CVSS base score: 9.8
GitLab Allows Attackers to Access Internal Network Through Webhooks
Known exploited
Exploitation likelihood: 74%
CVE-2021-22175
Summary
GitLab's internal network may be exposed to unauthorized access when webhooks are permitted to make requests to the internal network: an attacker can use a webhook to send requests to internal systems (server-side request forgery). This could lead to sensitive data being exposed or compromised. To protect your network, ensure that webhook requests to internal systems are disabled, or that webhooks are allowed only from trusted sources.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| gitlab | gitlab | All versions | – |
| gitlab | gitlab | > 10.5.0 , <= 13.6.7 | – |
| gitlab | gitlab | > 13.7.0 , <= 13.7.7 | – |
| gitlab | gitlab | > 13.8.0 , <= 13.8.4 | – |
Original title
GitLab Server-Side Request Forgery (SSRF) Vulnerability
Original description
GitLab contains a server-side request forgery (SSRF) vulnerability when requests to the internal network for webhooks are enabled.
Vulnerability type
CWE-918: Server-Side Request Forgery (SSRF)
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22175.json (Vendor Advisory)
- https://gitlab.com/gitlab-org/gitlab/-/issues/294178 (Exploit, Issue Tracking, Vendor Advisory)
- https://hackerone.com/reports/1059596 (Permissions Required, Third Party Advisory)
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-... (US Government Resource)
Published: 18 Feb 2026 · Updated: 15 Mar 2026 · First seen: 6 Mar 2026