The Cybersecurity and Infrastructure Security Agency (CISA) has warned that a GitLab vulnerability patched in late 2021 is now being actively exploited and has ordered U.S. federal agencies to patch affected systems immediately.
The flaw, tracked as CVE-2021-39935, is a server-side request forgery (SSRF) vulnerability in GitLab. Although GitLab fixed the issue in December 2021, CISA says attackers are now abusing it in real-world attacks. The bug lets an unauthenticated attacker reach the CI Lint API and use it to make the GitLab server issue requests on the attacker's behalf, including to internal services that are not reachable from the internet. Because no login is required, any unpatched instance whose API is exposed is a candidate target.
CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and ordered all Federal Civilian Executive Branch (FCEB) agencies to apply patches by February 24, 2026, under Binding Operational Directive 22-01. While the directive applies only to federal agencies, CISA strongly urged private organizations to take immediate action as well.
Exposure data suggests the attack surface is large. According to Shodan data, over 49,000 GitLab instances are currently reachable from the internet, many of them located in China, and nearly 27,000 of them are served on the default HTTPS port (443). These figures count exposed instances, not confirmed vulnerable ones; whether a given instance is affected depends on its version and on whether the CI Lint endpoint is reachable without authentication.
GitLab, which has more than 30 million registered users and is used by over half of Fortune 100 companies, including Nvidia, Airbus, Goldman Sachs, and Lockheed Martin, has advised users to update to patched versions or apply mitigations where upgrades are not possible.
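The two questions a defender needs to answer first are whether any GitLab instance in the estate predates the fix, and whether the CI Lint endpoint has been hit by unauthenticated clients. The script below is an added example written for this page; it is not code from the article, from GitLab or from CISA. It assumes the fixed releases were 14.3.6, 14.4.4 and 14.5.2 with an affected range starting at 10.5 (taken from GitLab's December 2021 security release; verify against the advisory before relying on it), that the CI Lint endpoint path is `/api/v4/ci/lint`, and it uses constructed hostnames and constructed log lines shaped like GitLab's `api_json.log` rather than real captures.

```python
"""Added example: triage helpers for CVE-2021-39935 (GitLab CI Lint SSRF).

Not code from the article, GitLab or CISA. Assumptions (verify before use):
  * fixed releases 14.3.6 / 14.4.4 / 14.5.2 and an affected range starting
    at 10.5 (taken from GitLab's December 2021 security release);
  * the CI Lint endpoint path is /api/v4/ci/lint;
  * the sample log lines are constructed in the shape of GitLab's api_json.log.
"""
import json
import re

# Assumed: lowest patched patch-level per maintained branch at the time of the fix.
FIXED_BY_BRANCH = {(14, 3): 6, (14, 4): 4, (14, 5): 2}
FIRST_AFFECTED_BRANCH = (10, 5)  # assumed start of the affected range
OLDEST_FIXED_BRANCH = min(FIXED_BY_BRANCH)
CI_LINT_PATH = "/api/v4/ci/lint"  # assumed endpoint path

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")  # tolerates "-ee"/"-ce" suffixes


def parse_version(text):
    """Turn '14.4.4-ee' into (14, 4, 4); raise on anything unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable GitLab version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version):
    """True if this version predates the fix on its branch.

    Branches older than the oldest fixed branch never received a backport,
    so anything from 10.5 up to 14.2.x is treated as vulnerable.
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch < FIRST_AFFECTED_BRANCH:
        return False
    if branch in FIXED_BY_BRANCH:
        return patch < FIXED_BY_BRANCH[branch]
    return branch < OLDEST_FIXED_BRANCH


def triage_inventory(inventory):
    """Map hostname -> 'VULNERABLE' / 'patched' / 'unknown' for an asset list."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "VULNERABLE" if is_vulnerable(version) else "patched"
        except ValueError:
            result[host] = "unknown"
    return result


def flag_lint_requests(log_lines):
    """Pick POSTs to the CI Lint endpoint out of api_json.log-style lines.

    Each hit records the source IP, HTTP status and whether the request
    carried no authenticated user, which is what an exploitation attempt
    against an unpatched instance would look like.
    """
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON noise is skipped, not treated as a hit
        if rec.get("method") == "POST" and rec.get("path") == CI_LINT_PATH:
            hits.append({
                "remote_ip": rec.get("remote_ip"),
                "status": rec.get("status"),
                "unauthenticated": rec.get("username") in (None, ""),
            })
    return hits


# Constructed sample data: invented hostnames and log lines, not real captures.
SAMPLE_INVENTORY = {
    "git-old.example.internal": "14.2.9",
    "git-ee.example.internal": "14.4.4-ee",
    "git-lab.example.internal": "14.5.1",
    "git-new.example.internal": "16.3.0",
    "git-odd.example.internal": "unknown",
}

SAMPLE_API_LOG = """
{"time":"2026-02-10T08:00:01Z","method":"GET","path":"/api/v4/projects","status":200,"remote_ip":"10.0.0.5","username":"alice"}
{"time":"2026-02-10T08:00:02Z","method":"POST","path":"/api/v4/ci/lint","status":200,"remote_ip":"203.0.113.9","username":null}
{"time":"2026-02-10T08:00:03Z","method":"POST","path":"/api/v4/ci/lint","status":200,"remote_ip":"10.0.0.7","username":"bob"}
this line is not JSON and must be skipped
"""

if __name__ == "__main__":
    for host, state in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:32} {SAMPLE_INVENTORY[host]:10} {state}")
    for hit in flag_lint_requests(SAMPLE_API_LOG.splitlines()):
        tag = "UNAUTHENTICATED" if hit["unauthenticated"] else "authenticated"
        print(f"CI Lint POST from {hit['remote_ip']} ({tag}, HTTP {hit['status']})")
```

Point `triage_inventory` at your real asset list and `flag_lint_requests` at the instance's `api_json.log` (after confirming the field names match your GitLab version). An unauthenticated POST to the lint endpoint on a version the first function marks VULNERABLE is the combination worth escalating; authenticated lint calls are normal developer activity.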
CISA warned that SSRF vulnerabilities remain a common entry point for cyber attackers and can pose serious risks to both government and enterprise environments. The alert follows another recent CISA warning about an actively exploited SolarWinds Web Help Desk vulnerability, underscoring growing concerns over unpatched legacy flaws being weaponized.