Fixed versions: 18.8.7, 18.9.3, 18.10.1
CVE-2026-3857 is a Cross-Site Request Forgery (CSRF) vulnerability discovered in GitLab Community Edition (CE) and Enterprise Edition (EE). This flaw allows an unauthenticated attacker to execute arbitrary GraphQL mutations, potentially leading to unauthorized data modification or access. The vulnerability affects GitLab versions from 17.10 up to, but not including, 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1. A fix is available in version 18.10.1.
The impact of CVE-2026-3857 is significant because an unauthenticated attacker can drive GitLab's GraphQL API through the browser session of a logged-in victim. Depending on the permissions of the targeted authenticated user, an attacker could modify project settings, alter user permissions, create or delete projects, or even execute arbitrary code within the GitLab environment. Successful exploitation could result in data breaches, unauthorized access to sensitive information, and complete compromise of GitLab instances. The flexibility of the GraphQL API makes it a powerful attack vector, allowing a wide range of malicious actions. While exploitation requires a victim with an authenticated GitLab session, the attacker does not need credentials of their own.
CVE-2026-3857 was published on March 25, 2026. Currently, there are no publicly known active campaigns exploiting this vulnerability. It is not listed in CISA's KEV catalog, and its EPSS score does not indicate exploitation activity at this time. The CVSS score of 8.1 (HIGH) indicates a significant potential for exploitation if left unaddressed. Refer to the official GitLab security advisory for further details and context.
Exploitation status
EPSS: 0.01% (1st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3857 is to immediately upgrade GitLab to version 18.10.1 or later. If upgrading is not immediately feasible, consider implementing stricter CSRF protection measures at the web application firewall (WAF) level. Specifically, configure your WAF to enforce stricter token validation and origin checks for GraphQL requests. Additionally, review and restrict the permissions granted to users within GitLab to minimize the potential impact of a successful attack. After upgrading, confirm the fix by attempting to trigger a GraphQL mutation as an unauthenticated user; the request should be rejected with an authentication error.
Update GitLab to version 18.8.7, 18.9.3, or 18.10.1 or later, or to any subsequent version that includes the fix for this CSRF vulnerability. This prevents unauthenticated users from executing arbitrary GraphQL mutations in the name of authenticated users.
CVE-2026-3857 is a Cross-Site Request Forgery (CSRF) vulnerability in GitLab CE/EE that allows unauthenticated users to execute GraphQL mutations on behalf of authenticated users. It affects versions from 17.10 up to, but not including, the fixed releases (18.8.7, 18.9.3 and 18.10.1) and has a CVSS score of 8.1 (HIGH).
You are affected if you are running GitLab CE or EE in the 17.10 to 18.10 range without the fix: versions from 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 are vulnerable.
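As an added example (not code from the advisory or from GitLab), a small Python check that tests a GitLab version string against the affected ranges stated above, which is handy when triaging an inventory of instances. Stripping an edition suffix such as `-ee` from the version string is an assumption about how the version is reported.

```python
"""Check whether a GitLab version falls inside the ranges affected by CVE-2026-3857."""
from typing import List, Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated in the advisory, as [first affected, fixed) per release line.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((17, 10, 0), (18, 8, 7)),   # 17.10 up to, but not including, 18.8.7
    ((18, 9, 0), (18, 9, 3)),    # 18.9 before 18.9.3
    ((18, 10, 0), (18, 10, 1)),  # 18.10 before 18.10.1
]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' into a tuple; an edition suffix like '-ee' is dropped (assumption)."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True if the version lies in any affected range; fixed releases and later are not affected."""
    v = parse_version(version)
    return any(start <= v < fixed for start, fixed in AFFECTED_RANGES)


def minimum_fixed_version(version: str) -> str:
    """Smallest fixed release on the same line for an affected version, else the version itself."""
    v = parse_version(version)
    for start, fixed in AFFECTED_RANGES:
        if start <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return version


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("git-a", "18.8.6-ee"), ("git-b", "18.9.3"), ("git-c", "18.10.0")]:
        state = "AFFECTED -> upgrade to " + minimum_fixed_version(ver) if is_affected(ver) else "ok"
        print(f"{host}: {ver}: {state}")
```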
Upgrade GitLab to version 18.10.1 or later. As a temporary workaround, implement stricter CSRF protection at your WAF and restrict user permissions.
Currently, there are no publicly known active campaigns exploiting CVE-2026-3857. However, the HIGH severity score indicates a potential for exploitation if left unaddressed.
Refer to the official GitLab security advisory for CVE-2026-3857 on the GitLab security page: [https://gitlab.com/security/advisories/](https://gitlab.com/security/advisories/)