CVE-2026-12635
Received Received - Intake
Authenticated Request Forgery in GitLab CE/EE via Mirror Synchronization

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitLab Inc.

Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with maintainer-role permissions to make requests to internal network resources through mirror synchronization due to improper URL validation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-12635
EUVD
EUVD-2026-39168
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
gitlab gitlab_ce From 8.3 (inc) to 18.11.6 (exc)
gitlab gitlab_ee From 8.3 (inc) to 18.11.6 (exc)
gitlab gitlab_ce From 19.0 (inc) to 19.0.3 (exc)
gitlab gitlab_ee From 19.0 (inc) to 19.0.3 (exc)
gitlab gitlab_ce From 19.1 (inc) to 19.1.1 (exc)
gitlab gitlab_ee From 19.1 (inc) to 19.1.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-350 The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in GitLab CE/EE affects versions from 8.3 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1. It allows an authenticated user with maintainer-role permissions to make requests to internal network resources through mirror synchronization due to improper URL validation.

Impact Analysis

An authenticated maintainer could exploit this vulnerability to send requests to internal network resources that are normally inaccessible, potentially exposing internal services or data that should be protected.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade GitLab CE/EE to a fixed version. Specifically, update to at least version 18.11.6 if you are using any version from 8.3 before 18.11.6, version 19.0.3 if you are using 19.0 before 19.0.3, or version 19.1.1 if you are using 19.1 before 19.1.1.

This vulnerability affects authenticated users with maintainer-role permissions who could exploit improper URL validation to make requests to internal network resources through mirror synchronization. Ensuring your GitLab instance is updated will prevent this issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12635. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart