Threat Feed
high advisory

GitLab GraphQL CSRF Vulnerability (CVE-2026-3857)

CVE-2026-3857 describes a vulnerability in GitLab CE/EE versions 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1, where an unauthenticated user can execute arbitrary GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection, potentially leading to data modification or privilege escalation.

GitLab has addressed a critical security flaw, identified as CVE-2026-3857, within its Community Edition (CE) and Enterprise Edition (EE). This vulnerability impacts GitLab instances running versions 17.10 up to, but not including, 18.8.7; versions 18.9 up to, but not including, 18.9.3; and versions 18.10 up to, but not including, 18.10.1. The core issue lies in insufficient Cross-Site Request Forgery (CSRF) protection when handling GraphQL mutations. An unauthenticated attacker could exploit this by crafting malicious web pages…

Detection coverage (2 rules)

Detect GitLab GraphQL CSRF Attempt via Referer

high

Detects potential CSRF attacks against the GitLab GraphQL endpoint based on Referer header anomalies. A request submitted from an attacker-hosted page would trigger this.

Format: sigma. Tactics: initial_access. Techniques: T1190, T1204.001. Sources: webserver, linux.

Detect GitLab GraphQL CSRF via Missing Referer

medium

Detects potential CSRF attacks against the GitLab GraphQL endpoint based on a missing Referer header. Direct access or script-based requests would trigger this.

Format: sigma. Tactics: initial_access. Techniques: T1190, T1204.001. Sources: webserver, linux.
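As an added example, not part of this advisory or its Sigma rules, the two detection conditions above (foreign Referer origin, missing Referer) expressed in Python and run over constructed nginx-style access-log lines. The GitLab origin, the log format and the sample lines are assumptions; the Referer can also be absent because of a strict Referrer-Policy, which is why that case rates lower.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Assumed GitLab instance origin (hypothetical; set to your own host).
GITLAB_ORIGIN = "https://gitlab.example.internal"
GRAPHQL_PATH = "/api/graphql"

# Constructed sample access-log lines in nginx "combined" format
# (the second-to-last quoted field is the Referer, "-" when absent).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2026:10:01:02 +0000] "POST /api/graphql HTTP/1.1" 200 512 "https://gitlab.example.internal/dashboard" "Mozilla/5.0"
10.0.0.6 - - [12/Mar/2026:10:01:09 +0000] "POST /api/graphql HTTP/1.1" 200 488 "https://other.example/landing.html" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2026:10:01:15 +0000] "POST /api/graphql HTTP/1.1" 200 301 "-" "curl/8.4"
10.0.0.8 - - [12/Mar/2026:10:01:20 +0000] "GET /api/graphql?query=%7B__typename%7D HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify(line: str) -> Optional[dict]:
    """Return an alert dict for a suspicious GraphQL request, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than guess
    ev = m.groupdict()
    # Only POST to the GraphQL endpoint can carry a mutation; ignore the rest.
    if ev["method"] != "POST" or ev["path"].split("?")[0] != GRAPHQL_PATH:
        return None
    referer = ev["referer"]
    if referer in ("", "-"):
        # Missing Referer: direct/scripted access or a header stripped by policy.
        return {"ip": ev["ip"], "severity": "medium", "rule": "missing_referer", "origin": None}
    parsed = urlparse(referer)
    origin = f"{parsed.scheme}://{parsed.netloc}".lower()
    if origin != GITLAB_ORIGIN:
        # Referer from another site: the cross-site submission pattern the high rule targets.
        return {"ip": ev["ip"], "severity": "high", "rule": "foreign_referer", "origin": origin}
    return None  # same-origin Referer: normal UI traffic


def scan(log_text: str) -> list:
    """Run classify() over every line and keep only the alerts."""
    return [a for a in (classify(ln) for ln in log_text.splitlines()) if a]
```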

Detection queries are kept inside the platform.

Indicators of compromise: 1 (type: email)