What happened
CISA added CVE-2021-22175 (GitLab Server-Side Request Forgery) to the Known Exploited Vulnerabilities (KEV) catalog on 2026-02-18, signaling confirmed in-the-wild exploitation (date and status per KEV) (CISA KEV). The entry directs organizations to apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable (requirement per KEV) (CISA KEV). CISA set 2026-03-11 as the remediation due date for federal enterprises, aligning with KEV enforcement timelines (deadline per KEV) (CISA KEV).
The vulnerability is an SSRF in GitLab that is reachable when requests to the internal network for webhooks are enabled (vulnerability class and trigger per CVE record) (NVD CVE-2021-22175). MITRE’s record tracks the same identifier and vendor/product (CVE and vendor metadata) (MITRE CVE-2021-22175). NVD classifies it under CWE-918 (Server-Side Request Forgery), aligning it with a well-known SSRF weakness category (classification per NVD) (NVD CVE-2021-22175).
Why it matters
Inclusion in KEV means exploitation has been observed and remediation is mandatory for U.S. federal agencies under BOD 22-01 timelines (KEV policy signal) (CISA KEV). SSRF lets an attacker coerce a server to make HTTP(S) requests that the attacker chooses, often reaching internal services not normally exposed to the internet (impact described by CWE-918 context) (NVD CVE-2021-22175). For GitLab, the risk activates when internal-network webhook requests are permitted, turning the GitLab service into a network pivot if abused (trigger condition per CVE record) (NVD CVE-2021-22175).
CISA’s required action notice is explicit: apply vendor mitigations or discontinue use if unavailable, and follow BOD 22-01 guidance for cloud services (remediation directive per KEV) (CISA KEV). KEV does not flag known ransomware campaign use at this time, listing it as Unknown (threat-use field in KEV) (CISA KEV).
Technical detail
CVE-2021-22175 is a Server-Side Request Forgery flaw in GitLab (CWE-918 per NVD) that is exposed when GitLab is configured to allow webhook traffic to reach internal network addresses (CWE class and trigger per CVE record) (NVD CVE-2021-22175). In an SSRF, the attacker supplies a URL or target that the server then requests, potentially granting the attacker access to systems reachable by the server but not by the attacker directly (SSRF behavior per CWE-918 context) (NVD CVE-2021-22175). When internal-webhook requests are enabled, that request surface can include internal IP ranges or services behind perimeter controls (trigger condition per CVE record) (MITRE CVE-2021-22175).
CISA’s KEV inclusion confirms that real-world actors have leveraged this flaw, making it a priority for patching and configuration review (exploitation signal per KEV) (CISA KEV). NVD’s entry anchors the vulnerability’s metadata and classification for defenders mapping to CWE-918 and SSRF-focused controls (classification per NVD) (NVD CVE-2021-22175). MITRE maintains the canonical CVE record for coordination across tools and advisories (record authority per MITRE) (MITRE CVE-2021-22175).
Defense
- Execute the KEV-required action path: apply vendor mitigations immediately, follow BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable (directive per KEV) (CISA KEV).
- Prioritize any GitLab instance configured to permit webhook requests to internal network destinations, since that is the exposed condition for this SSRF (trigger per CVE record) (NVD CVE-2021-22175).
- Treat SSRF as a lateral-movement enabler: review egress controls and visibility for server-initiated HTTP(S) to internal addresses from GitLab hosts (SSRF class per NVD) (NVD CVE-2021-22175).
- Validate that remediation is complete before the KEV due date (2026-03-11) for regulated environments to remain compliant (deadline per KEV) (CISA KEV).
Operationally, defenders should inventory all reachable GitLab services, confirm whether internal-network webhook requests are enabled, and lock down or remediate accordingly (trigger condition per CVE record) (MITRE CVE-2021-22175). Map detections to SSRF behavior—unexpected outbound requests initiated by GitLab to internal hosts—and triage any anomalies in change windows linked to webhook events (SSRF class per NVD) (NVD CVE-2021-22175).
Lyrie Verdict
KEV inclusion means active exploitation; SSRF via internal-network webhooks gives adversaries an automated foothold to probe internal surfaces using the victim service’s reach (exploitation and trigger per KEV/CVE) (CISA KEV). Lyrie treats this as a machine-speed problem: we continuously correlate webhook-driven server requests from GitLab processes with destination context to flag unauthorized internal targets and cut off the sequence before lateral movement materializes (SSRF class per NVD) (NVD CVE-2021-22175). That means autonomous detection on the first unexpected server-initiated call to an internal address—without waiting for human triage—aligned to CWE-918 behaviors and KEV urgency (classification and urgency per NVD/KEV) (MITRE CVE-2021-22175).