CVE-2021-39904 in Community Editioninfo

Summary

by MITRE • 11/05/2021

An Improper Access Control vulnerability in the GraphQL API in all versions of GitLab CE/EE starting from 13.1 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows a Merge Request creator to resolve discussions and apply suggestions after a project owner has locked the Merge Request

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 06/12/2026

The vulnerability identified as CVE-2021-39904 represents a critical improper access control flaw within GitLab's GraphQL API implementation. This weakness exists in both Community Edition and Enterprise Edition versions starting from 13.1, creating a significant security gap that undermines the intended access controls for merge request management. The vulnerability specifically targets the authorization mechanisms that should prevent unauthorized modifications to merge requests after project owners have implemented protective measures through locking functionality.

The technical flaw manifests when a merge request creator retains the ability to perform actions such as resolving discussions and applying suggestions even after the project owner has locked the merge request. This behavior violates fundamental security principles by allowing privilege escalation through improper access control enforcement. The GraphQL API endpoint fails to properly validate whether the requesting user possesses the necessary permissions to modify locked merge requests, creating an unexpected access path that bypasses the intended locking mechanism designed to prevent further modifications.

From an operational impact perspective, this vulnerability enables malicious actors or unauthorized users to circumvent project governance controls that are essential for maintaining code quality and security standards. When project owners lock merge requests to prevent further changes, they expect those restrictions to be enforced completely. However, the flaw allows the merge request creator to continue making modifications that could introduce security vulnerabilities, backdoors, or other undesirable changes to the codebase. This capability undermines the integrity of the code review process and can result in unauthorized code modifications that bypass established security controls.

The vulnerability aligns with CWE-285, which describes improper authorization issues in software systems, and maps to ATT&CK technique T1078.004 for valid accounts and T1566.001 for spearphishing attachments, as it enables unauthorized access to privileged functionality through legitimate user accounts. Organizations using GitLab versions affected by this vulnerability face increased risk of code tampering, potential security breaches, and violation of security policies that rely on merge request locking mechanisms for access control enforcement. The flaw particularly impacts development workflows where project owners implement locking as a security measure to prevent unauthorized modifications during code review processes.

Mitigation strategies should include immediate upgrade to GitLab versions that have addressed this vulnerability through proper access control enforcement. Organizations should also implement additional monitoring of GraphQL API calls related to merge request modifications and ensure that access control policies are consistently enforced across all API endpoints. Security teams should conduct thorough audits of existing merge request locking mechanisms and verify that proper authorization checks are implemented for all user interactions with locked merge requests. Regular security assessments of API endpoints and access control implementations should be performed to identify similar vulnerabilities that could compromise system integrity and security posture.

Responsible

GitLab Inc.

Reservation

08/23/2021

Disclosure

11/05/2021

Moderation

accepted

CPE

ready

EPSS

0.00815

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!