CVE-2020-13350
Description
CSRF in runner administration page in all versions of GitLab CE/EE allows an attacker who's able to target GitLab instance administrators to pause/resume runners. Affected versions are >=13.5.0, <13.5.2, >=13.4.0, <13.4.5, <13.3.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in GitLab runner administration page allows an attacker to pause or resume runners, affecting versions before 13.3.9, 13.4.5, and 13.5.2.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the runner administration page of GitLab Community Edition (CE) and Enterprise Edition (EE). The vulnerability allows an attacker to perform state-changing actions (pause/resume runners) without proper CSRF token validation. Affected versions are >=13.5.0 before 13.5.2, >=13.4.0 before 13.4.5, and versions prior to 13.3.9 [1].
Exploitation
An attacker must trick a GitLab instance administrator into visiting a malicious page or clicking a crafted link while authenticated. The attacker can craft requests to endpoints such as /admin/runners/:runner_id/pause or /admin/runners/:runner_id/resume to pause or resume specific runners [1]. No additional privileges or authentication are required beyond the administrator's session.
Impact
Successful exploitation allows the attacker to pause or resume runners on the GitLab instance. This can disrupt CI/CD pipelines, potentially delaying or preventing software builds, tests, and deployments. The impact is limited to runner availability; no data disclosure or code execution is reported.
Mitigation
GitLab has released patches in versions 13.3.9, 13.4.5, and 13.5.2 [1]. Administrators should upgrade to one of these fixed versions or later. No workaround is available for unpatched versions. The vulnerability is not known to be exploited in the wild as of the publication date.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: >=13.5.0, <13.5.2, >=13.4.0, <13.4.5, <13.3.9
- (no CPE) range: >=13.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13350.json (MITRE x_refsource_CONFIRM)
- gitlab.com/gitlab-org/gitlab/-/issues/24416 (MITRE x_refsource_MISC)
- hackerone.com/reports/415238 (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.