Cette page n'a pas encore été traduite dans votre langue. Affichage du contenu en anglais pendant que nous y travaillons.

💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.

MEDIUMCVE-2026-4527CVSS 6.5

CVE-2026-4527: CSRF in GitLab Allows Unauthorized Jira Subscriptions

Plateforme

gitlab

Composant

gitlab

Corrigé dans

18.11.3

Voir sur NVD

Sauvegarder

Traduction vers votre langue…

CVE-2026-4527 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in GitLab Community Edition (CE) and Enterprise Edition (EE). This flaw allows an unauthenticated attacker to create unauthorized Jira subscriptions for a targeted user's namespace by exploiting a lack of CSRF protection. The vulnerability impacts GitLab versions from 11.10.0 through 18.11.3, with a fix available in version 18.11.3.

Impact et Scénarios d'Attaquetraduction en cours…

The primary impact of CVE-2026-4527 is the potential for unauthorized Jira subscriptions to be created within a GitLab instance. An attacker could craft a malicious link and, if a targeted user clicks it, automatically subscribe that user's namespace to a Jira instance controlled by the attacker. This could lead to sensitive data being inadvertently shared with the attacker's Jira system, potentially exposing project information, code, and other confidential details. While the vulnerability requires user interaction (clicking a malicious link), the lack of authentication needed to trigger the subscription significantly broadens the attack surface. This is similar to other CSRF vulnerabilities where user actions are leveraged to perform unauthorized operations.

Contexte d'Exploitationtraduction en cours…

CVE-2026-4527 was published on May 14, 2026. Its severity is rated as MEDIUM (CVSS 6.5). No public Proof-of-Concept (POC) exploits have been identified at the time of writing. There are no indications of active campaigns targeting this vulnerability. Monitor GitLab security advisories and CISA alerts for any updates regarding exploitation attempts.

Renseignement sur les Menaces

Statut de l'Exploit

Preuve de ConceptInconnu

CISA KEVNO

Exposition InternetÉlevée

CISA SSVC

Exploitationnone

Automatisableno

Impact Techniquepartial

Vecteur CVSS

Que signifient ces métriques?

Attack Vector: Réseau — exploitable à distance via internet. Aucun accès physique ou local requis.
Attack Complexity: Faible — aucune condition spéciale requise. Exploitable de manière fiable.
Privileges Required: Aucun — sans authentification. Aucune identifiant requis pour exploiter.
User Interaction: Requise — la victime doit ouvrir un fichier, cliquer sur un lien ou visiter une page.
Scope: Inchangé — impact limité au composant vulnérable.
Confidentiality: Élevé — perte totale de confidentialité. L'attaquant peut lire toutes les données.
Integrity: Aucun — aucun impact sur l'intégrité.
Availability: Aucun — aucun impact sur la disponibilité.

Logiciel Affecté

Composantgitlab

FournisseurGitLab

Version minimale11.10.0

Version maximale18.11.3

Corrigé dans18.11.3

Classification de Faiblesse (CWE)

CWE-352

Chronologie

Réservé2026-03-20
Publiée2026-05-14

Mitigation et Contournementstraduction en cours…

The primary mitigation for CVE-2026-4527 is to upgrade GitLab to version 18.11.3 or later. This version includes the necessary CSRF protection to prevent unauthorized Jira subscriptions. If immediate upgrading is not possible, consider implementing a Web Application Firewall (WAF) rule to block requests containing the vulnerable Jira subscription endpoint. Carefully review user permissions and access controls within GitLab to minimize the potential impact if the vulnerability is exploited before patching. There are no specific rollback steps beyond reverting to a previous, patched GitLab version.

Comment corrigertraduction en cours…

Actualice GitLab a la versión 18.9.7 o posterior, 18.10.6 o posterior, o 18.11.3 o posterior para mitigar la vulnerabilidad CSRF. Esta actualización corrige la falta de protección CSRF que permitía la creación de suscripciones de Jira no autorizadas.

Questions fréquentestraduction en cours…

What is CVE-2026-4527 — CSRF in GitLab?

CVE-2026-4527 is a Cross-Site Request Forgery (CSRF) vulnerability in GitLab CE/EE allowing unauthenticated users to create unauthorized Jira subscriptions for a targeted user's namespace.

Am I affected by CVE-2026-4527 in GitLab?

You are affected if you are running GitLab CE or EE versions 11.10.0 through 18.11.3. Upgrade to version 18.11.3 or later to resolve the issue.

How do I fix CVE-2026-4527 in GitLab?

Upgrade GitLab to version 18.11.3 or later. As a temporary workaround, implement a WAF rule to block requests to the vulnerable Jira subscription endpoint.

Is CVE-2026-4527 being actively exploited?

There are currently no indications of active exploitation campaigns targeting CVE-2026-4527, but continuous monitoring is recommended.

Where can I find the official GitLab advisory for CVE-2026-4527?

Refer to the official GitLab security advisory for CVE-2026-4527 on the GitLab blog: [https://about.gitlab.com/security/advisories/](https://about.gitlab.com/security/advisories/)

Ton projet est-il affecté ?

Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.

Scanner gratuitement Rechercher des CVE

en directfree scan

Essayez maintenant — sans compte

scanZone.subtitle

Scan manuelSlack/email alertsContinuous monitoringWhite-label reports

Glissez-déposez votre fichier de dépendances

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...

Parcourir les fichiers