
GitLab Zero-Click Vulnerability

On 12 January 2024, GitLab released emergency patches for two critical vulnerabilities, namely:

CVE-2023-7028 (CVSS 10) enables a potential unauthenticated attacker to have a password reset email sent to an arbitrary, unverified email address. The vulnerability can be triggered without user interaction, which makes it particularly concerning. This security issue should be treated with the highest level of priority by all organizations. There is a significant risk of account hijacking, particularly for organizations that use GitLab to host sensitive data such as API keys and proprietary code. Impacted versions include: 16.1 prior to 16.1.5, 16.2 prior to 16.2.8, 16.3 prior to 16.3.6, 16.4 prior to 16.4.4, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, 16.7 prior to 16.7.2. GitLab recommends upgrading vulnerable versions and enabling multi-factor authentication, especially on privileged accounts.

CVE-2023-5356 (CVSS 9.6) enables a potential attacker to abuse Slack/Mattermost integrations to execute slash commands as another user due to an incorrect authorization check. Impacted versions include all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2.
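As an added example (not code from the Clipeus post or from GitLab), the following script encodes the affected ranges listed above for both CVEs and reports whether a given GitLab version falls inside any of them; each range is treated as inclusive of the first affected minor release and exclusive of the fixed patch release.

```python
"""Check a GitLab version against the affected ranges named in the advisory above."""
import sys
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn "16.5.6" (or "16.5.6-ee") into (16, 5, 6); a missing patch component counts as 0."""
    core = text.strip().split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


# Each entry is (first affected version, first fixed version), i.e. the half-open range [lo, hi).
# The ranges are exactly those stated in the advisory text above.
AFFECTED_RANGES = {
    "CVE-2023-7028": [
        ("16.1", "16.1.5"), ("16.2", "16.2.8"), ("16.3", "16.3.6"),
        ("16.4", "16.4.4"), ("16.5", "16.5.6"), ("16.6", "16.6.4"),
        ("16.7", "16.7.2"),
    ],
    "CVE-2023-5356": [
        ("8.13", "16.5.6"), ("16.6", "16.6.4"), ("16.7", "16.7.2"),
    ],
}


def is_affected(version: str, cve: str) -> bool:
    """True if `version` lies in any affected range for `cve`."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES[cve])


def affected_cves(version: str) -> List[str]:
    """All CVEs from the advisory that apply to `version`, in advisory order."""
    return [cve for cve in AFFECTED_RANGES if is_affected(version, cve)]


if __name__ == "__main__":
    # Constructed sample versions are used when none are given on the command line.
    for ver in sys.argv[1:] or ["16.5.5", "16.7.2"]:
        hits = affected_cves(ver)
        print(f"GitLab {ver}: {', '.join(hits) if hits else 'not in an affected range'}")
```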


If you are interested in specifics or additional insights on the threats above or any other threat, please visit our dedicated service page or reach out to with your inquiry. We would be glad to assist you.