CISA warns of five-year-old GitLab flaw exploited in attacks
CISA Sounds Alarm as Five-Year-Old GitLab Flaw Still Exploited in Active Attacks
In a stark cybersecurity warning, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated that federal agencies urgently patch a five-year-old vulnerability in GitLab — a flaw that continues to be weaponized by threat actors in real-world attacks.
The vulnerability in question, tracked as CVE-2021-39935, is a Server-Side Request Forgery (SSRF) flaw that GitLab patched in December 2021. At the time, the company classified it as a critical security issue, warning that it could allow unauthenticated attackers to reach the CI Lint API, the endpoint used to validate CI/CD configuration and simulate pipelines.
The Flaw That Keeps on Giving
GitLab’s advisory explained the issue clearly: “When user registration is limited, external users that aren’t developers shouldn’t have access to the CI Lint API.” Yet, nearly five years after the fix shipped, delayed patching has left many organizations exposed.
An SSRF flaw lets an attacker make the GitLab server issue requests on the attacker’s behalf, reaching internal services, cloud metadata endpoints or other hosts that only the server itself can see. Depending on what those requests return, that can expose sensitive data, provide a foothold for lateral movement within the network, or in the worst case lead to full system compromise.
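As an added illustration (not code from the article or from GitLab), here is the kind of outbound-request guard an application needs in order to prevent the behaviour just described: before a server-side fetch, resolve the target and refuse anything that lands on loopback, link-local, private or otherwise non-public address space, including the shorthand, hex, decimal and IPv4-mapped-IPv6 spellings that slip past a naive string comparison. The blocked ranges and the injectable `resolve` hook are this example’s own choices.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Address space a server-side fetch should never be allowed to reach. Constructed for this
# example; add your own internal service CIDRs.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]


def _literal_ip(host):
    """Return an ip_address if `host` is an IP literal, else None.

    Besides the dotted form this accepts the shorthand, hex and decimal IPv4 spellings that
    the C library's inet_aton takes ('127.1', '0x7f000001', '2130706433'); a guard that only
    compares strings against '127.0.0.1' misses all of them."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(host)))
    except OSError:
        return None


def _default_resolve(host):
    """DNS lookup used when no resolver is injected."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_non_public(ip):
    """True for any address a fetch must not reach (private, loopback, link-local, ...)."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 is really 10.0.0.5
    return (any(ip in net for net in BLOCKED_NETWORKS) or ip.is_private or ip.is_loopback
            or ip.is_link_local or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def classify_target(url, resolve=None):
    """Decide whether a server-side fetch to `url` may proceed.

    Returns (allowed, reason). `resolve` maps a hostname to a list of IP strings; it is
    injectable so the check runs offline in tests, and so a caller can pass the address it
    will actually connect to rather than resolving twice (the DNS-rebinding window)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    ip = _literal_ip(host)
    if ip is not None:
        addrs = [ip]
    else:
        try:
            addrs = [ipaddress.ip_address(a) for a in (resolve or _default_resolve)(host)]
        except (OSError, ValueError) as exc:
            return False, f"could not resolve {host!r}: {exc}"
        if not addrs:
            return False, f"{host!r} resolved to nothing"
    for addr in addrs:
        if _is_non_public(addr):
            return False, f"{host} -> {addr} is not a public address"
    return True, f"{host} -> {', '.join(map(str, addrs))}"
```

The check is only as good as the address actually connected to: resolve once, validate, then connect to that literal address (or pin it in the HTTP client), otherwise a hostname can pass validation and re-resolve to an internal address a moment later.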
Federal Mandate: Patch or Else
On February 3, 2026, CISA added CVE-2021-39935 to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems by February 24, 2026 — a tight three-week deadline mandated under Binding Operational Directive (BOD) 22-01.
While BOD 22-01 applies only to federal entities, CISA’s message to the private sector is crystal clear: treat this vulnerability as a top-tier threat and remediate immediately. In CISA’s own words: “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”
The Scale of Exposure
According to Shodan, more than 49,000 GitLab instances are currently reachable from the internet. Most of them are geolocated to China, and nearly 27,000 listen on the default HTTPS port (443). That is a large attack surface for anyone scanning for unpatched instances.
GitLab, for its part, is no niche tool. The company claims its DevSecOps platform is used by more than 30 million registered users and over 50% of Fortune 100 companies — including heavyweights like Nvidia, Airbus, Goldman Sachs, T-Mobile, and Lockheed Martin.
Part of a Broader Attack Trend
This isn’t an isolated incident. In the same alert cycle, CISA also flagged a critical SolarWinds Web Help Desk vulnerability being actively exploited, giving federal agencies just three days to patch. The dual warnings underscore a growing trend: older, well-documented vulnerabilities remain prime targets for attackers who bank on slow patch cycles and operational inertia.
What Should Organizations Do?
Recommended immediate actions, starting with CISA’s standard guidance for KEV entries:
- Apply vendor-provided patches without delay.
- Follow BOD 22-01 guidance for cloud services.
- Discontinue use of affected products if patches are unavailable.
- Review GitLab API logs for CI Lint API calls from unauthenticated or unexpected sources, and watch for outbound requests from the GitLab host to internal addresses or cloud metadata endpoints.
- Restrict access to the CI Lint API to trusted, authenticated users, and confirm that external users cannot reach it when registration is limited.
For organizations running GitLab, the fix shipped in 14.5.2; make sure every instance runs 14.5.2 or later, or the equivalent backported patch for its release line.
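An added example (not from the article, CISA or GitLab) of the two checks a practitioner would run against the list above: a version comparison that treats the December 2021 fix lines as the floor, and a scan of GitLab JSON API log records for CI Lint API calls that carry no authenticated user or arrive in bursts from one address. The patched versions for the 14.4 and 14.3 lines (14.4.4 and 14.3.6) are taken from GitLab’s December 2021 security release and should be confirmed against the advisory; the log lines are constructed, and the field names follow GitLab’s api_json.log format as this example assumes it.

```python
import json
import re
from collections import Counter

# Patched release lines from GitLab's December 2021 security release (14.5.2 / 14.4.4 / 14.3.6).
# Assumption in this example: confirm these against the advisory for your release line.
FIXED_BY_LINE = {(14, 5): (14, 5, 2), (14, 4): (14, 4, 4), (14, 3): (14, 3, 6)}

# Both CI Lint endpoints: the global one and the project-scoped one.
LINT_PATH = re.compile(r"^/api/v4/(?:projects/[^/]+/)?ci/lint/?$")

# Constructed api_json.log-style records (one JSON object per line); field names are assumed.
SAMPLE_LOG = """
{"time":"2026-02-04T09:12:01.001Z","method":"POST","path":"/api/v4/ci/lint","status":200,"remote_ip":"203.0.113.7","username":null,"ua":"curl/8.4.0"}
{"time":"2026-02-04T09:12:01.500Z","method":"POST","path":"/api/v4/ci/lint","status":200,"remote_ip":"203.0.113.7","username":null,"ua":"curl/8.4.0"}
{"time":"2026-02-04T09:13:44.210Z","method":"POST","path":"/api/v4/projects/42/ci/lint","status":200,"remote_ip":"10.20.0.15","username":"dev.alice","ua":"Mozilla/5.0"}
{"time":"2026-02-04T09:14:00.000Z","method":"GET","path":"/api/v4/projects/42","status":200,"remote_ip":"10.20.0.15","username":"dev.alice","ua":"Mozilla/5.0"}
this line is not JSON and is skipped
"""


def parse_version(s):
    """'14.5.2-ee' -> (14, 5, 2); edition and pre-release suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"unrecognised GitLab version {s!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if `version` carries the CVE-2021-39935 fix.

    Lines with a backport are compared against their own floor; any newer line carries the
    fix; older lines (before 14.3) never received it."""
    v = parse_version(version)
    line = v[:2]
    if line in FIXED_BY_LINE:
        return v >= FIXED_BY_LINE[line]
    return v >= (14, 5, 2)


def lint_api_findings(log_lines, burst_threshold=20):
    """Scan JSON API log lines for CI Lint API use.

    Returns {'unauthenticated': [...events with no username...],
             'bursty_sources': [remote_ips with >= burst_threshold lint calls]}."""
    unauth, per_ip = [], Counter()
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not a JSON record; ignore
        if not LINT_PATH.match(ev.get("path", "")):
            continue
        ip = ev.get("remote_ip", "?")
        per_ip[ip] += 1
        if not ev.get("username"):  # null/missing username: no authenticated user
            unauth.append({"time": ev.get("time"), "remote_ip": ip,
                           "method": ev.get("method"), "path": ev["path"],
                           "status": ev.get("status")})
    return {"unauthenticated": unauth,
            "bursty_sources": sorted(ip for ip, n in per_ip.items() if n >= burst_threshold)}


if __name__ == "__main__":
    for ver in ("14.5.1-ee", "14.5.2-ee", "14.4.4-ce", "13.12.15", "17.8.1-ee"):
        print(ver, "patched" if is_patched(ver) else "VULNERABLE")
    print(json.dumps(lint_api_findings(SAMPLE_LOG.splitlines(), burst_threshold=2), indent=2))
```

On a patched instance the unauthenticated hits should be empty; if they are not, treat the source address as hostile and check what the same address did before and after the lint calls. Tune `burst_threshold` to the instance’s normal lint traffic before alerting on it.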
Final Thoughts: The Patch Gap Is the New Battlefield
The fact that a five-year-old vulnerability is still actively exploited should serve as a wake-up call. In today’s threat landscape, speed of patching is just as important as the quality of your defenses. Attackers don’t need zero-days when they can succeed with years-old flaws left unpatched.
With GitLab’s ubiquity in enterprise DevOps pipelines, the stakes couldn’t be higher. The message from CISA is loud and clear: patch now, or risk becoming the next headline.
Tags: GitLab, CVE-2021-39935, CISA, SSRF, cybersecurity, vulnerability, patch now, federal mandate, cyber attack, DevSecOps, CI/CD, known exploited vulnerability, BOD 22-01, Shodan, threat actors, zero trust, IT security, hacking, data breach, exploit, federal agencies, urgent patch, cyber defense