<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>CVE-2026-3857 — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-3857/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 26 Mar 2026 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-3857/feed.xml" rel="self" type="application/rss+xml"/><item><title>GitLab GraphQL CSRF Vulnerability (CVE-2026-3857)</title><link>https://feed.craftedsignal.io/briefs/2026-03-gitlab-csrf/</link><pubDate>Thu, 26 Mar 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-gitlab-csrf/</guid><description>CVE-2026-3857 describes a vulnerability in GitLab CE/EE versions 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1, where an unauthenticated user can execute arbitrary GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection, potentially leading to data modification or privilege escalation.</description><content:encoded>&lt;p>GitLab has addressed a high-severity security flaw, identified as CVE-2026-3857, in its Community Edition (CE) and Enterprise Edition (EE). The vulnerability affects GitLab instances running versions 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1; the fixed releases are 18.8.7, 18.9.3 and 18.10.1. The core issue is insufficient Cross-Site Request Forgery (CSRF) protection when handling GraphQL mutations: a request that arrives in a logged-in user's browser session is executed as that user, even when the page that triggered it is not GitLab, so an attacker can run arbitrary GraphQL mutations on behalf of authenticated users, potentially leading to data modification or privilege escalation. An unauthenticated attacker could exploit this by crafting malicious web pages…&lt;/p>
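&lt;p>Added example, written for this brief and not GitLab code: a Ruby sketch of a server-side CSRF gate for a GraphQL endpoint. It shows the two properties the advisory's wording turns on. A browser will deliver form-encoded or text/plain bodies cross-origin without a CORS preflight, so an endpoint that parses such bodies as GraphQL documents is reachable from any web page the victim visits; restricting the endpoint to application/json bodies, checking the browser-set Sec-Fetch-Site and Origin headers, and requiring a session-bound anti-CSRF token on mutations lets the server tell a same-site request from a forged one. The request shapes, origins, operation names and token values below are constructed for the demonstration and do not describe GitLab's endpoint or the specific flaw.&lt;/p>

```ruby
# Added example (not GitLab code): a minimal CSRF gate for POST /graphql.
# Requests are modelled as plain Hashes so the logic runs stand-alone.
require 'json'

# Only JSON bodies are parsed as GraphQL. The types below are "simple"
# request types a browser sends cross-origin with cookies and WITHOUT a
# CORS preflight; an endpoint that accepts them as queries is forgeable.
SAFE_JSON_TYPES = ['application/json'].freeze
SIMPLE_REQUEST_TYPES = [
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain'
].freeze

# Constant-time string comparison for the anti-CSRF token.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# A GraphQL document is a mutation if its first operation keyword is `mutation`.
def mutation?(query)
  query.to_s.lstrip.start_with?('mutation')
end

# Returns :ok when the mutation may run, otherwise a symbol naming the reason.
# request keys (all optional): :content_type, :body, :sec_fetch_site,
# :origin, :csrf_token (from a header), :session_token (server-side value).
def graphql_csrf_gate(request, site_origin:)
  content_type = request[:content_type].to_s.split(';').first.to_s.strip.downcase

  # 1. Refuse to parse anything but JSON. text/plain carrying a JSON string
  #    is the classic way a cross-site page smuggles a GraphQL body.
  return :reject_non_json_body unless SAFE_JSON_TYPES.include?(content_type)

  begin
    doc = JSON.parse(request[:body].to_s)
  rescue JSON::ParserError
    return :reject_malformed_json
  end
  return :reject_malformed_json unless doc.is_a?(Hash)

  # Queries are read-only; who may read the response is a CORS question.
  return :ok unless mutation?(doc['query'])

  # 2. Sec-Fetch-Site is set by the browser and cannot be altered by page
  #    script. Absent header means a non-browser client; step 4 still applies.
  return :reject_cross_site if request[:sec_fetch_site] == 'cross-site'

  # 3. When a browser sends Origin, it must be the site itself.
  origin = request[:origin]
  unless origin.nil?
    return :reject_origin_mismatch if origin != site_origin
  end

  # 4. Session-bound anti-CSRF token, required for every mutation.
  token = request[:csrf_token].to_s
  return :reject_missing_token if token.empty?
  return :reject_bad_token unless secure_compare(token, request[:session_token].to_s)
  :ok
end

# Constructed requests exercising each branch; returns { name => verdict }.
def demo_results
  site = 'https://gitlab.example.test'                      # constructed origin
  mutation = '{"query":"mutation { demoMutation { ok } }"}' # constructed document
  attacker = 'https://attacker.example.test'
  cases = {
    form_post: { content_type: 'application/x-www-form-urlencoded',
                 body: 'query=mutation+%7B+demoMutation+%7B+ok+%7D+%7D',
                 sec_fetch_site: 'cross-site', origin: attacker },
    text_plain_json: { content_type: 'text/plain', body: mutation,
                       sec_fetch_site: 'cross-site', origin: attacker },
    cross_site_json: { content_type: 'application/json', body: mutation,
                       sec_fetch_site: 'cross-site', origin: attacker },
    same_site_no_token: { content_type: 'application/json', body: mutation,
                          sec_fetch_site: 'same-origin', origin: site,
                          session_token: 'abc' },
    same_site_valid: { content_type: 'application/json; charset=utf-8', body: mutation,
                       sec_fetch_site: 'same-origin', origin: site,
                       csrf_token: 'abc', session_token: 'abc' },
    read_only_query: { content_type: 'application/json',
                       body: '{"query":"{ demoQuery { id } }"}',
                       sec_fetch_site: 'cross-site', origin: attacker }
  }
  cases.transform_values { |req| graphql_csrf_gate(req, site_origin: site) }
end

if $PROGRAM_NAME == __FILE__
  demo_results.each { |name, verdict| puts "#{name}: #{verdict}" }
end
```

&lt;p>The first two cases are the ones that matter for this class of bug: the same mutation document is rejected outright when it arrives as a form post or as text/plain, because those are the only shapes a third-party page can submit with the victim's cookies and no preflight. Steps 2 to 4 are defence in depth for JSON requests; the token check in step 4 is what protects a deployment whose clients do not send fetch metadata.&lt;/p>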
</content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>gitlab</category><category>csrf</category><category>cve-2026-3857</category><category>graphql</category></item></channel></rss>