Mallory
Severity: High

CSRF in GitLab GraphQL API

Identifiers: CVE-2026-4922; CWE-352 (Cross-Site Request Forgery (CSRF))

CVE-2026-4922 is a cross-site request forgery vulnerability in GitLab CE/EE affecting the GraphQL API, specifically the /api/graphql endpoint. According to the provided content, affected versions are all releases from 17.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1. The issue is caused by insufficient CSRF protection on GraphQL mutation requests: the endpoint accepted state-changing mutation operations using a victim’s valid session cookies without properly enforcing anti-forgery validation or origin checks. As a result, an unauthenticated attacker could induce an authenticated GitLab user to load a malicious page and thereby cause GraphQL mutations to execute under that user’s identity.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthorized state-changing GraphQL operations to be performed with the victim user’s privileges. Based on the provided content, this can include modifying repository settings, altering project configuration, updating account details, or performing other writable GraphQL actions permitted to the authenticated victim. The provided CVSS information indicates high confidentiality and high integrity impact, with no direct availability impact. Confidentiality impact may also arise where mutation responses expose sensitive data to the attacker-controlled workflow.

Mitigation

If you can’t patch tonight, do this now.

No specific vendor-documented temporary workaround is provided in the supplied content. Until patching is completed, exposure can only be reduced operationally: minimize the opportunities for authenticated users to be induced to visit attacker-controlled content, restrict who can reach the instance where feasible, and monitor for suspicious GraphQL mutation activity (for example, mutations arriving with a cross-site Origin or Referer). Definitive mitigation is to apply the vendor patches.

Remediation

Patch, then assume compromise.

Upgrade GitLab CE/EE to a fixed release. The provided content states that GitLab remediated the issue in 18.9.6, 18.10.4, and 18.11.1. Self-managed installations running affected versions should be upgraded to the appropriate patched version. The patch strengthens request-origin verification and rejects mutation requests that do not satisfy anti-forgery validation. The content also notes that patch releases may include database migrations, which can cause downtime on single-node deployments; multi-node deployments can follow GitLab zero-downtime upgrade procedures.
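The kind of check the fix describes, shown as an added illustration that is not GitLab's code: a cookie-authenticated mutation is executed only if its Origin (or Referer) matches the instance and it carries the session-bound anti-forgery token, while requests authenticated by an explicit token are exempt because a third-party page cannot attach them. SITE_ORIGIN, the header names, the request shape and the simplified operation parse are assumptions.

```python
"""CSRF guard for a cookie-authenticated GraphQL endpoint.

Added illustration of the check the fix describes; not GitLab's code.
SITE_ORIGIN, header names and the request shape are assumptions.
"""
import hmac
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://gitlab.example.com"  # assumed origin of the instance
# A document whose first top-level operation is `mutation` is state-changing.
# Shorthand "{ ... }" documents default to queries. (Assumed, simplified parse.)
_FIRST_OP = re.compile(r"^\s*(query|mutation|subscription)\b", re.IGNORECASE)


def is_mutation(document: str) -> bool:
    """True when the GraphQL document's leading operation is a mutation."""
    m = _FIRST_OP.match(document)
    return bool(m) and m.group(1).lower() == "mutation"


def _origin_of(url: str) -> str:
    """Reduce a Referer URL to scheme://host[:port] for comparison."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else ""


def graphql_csrf_guard(request: dict, session_csrf_token: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a POST /api/graphql request may execute.

    request: {"headers": {...}, "cookie_auth": bool, "body": str} (assumed shape).
    Returns (allowed, reason).
    """
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    # Explicit bearer/private tokens are not ambient credentials; a third-party
    # page cannot attach them, so CSRF does not apply.
    if not request.get("cookie_auth"):
        return True, "token-authenticated: CSRF not applicable"
    if not is_mutation(request.get("body", "")):
        return True, "read-only operation"
    # Check 1: browsers send Origin on cross-site POSTs; fall back to Referer.
    # A mutation with neither header is rejected rather than assumed same-site.
    origin = headers.get("origin") or _origin_of(headers.get("referer", ""))
    if origin != SITE_ORIGIN:
        return False, f"origin mismatch: {origin or '<missing>'}"
    # Check 2: the anti-forgery token must match the one bound to the session,
    # compared in constant time.
    token = headers.get("x-csrf-token", "")
    if not session_csrf_token or not hmac.compare_digest(token, session_csrf_token):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```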
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet; no public exploit code has been observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors correlated with this vulnerability (vendor-confirmed product mapping):

Vendor   Product   Type
GitLab   Gitlab    application
