Esta página ainda não foi traduzida para o seu idioma. Exibindo conteúdo em inglês enquanto trabalhamos nisso.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-4527: CSRF in GitLab Allows Unauthorized Jira Subscriptions
Plataforma
gitlab
Componente
gitlab
Corrigido em
18.11.3
CVE-2026-4527 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in GitLab Community Edition (CE) and Enterprise Edition (EE). This flaw allows an unauthenticated attacker to create unauthorized Jira subscriptions for a targeted user's namespace by exploiting a lack of CSRF protection. The vulnerability impacts GitLab versions from 11.10.0 through 18.11.3, with a fix available in version 18.11.3.
Impacto e Cenários de Ataquetraduzindo…
The primary impact of CVE-2026-4527 is the potential for unauthorized Jira subscriptions to be created within a GitLab instance. An attacker could craft a malicious link and, if a targeted user clicks it, automatically subscribe that user's namespace to a Jira instance controlled by the attacker. This could lead to sensitive data being inadvertently shared with the attacker's Jira system, potentially exposing project information, code, and other confidential details. While the vulnerability requires user interaction (clicking a malicious link), the lack of authentication needed to trigger the subscription significantly broadens the attack surface. This is similar to other CSRF vulnerabilities where user actions are leveraged to perform unauthorized operations.
Contexto de Exploraçãotraduzindo…
CVE-2026-4527 was published on May 14, 2026. Its severity is rated as MEDIUM (CVSS 6.5). No public Proof-of-Concept (POC) exploits have been identified at the time of writing. There are no indications of active campaigns targeting this vulnerability. Monitor GitLab security advisories and CISA alerts for any updates regarding exploitation attempts.
Inteligência de Ameaças
Status do Exploit
CISA SSVC
Vetor CVSS
O que significam essas métricas?
- Attack Vector
- Rede — explorável remotamente pela internet. Sem acesso físico ou local necessário.
- Attack Complexity
- Baixa — sem condições especiais. O atacante pode explorar de forma confiável.
- Privileges Required
- Nenhum — sem autenticação necessária para explorar.
- User Interaction
- Necessária — a vítima deve abrir um arquivo, clicar em um link ou visitar uma página.
- Scope
- Inalterado — impacto limitado ao componente vulnerável.
- Confidentiality
- Alto — perda total de confidencialidade. O atacante pode ler todos os dados.
- Integrity
- Nenhum — sem impacto na integridade.
- Availability
- Nenhum — sem impacto na disponibilidade.
Software Afetado
Classificação de Fraqueza (CWE)
Linha do tempo
- Reservado
- Publicada
Mitigação e Soluções Alternativastraduzindo…
The primary mitigation for CVE-2026-4527 is to upgrade GitLab to version 18.11.3 or later. This version includes the necessary CSRF protection to prevent unauthorized Jira subscriptions. If immediate upgrading is not possible, consider implementing a Web Application Firewall (WAF) rule to block requests containing the vulnerable Jira subscription endpoint. Carefully review user permissions and access controls within GitLab to minimize the potential impact if the vulnerability is exploited before patching. There are no specific rollback steps beyond reverting to a previous, patched GitLab version.
Como corrigirtraduzindo…
Actualice GitLab a la versión 18.9.7 o posterior, 18.10.6 o posterior, o 18.11.3 o posterior para mitigar la vulnerabilidad CSRF. Esta actualización corrige la falta de protección CSRF que permitía la creación de suscripciones de Jira no autorizadas.
Perguntas frequentestraduzindo…
What is CVE-2026-4527 — CSRF in GitLab?
CVE-2026-4527 is a Cross-Site Request Forgery (CSRF) vulnerability in GitLab CE/EE allowing unauthenticated users to create unauthorized Jira subscriptions for a targeted user's namespace.
Am I affected by CVE-2026-4527 in GitLab?
You are affected if you are running GitLab CE or EE versions 11.10.0 through 18.11.3. Upgrade to version 18.11.3 or later to resolve the issue.
How do I fix CVE-2026-4527 in GitLab?
Upgrade GitLab to version 18.11.3 or later. As a temporary workaround, implement a WAF rule to block requests to the vulnerable Jira subscription endpoint.
Is CVE-2026-4527 being actively exploited?
There are currently no indications of active exploitation campaigns targeting CVE-2026-4527, but continuous monitoring is recommended.
Where can I find the official GitLab advisory for CVE-2026-4527?
Refer to the official GitLab security advisory for CVE-2026-4527 on the GitLab blog: [https://about.gitlab.com/security/advisories/](https://about.gitlab.com/security/advisories/)
Seu projeto está afetado?
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Experimente agora — sem conta
Faça upload de qualquer manifesto (composer.lock, package-lock.json, lista de plugins WordPress…) ou cole sua lista de componentes. Receba um relatório de vulnerabilidades instantaneamente. Fazer upload de um arquivo é só o começo: com uma conta, você obtém monitoramento contínuo, alertas por Slack/email, relatórios multiprojeto e white-label.
Arraste e solte seu arquivo de dependências
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...