Server-Side Request Forgery (SSRF) in GitLab Community Edition and GitLab Enterprise Edition - CVE-2026-9204

Published: June 11, 2026


Vulnerability identifier: #VU134377
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-9204
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: GitLab, Inc
Affected software:
GitLab Community Edition
GitLab Enterprise Edition

Detailed vulnerability description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to server-side request forgery (SSRF) in Gitaly repository import: secondary URLs supplied for the import are not validated strictly enough before the server fetches them. A remote user can supply crafted secondary URLs to gain access to sensitive information.

The issue may allow reading arbitrary files from the Gitaly server and accessing internal network resources during repository import.
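The two impacts above map onto two checks an import-URL validator must make: refuse every scheme other than http(s) (closing the local-file read) and refuse hosts that resolve to the server's own or internal address space (closing the internal network reach). The following Go snippet is an added illustration of such a validator; it is not GitLab's or Gitaly's own code, and the resolver is injected (a hypothetical `resolve` callback) so the check runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// isInternal reports whether an address points at the server itself or at
// a network an import fetch should never reach.
func isInternal(ip net.IP) bool {
	return ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast()
}

// ValidateImportURL accepts only http(s) URLs whose host resolves solely to
// public addresses. resolve is a hypothetical lookup hook (assumed, for testing).
func ValidateImportURL(raw string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	// Rejecting every non-HTTP scheme closes the file:// path that would
	// otherwise let the import read files from the server's own filesystem.
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed for import", u.Scheme)
	}
	host := u.Hostname() // strips port and IPv6 brackets
	if host == "" {
		return errors.New("import URL has no host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: no lookup needed
	} else if ips, err = resolve(host); err != nil {
		return err
	}
	if len(ips) == 0 {
		return fmt.Errorf("host %q did not resolve", host)
	}
	// One internal answer among the resolved addresses is enough to refuse.
	for _, ip := range ips {
		if isInternal(ip) {
			return fmt.Errorf("host %q resolves to internal address %s", host, ip)
		}
	}
	return nil
}
```

The same check has to be re-applied to every redirect target and the resolved address pinned for the actual fetch, otherwise a redirect or a DNS answer that changes between validation and fetch bypasses it.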


How to mitigate CVE-2026-9204

Install the security update from the vendor's website.

Sources