The flaw was reported by the researcher last December to GitLab, followed by a temporary fix in...

Continue reading
GitLab, a programming code-share platform, reportedly patched the SSRF (server-side request forgery) flaw in its software library after getting identified by the security researcher.
According to the security researcher referred to as Vin01 the GitLab’s CI Lint API, a library associated with code handling and managing developer workflows, was found to be vulnerable.
SSRF is an infamous class of web security vulnerability that allows threat actors to exploit a vulnerable server to establish a connection to internal services of the infrastructure within an organization.
This discovery of the flaw was reported by the researcher last December to GitLab, followed by a temporary fix in February. Earlier this month, GitLab released a more detailed patch that allowed Vin01 to post a detailed technical report on the results.
Furthermore, the compromised CI Lint API is leveraged to authorize CI/CD YAML configuration GitLab cases. A flaw in the innovation, whenever left unaddressed, made methods for lowlifes to take delicate information, for example, passwords and cloud service credentials.
>“Installations which had a particular configuration in place to allow internal network requests from GitLab were vulnerable to server-side request forgery (SSRF), where an attacker could have sent a request to internal servers by jumping from the public-facing GitLab servers.
>“These internal servers are usually not exposed to the internet as they are only meant to be used internally and may contain sensitive information like passwords, API keys, cloud service credentials, which could have been stolen as a result of this vulnerability.”
The vulnerability is compounded by the fact that public GitLab servers are fairly common and do not require authentication to use them. These vulnerabilities have been identified as CVE-2021-22175 and CVE-2021-22214
>“In my research, I saw hundreds of vulnerable GitLab servers including but not limited to many open source projects, government departments and universities which use GitLab for hosting their code and integrate it with their infrastructure,” Vin01 further stated.
Besides, Vin01 has also executed a test by accumulating a small script just to check if a GitLab server remains to be vulnerable, available on GitHub.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.