VYPR
Unrated severity · NVD Advisory · Published Dec 13, 2021 · Updated Aug 4, 2024

CVE-2021-39919

Description

In all versions of GitLab CE/EE starting version 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, the reset password token and new user email token are accidentally logged which may lead to information disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reset password and new user email tokens are accidentally logged in GitLab CE/EE versions 14.0 to 14.3.5, 14.4.0 to 14.4.3, and 14.5.0 to 14.5.1, leading to potential information disclosure.

Vulnerability

In GitLab CE/EE versions starting from 14.0 before 14.3.6, all versions from 14.4 before 14.4.4, and all versions from 14.5 before 14.5.2, the reset password token and new user email token are accidentally logged by ActiveJob when enqueuing mail delivery [1]. Specifically, the production log records the token as part of the :args parameter in ActionMailer::MailDeliveryJob log entries [1]. This affects the DeviseMailer#reset_password_instructions and Notify#new_user_email mailer actions [1]. No special configuration is required; the tokens are logged by default.

Exploitation

An attacker with read access to the GitLab Rails production log (e.g., via `gitlab-ctl tail` on an Omnibus instance, or access to centralized logging systems like Kibana on GitLab.com) can extract the exposed tokens [1]. The tokens appear in log entries such as `[ActiveJob] Enqueued ActionMailer::MailDeliveryJob ... with arguments: "Notify", "new_user_email", "deliver_now", {:args=>[2, "17uGGXB4g2DNrzqwf_To"]}` or `... arguments: "DeviseMailer", "reset_password_instructions", "deliver_now", {:args=>[#<GlobalID:0x... @uri=#<URI::GID gid://gitlab/User/1234567>>, "mtofpQMP_ghqeyXZWF-r", {}]}` [1]. The attacker does not require authenticated GitLab API access, only log access.

Impact

Successful exploitation leads to information disclosure of sensitive password reset and new user confirmation tokens. An attacker who obtains a reset password token can reset the victim user's password and gain unauthorized access to that account. Similarly, a new user email token can be used to confirm a new account without the intended user's knowledge. This compromises the confidentiality and integrity of user accounts, potentially leading to account takeover [1].

Mitigation

The issue is fixed in GitLab versions 14.3.6, 14.4.4, and 14.5.2 [1]. Users must upgrade to one of these patched releases or later. The fix suppresses the ActiveJob log messages that contained the tokens [1]. No workaround other than upgrading is available. The CVE is not listed in CISA's Known Exploited Vulnerabilities Catalog as of the publication date.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"ActiveJob argument logging exposes plaintext password reset tokens and new user email tokens to application logs."

Attack vector

An attacker who gains read access to GitLab's application logs (e.g., via `gitlab-ctl tail`, Kibana, or log aggregation systems) can extract the plaintext reset password token or new user email token from the logged ActiveJob arguments [ref_id=1]. The tokens are logged whenever a user triggers the password reset flow or an administrator creates a new user in the Admin UI. With a valid reset token, the attacker can change the victim's password and take over the account; with a new user email token, the attacker can complete user registration as that identity.

Affected code

The issue is in GitLab's ActiveJob logging, which records the arguments passed to mailer jobs. When `DeviseMailer#reset_password_instructions` or `Notify#new_user_email` are enqueued, the plaintext reset password token and new user email token (e.g., `"17uGGXB4g2DNrzqwf_To"` or `"mtofpQMP_ghqeyXZWF-r"`) are included in the job arguments and written to `production.log` and Sidekiq logs [ref_id=1].

What the fix does

The fix suppresses the ActiveJob log messages for these mailer jobs entirely, since the same information is already recorded by Sidekiq's own logging [ref_id=1]. By removing the redundant ActiveJob argument logging, the plaintext tokens are no longer written to `production.log` or forwarded to log aggregation systems. No patch diff is included in the bundle, but the referenced issue confirms that suppressing these messages is the intended remediation.
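The exposure described above, as an added example that is not GitLab's code: a defender-side check that scans ActiveJob enqueue lines for the two affected mailer actions, reports any token-shaped argument, and redacts it before the line is forwarded to an aggregator. The 20-character token shape and the sample log lines are assumptions constructed from the advisory's examples.

```ruby
# Added example, not GitLab's code: flag and redact the mailer tokens that an
# unpatched ActiveJob logger wrote to production.log for the two affected actions.

# Mailer/action pairs named in the advisory; any other mailer job is ignored.
AFFECTED_ACTIONS = {
  "Notify"       => "new_user_email",
  "DeviseMailer" => "reset_password_instructions",
}.freeze

# Shape of the leaked tokens in the advisory's samples: 20 URL-safe characters
# quoted inside the {:args=>[...]} hash (assumption about the token format).
TOKEN_RE = /"([A-Za-z0-9_-]{20})"/
ENQUEUE_RE = /Enqueued ActionMailer::MailDeliveryJob .*with arguments: "(\w+)", "(\w+)", "deliver_now", (\{:args=>\[.*\]\})/

# Returns {mailer:, action:, token:} when a log line carries a leaked token, else nil.
def mailer_token_leak(line)
  m = line.match(ENQUEUE_RE)
  return nil unless m
  mailer, action, args = m.captures
  return nil unless AFFECTED_ACTIONS[mailer] == action
  token = args[TOKEN_RE, 1]
  token && { mailer: mailer, action: action, token: token }
end

# Rewrites a leaking line so it can be shipped to log aggregation without the token.
def redact_line(line)
  leak = mailer_token_leak(line)
  leak ? line.sub(%("#{leak[:token]}"), '"[FILTERED]"') : line
end

# Scans a whole log text and returns one hash per leaking line.
def scan_log(text)
  text.each_line.map(&:chomp).map { |l| mailer_token_leak(l)&.merge(line: l) }.compact
end

# Constructed sample log: two leaking lines shaped like the advisory's samples
# and one unaffected mailer action that must not be flagged.
SAMPLE_LOG = <<~LOG
  [ActiveJob] Enqueued ActionMailer::MailDeliveryJob (Job ID: 1) to Sidekiq(mailers) with arguments: "Notify", "new_user_email", "deliver_now", {:args=>[2, "17uGGXB4g2DNrzqwf_To"]}
  [ActiveJob] Enqueued ActionMailer::MailDeliveryJob (Job ID: 2) to Sidekiq(mailers) with arguments: "DeviseMailer", "reset_password_instructions", "deliver_now", {:args=>[#<GlobalID:0x000055 @uri=#<URI::GID gid://gitlab/User/1234567>>, "mtofpQMP_ghqeyXZWF-r", {}]}
  [ActiveJob] Enqueued ActionMailer::MailDeliveryJob (Job ID: 3) to Sidekiq(mailers) with arguments: "Notify", "some_other_email", "deliver_now", {:args=>[2, "0123456789abcdefghij"]}
LOG

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each { |leak| puts "#{leak[:mailer]}##{leak[:action]} leaked a token" }
  puts redact_line(SAMPLE_LOG.lines[1])
end
```

Running the scanner over retained logs from an unpatched release tells you which reset and confirmation tokens were exposed and should be invalidated; the redaction is only a stopgap until the instance is upgraded.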

Preconditions

  • auth: Attacker must have read access to GitLab application logs (e.g., production.log, Sidekiq logs, or a log aggregation system like Kibana).
  • input: A user must initiate a password reset flow or an admin must create a new user via the Admin UI to trigger logging of the token.

Reproduction

1. As an authenticated user, navigate to the password reset page and submit a reset request for your account.
2. As an administrator, create a new user via the Admin UI.
3. Examine the application logs (e.g., `gitlab-ctl tail` on Omnibus, or Kibana on GitLab.com).
4. Observe that the plaintext reset token or new user email token appears in the ActiveJob log line, e.g., `"DeviseMailer", "reset_password_instructions", "deliver_now", {:args=>[..., "mtofpQMP_ghqeyXZWF-r", {}]}` [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
