GitLab Workhorse Security
GitLab Workhorse is a smart reverse proxy for GitLab positioned between NGINX and the Rails application[^c1]. It intercepts all HTTP traffic to and from Rails and handles resource-intensive operations such as file transfers, Git operations, and data streaming. All authentication and authorization decisions remain in the Rails application, and all requests to Rails pass through Workhorse[^c2].
Workhorse relies on a shared-secret JWT mechanism for internal authentication with Rails and other components such as [[gitaly]] and [[gitlab-shell]]. Rate limiting protects the Rails backend from overload, and a multipart middleware with allowed-path validation and JWT-signed upload metadata secures file upload processing.
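The two controls named above, the shared-secret JWT that lets Rails trust a request as coming from Workhorse, and the path check that keeps an upload's destination inside its allowed directory, can be shown in a small Go program. This is an added example written for this page, not code from the Workhorse or Rails projects: the secret is a constructed literal (the real one is read from a file shared by both components), the `gitlab-workhorse` issuer string and the HS256 algorithm are assumptions about the token format, and `WithinAllowedPath` is a generic containment check rather than Workhorse's own multipart middleware.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed secret for this example only; Workhorse and Rails load the real
// secret from a shared file that this program never reads.
var sharedSecret = []byte("constructed-shared-secret-for-example")

// Claims is the minimal claim set checked here. The issuer value is an
// assumption of this example, not taken from the page.
type Claims struct {
	Iss string `json:"iss"`
}

const expectedIssuer = "gitlab-workhorse"

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignHS256 builds a compact JWT (header.payload.signature) using HMAC-SHA256
// keyed with the shared secret; this is what the proxy side would attach.
func SignHS256(claims Claims, secret []byte) (string, error) {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// VerifyHS256 is the backend-side check: it refuses any algorithm other than
// HS256 (so a header claiming "none" cannot bypass the MAC), compares the
// signature in constant time, and only then trusts the issuer claim.
func VerifyHS256(token string, secret []byte) (Claims, error) {
	var claims Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims, errors.New("malformed token")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return claims, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "HS256" {
		return claims, errors.New("unsupported or missing alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return claims, err
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return claims, errors.New("bad signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return claims, err
	}
	if err := json.Unmarshal(body, &claims); err != nil {
		return claims, err
	}
	if claims.Iss != expectedIssuer {
		return claims, errors.New("unexpected issuer")
	}
	return claims, nil
}

// WithinAllowedPath reports whether a client-supplied name resolves to a
// location inside root. Absolute names and anything that climbs out with ".."
// are rejected before any file is written.
func WithinAllowedPath(root, candidate string) bool {
	if filepath.IsAbs(candidate) {
		return false
	}
	rel, err := filepath.Rel(filepath.Clean(root), filepath.Clean(filepath.Join(root, candidate)))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	tok, _ := SignHS256(Claims{Iss: expectedIssuer}, sharedSecret)
	_, err := VerifyHS256(tok, sharedSecret)
	fmt.Println("valid token accepted:", err == nil)
	_, err = VerifyHS256(tok, []byte("other-secret"))
	fmt.Println("wrong secret rejected:", err != nil)
	fmt.Println("a/b.txt allowed:", WithinAllowedPath("/var/uploads", "a/b.txt"))
	fmt.Println("../etc/passwd allowed:", WithinAllowedPath("/var/uploads", "../etc/passwd"))
}
```

The verifier pins the algorithm before looking at the signature because a token whose header says `none` would otherwise carry an empty signature that a lax parser accepts; the path check normalises with `filepath.Clean` first so that `..` segments hidden inside a longer name are resolved before the containment test.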
The proxy has been the subject of numerous security vulnerabilities spanning multiple classes: parser differentials between Workhorse and Rails's middleware stack, HTTP request smuggling through inconsistent interpretation of requests, architectural weaknesses such as upload processing code executing before authentication checks, path traversal enabling JWT token leakage, and file upload resource exhaustion leading to denial of service. The most critical vulnerability, CVE-2021-22205, allowed unauthenticated remote code execution through ExifTool and was widely exploited in the wild.
In 2026, five new CVEs were disclosed that directly affect the gitlab-workhorse-ce package: CVE-2025-9222 (stored XSS via Markdown placeholders, CVSS 8.7[^c4]), CVE-2026-0958 (DoS via JSON validation middleware bypass, CVSS 7.5[^c6]), CVE-2026-1182 (confidential issue title disclosure, CVSS 4.3), CVE-2026-1184 (DoS via deserialization in file upload, EE only), and CVE-2026-1458 (DoS via malicious file upload resource exhaustion[^c5]). These demonstrate that Workhorse's file upload handling and request processing paths remain active attack surfaces. The May 2026 security release (versions 18.11.3, 18.10.6, 18.9.7) fixed 25 CVEs, none of which affected GitLab Workhorse[^c3], confirming that the proxy's attack surface remains concentrated in its specific responsibilities.