CVE-2024-1211: GitLab: Cross-site request forgery possible on JWT configured instances
Summary
GitLab versions 10.6 to 16.9.7, 16.10.0 to 16.10.4, and 16.11.0 to 16.11.1 may allow an attacker to trick users into performing unintended actions (cross-site request forgery). If your GitLab instance uses JWT as an OmniAuth authentication provider, update to a fixed version to prevent potential security risks. We recommend checking the official GitLab website for the latest updates and instructions for applying the fix.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | CPE |
|---|---|---|---|
| gitlab | gitlab | >= 10.6.0, < 16.9.7; >= 16.10.0, < 16.10.5; >= 16.11.0, < 16.11.2 | cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* |
Original title
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2 in which cross...
Original description
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2 in which cross-site request forgery may have been possible on GitLab instances configured to use JWT as an OmniAuth provider.
nvd CVSS3.1
8.8
Vulnerability type
CWE-352
Cross-Site Request Forgery (CSRF)
- https://gitlab.com/gitlab-org/gitlab/-/issues/440313 Broken Link
- https://hackerone.com/reports/2323594 Permissions Required
Published: 31 Jan 2025 · Updated: 15 Jun 2026 · First seen: 7 Mar 2026