CVE-2026-9204:
GitLab Vulnerability Analysis and Mitigation
Overview
CVE-2026-9204 is a Server-Side Request Forgery (SSRF) vulnerability in GitLab CE/EE that allows authenticated users to read arbitrary files from the Gitaly server and access internal network resources during repository import operations. It affects all versions from 18.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. The vulnerability was published on June 11, 2026, and has been remediated by GitLab. It carries a CVSS v3.1 base score of 6.5 (Medium) per NVD, or 5.3 (Moderate) per the GitHub Advisory Database (GitHub Advisory, GitLab Patch Release).
Technical Details
The root cause is insufficient validation of secondary URLs during the repository import process (CWE-918: Server-Side Request Forgery). An authenticated attacker with low privileges can supply a crafted secondary URL during a repository import operation, causing the Gitaly server to fetch resources from unintended internal or external locations. This enables reading arbitrary files accessible to the Gitaly server process and probing internal network resources. Exploitation requires only low privileges and no user interaction, but certain unspecified conditions must be met (GitHub Advisory, GitLab Patch Release).
Impact
Successful exploitation results in a high confidentiality impact — an authenticated attacker can read arbitrary files from the Gitaly server (potentially including sensitive configuration files, credentials, or repository data) and access internal network resources that would otherwise be unreachable. There is no integrity or availability impact. The ability to probe internal network resources also introduces risk of lateral movement within the infrastructure hosting the GitLab instance (GitHub Advisory, GitLab Patch Release).
Exploitation Steps
- Authenticate: Obtain a valid GitLab account with at least low-level privileges on a vulnerable instance (versions 18.10.0–18.10.7, 18.11.0–18.11.4, or 19.0.0–19.0.1).
- Initiate repository import: Navigate to the repository import functionality within GitLab CE/EE.
- Craft malicious secondary URL: Supply a specially crafted secondary URL pointing to an internal resource (e.g., file:///etc/passwd, an internal metadata endpoint, or an internal network service) that bypasses GitLab's URL validation.
- Trigger SSRF: Submit the import request; the Gitaly server processes the crafted URL and fetches the targeted internal resource.
- Retrieve exfiltrated data: Observe the response or error output from the import operation to extract file contents or probe internal network services (GitHub Advisory).
Indicators of Compromise
- Logs: GitLab application logs showing repository import requests with unusual or internal URLs as secondary sources; Gitaly server logs showing unexpected outbound connections to internal IP ranges or file:// scheme requests.
- Network: Outbound connections from the Gitaly server to internal network segments (RFC 1918 addresses), cloud metadata endpoints (e.g., 169.254.169.254), or unexpected external hosts initiated during repository import operations.
- Application: Repeated failed or successful repository import attempts from a single authenticated user account, particularly targeting the import API endpoint with varied secondary URL parameters.
Mitigation and Workarounds
GitLab has released patched versions addressing this vulnerability: 18.10.8, 18.11.5, and 19.0.2. All users running affected versions (18.10.x before 18.10.8, 18.11.x before 18.11.5, or 19.0.x before 19.0.2) should upgrade immediately. As an additional defense-in-depth measure, implement network segmentation to restrict Gitaly server access to only trusted sources, and validate or block secondary URLs used during repository import at the network perimeter (GitLab Patch Release, GitHub Advisory).
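To make the affected-version list and the indicators above checkable, here is an added Python example (not from the advisory, Wiz or GitLab): it tells whether a GitLab version sits in an unpatched range, and reviews constructed import log entries for secondary URLs that point at local files, loopback, link-local (cloud metadata) or RFC 1918 addresses. The JSON field names (`action`, `secondary_url`, `username`) and the log lines are assumptions; real GitLab log schemas differ.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Affected ranges from the advisory: [first affected, first fixed)
AFFECTED_RANGES = [((18, 10, 0), (18, 10, 8)),
                   ((18, 11, 0), (18, 11, 5)),
                   ((19, 0, 0), (19, 0, 2))]

SAMPLE_LOG = [  # constructed JSON-lines entries, not real GitLab output
    '{"action":"repository_import","username":"alice","secondary_url":"https://github.com/org/repo.git"}',
    '{"action":"repository_import","username":"mallory","secondary_url":"file:///etc/passwd"}',
    '{"action":"repository_import","username":"mallory","secondary_url":"http://169.254.169.254/latest/meta-data/"}',
    '{"action":"repository_import","username":"bob","secondary_url":"http://10.0.0.5/internal.git"}',
    '{"action":"project_create","username":"alice"}',
]

def parse_version(v):
    # "18.10.8-ee" -> (18, 10, 8); edition suffixes are ignored
    return tuple(int(p) for p in v.split("-")[0].split("."))

def is_affected(version):
    """True if the GitLab version falls inside an unpatched affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def is_suspicious_url(url):
    """Flag schemes/hosts an import should never reach: non-network schemes
    (file://), loopback, link-local (cloud metadata) and RFC 1918 ranges.
    Hostnames are not resolved, so DNS names to internal IPs pass offline."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https", "git", "ssh"):
        return True
    host = parts.hostname or ""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local

def review_import_logs(lines):
    """Return (username, secondary_url) for import entries worth a look."""
    flagged = []
    for rec in (json.loads(line) for line in lines):
        url = rec.get("secondary_url")
        if rec.get("action") == "repository_import" and url and is_suspicious_url(url):
            flagged.append((rec.get("username"), url))
    return flagged
```

Run `review_import_logs` over your own import log export after mapping its field names; a hit is a lead for review, not proof of exploitation.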
Community Response
Security news outlets including GBHackers and CyberPress covered the GitLab patch release, noting multiple vulnerabilities addressed in the June 2026 patch cycle. The vulnerability was also highlighted in broader coverage of GitLab's security posture. No notable individual researcher commentary or significant social media discussion specific to CVE-2026-9204 has been identified beyond standard vulnerability aggregator postings.
Additional Resources
Source: This report was generated using AI.