account or credentials of their own.
CVE-2026-3857 was published on March 25, 2026. Currently, there are no publicly known active campaigns exploiting this vulnerability. No evidence of exploitation on KEV or EPSS is available at this time. The CVSS score of 8.1 (HIGH) indicates a significant potential for exploitation if left unaddressed. Refer to the official GitLab security advisory for further details and context.
Exploit Status
EPSS: 0.01% (1st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-3857 is to immediately upgrade GitLab to version 18.10.1 or later. If upgrading is not immediately feasible, consider implementing stricter CSRF protection measures at the web application firewall (WAF) level. Specifically, configure your WAF to enforce stricter token validation and origin checks for GraphQL requests. Additionally, review and restrict the permissions granted to users within GitLab to minimize the potential impact of a successful attack. After upgrading, confirm the fix by attempting to trigger a GraphQL mutation as an unauthenticated user; the request should be rejected with an authentication error.
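As an added example (not GitLab's own code, nor any WAF vendor's rule syntax), the origin check that the interim mitigation describes, modelled as a decision function a WAF would apply to requests for the GraphQL endpoint. The instance URL `https://gitlab.example.com` and the sample headers are assumptions constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit

GRAPHQL_PATH = "/api/graphql"
ALLOWED_ORIGINS = {"https://gitlab.example.com"}  # assumed instance URL
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}          # mutations are sent as POST

# Constructed sample requests (not captured traffic).
SAME_ORIGIN = {"Cookie": "_gitlab_session=sample",
               "Origin": "https://gitlab.example.com",
               "Content-Type": "application/json"}
FORGED = {"Cookie": "_gitlab_session=sample",
          "Origin": "https://attacker.example",
          "Content-Type": "text/plain"}


def _origin_of(url: str) -> Optional[str]:
    """scheme://host[:port] of an absolute http(s) URL, else None."""
    p = urlsplit(url.strip())
    if p.scheme not in ("http", "https") or not p.netloc:
        return None
    return f"{p.scheme}://{p.netloc}".lower()


def should_block(method: str, path: str, headers: dict) -> bool:
    """True when a request to the GraphQL endpoint should be rejected as likely CSRF.

    Only cookie-authenticated, state-changing requests are gated: token-based API
    clients send no session cookie, so a forged request has no session to ride.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if path.split("?", 1)[0] != GRAPHQL_PATH or method.upper() in SAFE_METHODS:
        return False
    if "cookie" not in h:
        return False
    # Fetch metadata, when the browser sends it, is the most reliable signal.
    # "same-site" is blocked too: a sibling subdomain is not the instance itself.
    site = h.get("sec-fetch-site", "").lower()
    if site in ("same-origin", "none"):
        return False
    if site in ("cross-site", "same-site"):
        return True
    # Otherwise fall back to Origin, then Referer; "null" or no source fails closed.
    origin = h.get("origin")
    if origin is not None:
        return origin.strip().lower() not in ALLOWED_ORIGINS
    referer = h.get("referer")
    if referer is not None:
        return _origin_of(referer) not in ALLOWED_ORIGINS
    return True
```

This is a stop-gap to deploy alongside the upgrade, not a replacement for it; requests that a legitimate same-origin page sends will carry an allowed Origin and pass through unchanged.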
Upgrade GitLab to version 18.8.7, 18.9.3 or 18.10.1, or to a later version that contains the fix for the CSRF vulnerability. This prevents unauthenticated users from executing arbitrary GraphQL mutations on behalf of authenticated users.
CVE-2026-3857 is a Cross-Site Request Forgery (CSRF) vulnerability in GitLab CE/EE allowing unauthenticated users to execute GraphQL mutations on behalf of authenticated users. It impacts versions 17.10–18.10.1 and has a CVSS score of 8.1 (HIGH).
You are affected if you are running GitLab CE or EE versions 17.10 through 18.10.1. Versions prior to 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 are vulnerable.
Upgrade GitLab to version 18.10.1 or later. As a temporary workaround, implement stricter CSRF protection at your WAF and restrict user permissions.
Currently, there are no publicly known active campaigns exploiting CVE-2026-3857. However, the HIGH severity score indicates a potential for exploitation if left unaddressed.
Refer to the official GitLab security advisory for CVE-2026-3857 on the GitLab security page: [https://gitlab.com/security/advisories/](https://gitlab.com/security/advisories/)