Fixed versions: 18.8.7, 18.9.3, 18.10.1
CVE-2026-3857 is a Cross-Site Request Forgery (CSRF) vulnerability discovered in GitLab Community Edition (CE) and Enterprise Edition (EE). This flaw allows an unauthenticated attacker to execute arbitrary GraphQL mutations, potentially leading to unauthorized data modification or access. The vulnerability affects GitLab versions from 17.10 up to, but not including, 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1. A fix is available in version 18.10.1.
The impact of CVE-2026-3857 is significant due to the ability of an unauthenticated attacker to manipulate GitLab's GraphQL API. Attackers could leverage this to modify project settings, alter user permissions, create or delete projects, or even execute arbitrary code within the GitLab environment, depending on the permissions of the targeted authenticated user. Successful exploitation could result in data breaches, unauthorized access to sensitive information, and complete compromise of GitLab instances. The GraphQL API's flexibility makes it a powerful attack vector, allowing for a wide range of malicious actions. While the vulnerability requires an authenticated user to be present, the attacker does not need to authenticate themselves.
CVE-2026-3857 was published on March 25, 2026. Currently, there are no publicly known active campaigns exploiting this vulnerability. It is not listed in the CISA KEV catalogue, and EPSS shows no evidence of exploitation at this time. The CVSS score of 8.1 (HIGH) indicates a significant potential for exploitation if left unaddressed. Refer to the official GitLab security advisory for further details and context.
Exploitation status
EPSS: 0.01% (1st percentile)
The primary mitigation for CVE-2026-3857 is to immediately upgrade GitLab to version 18.10.1 or later. If upgrading is not immediately feasible, consider implementing stricter CSRF protection measures at the web application firewall (WAF) level. Specifically, configure your WAF to enforce stricter token validation and origin checks for GraphQL requests. Additionally, review and restrict the permissions granted to users within GitLab to minimize the potential impact of a successful attack. After upgrading, confirm the fix by attempting to trigger a GraphQL mutation as an unauthenticated user; the request should be rejected with an authentication error.
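A minimal version of the WAF-side check described above, added here as an illustration and not code from GitLab or this advisory: read-only GraphQL queries pass through, while mutations must carry a CSRF token matching the session's and an Origin (or Referer) on the allow-list. The site origin, header name and token values are assumed.

```python
"""Reverse-proxy / WAF-style CSRF gate for a GraphQL endpoint (constructed example)."""
import hmac
import json
import re
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://gitlab.example.com"}  # assumed site origin
_MUTATION_RE = re.compile(r"^\s*mutation\b", re.IGNORECASE)


def is_mutation(body: str) -> bool:
    """True when the JSON body's 'query' text starts with 'mutation'.
    Simplification: a document with several operations is not split here."""
    try:
        query = json.loads(body).get("query", "")
    except (ValueError, AttributeError):
        return False
    return bool(_MUTATION_RE.match(query))


def _origin_of(headers: Dict[str, str]) -> Optional[str]:
    """Prefer the Origin header; fall back to scheme://host of Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    ref = headers.get("Referer")
    if ref:
        parts = urlsplit(ref)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def gate(headers: Dict[str, str], body: str, session_csrf_token: str) -> Tuple[bool, str]:
    """Decide whether to forward a POST /api/graphql request upstream.

    Returns (allowed, reason). A cross-site page cannot read the session's
    CSRF token, so a forged mutation fails the token check even if the
    browser attaches the victim's cookies; the origin check is defence in depth.
    """
    if not is_mutation(body):
        return True, "query"
    presented = headers.get("X-CSRF-Token", "")  # assumed header name
    if not hmac.compare_digest(presented.encode(), session_csrf_token.encode()):
        return False, "csrf-token-mismatch"
    origin = _origin_of(headers)
    if origin is None or origin not in ALLOWED_ORIGINS:
        return False, "origin-not-allowed"
    return True, "mutation-ok"
```

Log the reason string for every denied request; a burst of `csrf-token-mismatch` on mutations from browser user agents is the signal a defender would watch for while the upgrade is pending.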
Update GitLab to version 18.8.7, 18.9.3 or 18.10.1, or a later version that includes the CSRF fix. This prevents unauthenticated users from executing arbitrary GraphQL mutations on behalf of authenticated users.
CVE-2026-3857 is a Cross-Site Request Forgery (CSRF) vulnerability in GitLab CE/EE allowing unauthenticated users to execute GraphQL mutations on behalf of authenticated users. It impacts versions 17.10–18.10.1 and has a CVSS score of 8.1 (HIGH).
You are affected if you are running GitLab CE or EE versions 17.10 through 18.10.1. Versions prior to 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 are vulnerable.
Upgrade GitLab to version 18.10.1 or later. As a temporary workaround, implement stricter CSRF protection at your WAF and restrict user permissions.
Currently, there are no publicly known active campaigns exploiting CVE-2026-3857. However, the HIGH severity score indicates a potential for exploitation if left unaddressed.
Refer to the official GitLab security advisory for CVE-2026-3857 on the GitLab security page: [https://gitlab.com/security/advisories/](https://gitlab.com/security/advisories/)