
CISA warns of five-year-old GitLab flaw exploited in attacks

Jasper_The_Rasper
Moderator

February 4, 2026 By Sergiu Gatlan

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to patch their systems against a five-year-old GitLab vulnerability that is actively being exploited in attacks.

GitLab patched this server-side request forgery (SSRF) flaw (tracked as CVE-2021-39935) in December 2021, saying it could allow unauthenticated attackers with no privileges to access the CI Lint API, which is used to simulate pipelines and validate CI/CD configurations.

"When user registration is limited, external users that aren't developers shouldn't have access to the CI Lint API," the company said at the time.

"An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API."
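
A quick way for defenders to turn the quoted version ranges into an inventory check. This is an added example, not code from the article or from GitLab; the affected ranges are taken verbatim from the advisory text above, and the hostnames and version strings in the sample inventory are constructed.

```python
"""Flag GitLab instances whose version falls in the ranges CVE-2021-39935
affects (added example; ranges taken from the quoted advisory text:
10.5 <= v < 14.3.6, 14.4 <= v < 14.4.4, 14.5 <= v < 14.5.2)."""
import re

# (first affected, first fixed) pairs, from the quoted advisory text.
AFFECTED_RANGES = [
    ((10, 5, 0), (14, 3, 6)),
    ((14, 4, 0), (14, 4, 4)),
    ((14, 5, 0), (14, 5, 2)),
]


def parse_version(text):
    """Turn '14.4.3-ee', 'v14.4' or '14.5.2-ce.0' into a (major, minor, patch)
    tuple. Edition suffixes and build metadata are dropped because the
    advisory expresses its ranges on the numeric part only."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text):
    """True when the version sits inside one of the affected ranges
    (lower bound inclusive, fixed release exclusive)."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def check_inventory(lines):
    """Given 'hostname version' lines (e.g. an asset inventory export),
    return the hostnames still running an affected release."""
    hits = []
    for line in lines:
        host, _, ver = line.strip().partition(" ")
        if host and ver and is_affected(ver):
            hits.append(host)
    return hits


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    SAMPLE = ["git-a.example.internal 14.3.5-ee",
              "git-b.example.internal 14.5.2-ce.0",
              "git-c.example.internal 16.0.1",
              "git-d.example.internal 14.4.3"]
    print(check_inventory(SAMPLE))  # ['git-a.example.internal', 'git-d.example.internal']
```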