CVE-2026-9204
MEDIUM 5.3GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to read arbitrary files from the Gitaly server and access internal network resources during repository import, due to insufficient validation of secondary URLs.
NO EXPLOITATION SIGNALS
No known exploitation, public exploit, or elevated probability at this time. Track for changes.
Exploitation likelihood
0.2%chance of exploitation in 30 days · 16th percentile
○ In CISA KEV
○ Public exploit / PoC
Impact if exploited
5.3CVSS 3.1 · MEDIUM
- ConfidentialityHigh
- IntegrityNone
- AvailabilityNone
What an attacker needs
- ✓Access: Reachable over the network — no local access needed
- ⚠Privileges: Requires a low-privilege account
- ✓User interaction: No user interaction needed
- ⚠Complexity: Needs a race window or specific setup
✓ lowers the bar for an attacker · ⚠ raises it
Weakness (CWE)
- CWE-918: Server-side request forgery (SSRF)
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N