The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued an ultimatum: federal agencies must patch their GitLab instances against a vulnerability that was fixed years ago but is now being actively exploited in real environments. The flaw is an SSRF (Server-Side Request Forgery) vulnerability tracked as CVE-2021-39935, which GitLab originally fixed in December 2021.
In that advisory, GitLab explained that the problem affected the CI Lint API, the endpoint used to validate and simulate CI/CD pipelines, and that under certain configurations, when user registration was restricted, external users without privileges could make the server issue requests on their behalf. The original technical notice is available in GitLab's security advisory of December 2021: GitLab Security Release (06-12-2021), and the details of the CVE can be found in the NVD database: CVE-2021-39935 (NVD).

What has rekindled the alarm is that CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalogue, the list of flaws confirmed to be exploited in the wild, and has imposed a deadline on federal civilian agencies to apply patches: three weeks from the notification, i.e. by 24 February 2026, under Binding Operational Directive BOD 22-01. CISA's message is clear: such vulnerabilities remain a frequent entry point for malicious actors and demand immediate attention. The catalogue entry is available here: CISA - CVE-2021-39935 alert; the public list of exploited vulnerabilities is at: Known Exploited Vulnerabilities Catalog; and the directive that mandates action can be reviewed on CISA's BOD 22-01 page: Binding Operational Directive 22-01.
Beyond the federal sphere, CISA has urged private companies and organizations to prioritize remediation, because the exposure is real and measurable. Shodan, the search engine for Internet-connected devices, shows tens of thousands of instances with a publicly reachable GitLab fingerprint: more than 49,000 results, of which almost 27,000 respond on the default port 443, according to public Shodan searches: GitLab search in Shodan and results on port 443.
It is easy to see why the priority is high: GitLab is a very widespread platform in the software development world. The company reports tens of millions of users and a significant footprint among large enterprises, so a vulnerability in its administration and CI/CD surface has the potential for massive impact. More information about GitLab's presence in the industry is on its corporate site: About GitLab.
What should technical and security leads do? The first step is obvious and urgent: update to the patched versions of GitLab, following the vendor's own instructions. If updating is not immediately possible, applying the official mitigations, restricting access to the exposed APIs and minimizing public exposure are necessary interim measures. It is also advisable to audit logs, rotate any credentials that may have been compromised, and review firewall rules and access controls so that internal services cannot receive forged requests originating from exposed components.
In practice this may mean disabling public access to the CI Lint API where it is not strictly necessary, deploying IP allowlists, enforcing stronger authentication on administrative panels, and monitoring for unusual traffic patterns and pipeline executions. If a team detects suspicious activity and cannot mitigate the flaw, the responsible option is to temporarily take the affected instance out of service while the fix is applied, or to move to a safe alternative.
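The two practical steps above, checking the running version and watching who calls the CI Lint API, can be scripted on the defender's side. The following is an added example written for this article; it is not GitLab's code and not part of the original text. It assumes that GitLab's `api_json.log` lines are JSON objects carrying the fields GitLab documents for that log (`time`, `method`, `path`, `route`, `status`, `remote_ip`, `user_id`, `username`), that the CI Lint endpoints are `/api/v4/ci/lint` and `/api/v4/projects/:id/ci/lint`, and that the caller supplies the first patched version from GitLab's advisory (the version numbers in `main()` are illustrative, not the advisory's). The log lines are constructed sample data, not real traffic.

```python
"""Defender-side triage helpers for a self-hosted GitLab instance.

Constructed example (not GitLab's code). It assumes:
  * api_json.log lines are JSON objects with the fields GitLab documents for
    that log: time, method, path, route, status, remote_ip, user_id, username.
  * The CI Lint endpoints are /api/v4/ci/lint and /api/v4/projects/:id/ci/lint.
  * The minimum patched version is taken from GitLab's advisory by the caller;
    the values used in main() are illustrative placeholders.
"""
import ipaddress
import json
import re
from typing import Iterable

# Route patterns as they appear in api_json.log, plus a raw-path fallback.
CI_LINT_ROUTES = frozenset({
    "/api/:version/ci/lint",
    "/api/:version/projects/:id/ci/lint",
})
CI_LINT_PATH = re.compile(r"^/api/v\d+/(?:projects/[^/]+/)?ci/lint/?$")


def version_tuple(version: str) -> tuple:
    """'14.5.2-ee' -> (14, 5, 2); edition suffixes after '-' are ignored."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def needs_update(current: str, minimum_patched: str) -> bool:
    """True when the running version is older than the first patched release."""
    return version_tuple(current) < version_tuple(minimum_patched)


def _is_ci_lint(rec: dict) -> bool:
    """Match on the logged route first, then on the literal request path."""
    if rec.get("route") in CI_LINT_ROUTES:
        return True
    return bool(CI_LINT_PATH.match(rec.get("path", "")))


def triage_ci_lint(log_lines: Iterable[str], allowlist: Iterable[str]) -> list:
    """Return CI Lint API calls made from outside the IP allowlist or by
    unauthenticated callers. Each finding lists the reasons it was flagged."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowlist]
    findings = []
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not a JSON record; skip instead of aborting the triage
        if not _is_ci_lint(rec):
            continue
        reasons = []
        try:
            src = ipaddress.ip_address(rec.get("remote_ip", ""))
            if not any(src in net for net in nets):
                reasons.append("outside_allowlist")
        except ValueError:
            reasons.append("unparseable_remote_ip")
        if rec.get("user_id") is None:  # GitLab logs null for anonymous calls
            reasons.append("unauthenticated")
        if reasons:
            findings.append({
                "time": rec.get("time"),
                "remote_ip": rec.get("remote_ip"),
                "username": rec.get("username"),
                "path": rec.get("path"),
                "status": rec.get("status"),
                "reasons": reasons,
            })
    return findings


# Constructed sample lines in the api_json.log shape (not real traffic).
SAMPLE_LOG = """
{"time":"2026-02-05T10:01:00.000Z","method":"POST","path":"/api/v4/ci/lint","route":"/api/:version/ci/lint","status":200,"remote_ip":"10.0.5.12","user_id":7,"username":"ci-admin"}
{"time":"2026-02-05T10:02:30.000Z","method":"POST","path":"/api/v4/ci/lint","route":"/api/:version/ci/lint","status":200,"remote_ip":"203.0.113.45","user_id":null,"username":null}
{"time":"2026-02-05T10:02:31.000Z","method":"GET","path":"/api/v4/projects","route":"/api/:version/projects","status":200,"remote_ip":"203.0.113.45","user_id":null,"username":null}
{"time":"2026-02-05T10:05:00.000Z","method":"POST","path":"/api/v4/projects/42/ci/lint","route":"/api/:version/projects/:id/ci/lint","status":200,"remote_ip":"198.51.100.9","user_id":31,"username":"contractor"}
"""
# Constructed allowlist: the networks from which CI Lint calls are expected.
ALLOWLIST = ["10.0.0.0/8", "192.168.1.0/24"]


def main() -> None:
    # Illustrative version pair; replace with the instance's reported version
    # and the first patched release listed in GitLab's advisory.
    if needs_update("14.0.0", "14.1.0"):
        print("instance is below the patched version: update first")
    for finding in triage_ci_lint(SAMPLE_LOG.splitlines(), ALLOWLIST):
        print(finding)


if __name__ == "__main__":
    main()
```

In a real deployment the version string comes from the instance (the `GET /api/v4/version` endpoint reports it to an authenticated user) and the log lines from `api_json.log`; the allowlist should mirror the firewall or reverse-proxy rules so that a call flagged here is also one the network layer should have blocked.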
The appearance of working exploits against a defect patched years ago recalls a classic lesson of cybersecurity: fixes are only effective if they are applied. A patched vulnerability remains dangerous as long as unpatched installations exist. CISA's pressure on federal entities seeks to close that gap, but the responsibility also lies with system administrators and external suppliers to keep their development and continuous delivery environments up to date.

Finally, it is worth placing this episode in a broader context: in the same week, CISA has issued several warnings and ordered patches for other critical flaws exploited in the wild. For security teams this means prioritizing patch management, identifying exposed assets and establishing processes that shorten the time between the publication of a patch and its effective deployment.
If you want to read the official sources cited in this article, here are the main links: GitLab's advisory for the fix (GitLab - Security Release), the CVE record in the NVD (NVD - CVE-2021-39935), the CISA alert that adds the vulnerability to the catalogue (CISA - alert (03-02-2026)), the public list of exploited vulnerabilities (KEV Catalog) and a view of the Shodan exposure (Shodan - GitLab).
The final recommendation is simple: do not assume that an old patch is no longer relevant. If your organization runs GitLab, check your versions and apply the fixes as soon as possible. Industry and government agencies are doing so; now it is up to everyone else.