VYPR
Unrated severityNVD Advisory· Published Dec 13, 2021· Updated Aug 4, 2024

CVE-2021-39944

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2. A permissions validation flaw allowed group members with a developer role to elevate their privilege to maintainer on projects they import.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab CE/EE versions prior to 14.3.6, 14.4.4, and 14.5.2 allow group members with developer role to elevate privileges to maintainer via project import.

Vulnerability

GitLab CE/EE versions starting from 11.0 before 14.3.6, all versions from 14.4 before 14.4.4, and all versions from 14.5 before 14.5.2 contain a permissions validation flaw. When a group member with a developer role imports a project, the access level specified in the exported project's project_members.ndjson file is not properly validated, allowing the user to escalate their privileges to maintainer on the imported project [1].

Exploitation

An attacker with a developer role in a GitLab group can exploit this by exporting a project they own, modifying the access_level field in the project_members.ndjson file from the default developer level (30) to maintainer (40), and then importing that project into the group where they only have developer access. Upon import, the attacker gains maintainer privileges on the newly imported project [1].

Impact

Successful exploitation allows the attacker to have maintainer-level access on the imported project, enabling them to add deploy tokens or SSH keys, modify project settings, and potentially maintain persistent access even after demoting themselves or leaving the group [1].

Mitigation

GitLab has released versions 14.3.6, 14.4.4, and 14.5.2 which fix this issue. Users are advised to upgrade to the latest available patched version. No workarounds are documented [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

Root cause

"Missing validation of the access_level field during project import allows a group Developer to escalate to Maintainer privileges."

Attack vector

An attacker who is a group member with a Developer role can escalate their privilege to Maintainer on projects they import. The attacker first exports any project they own, then modifies the `access_level` field in the `project_members.ndjson` file within the export archive, changing the value to 40 (Maintainer). When the attacker imports that modified project into the group where they only have Developer access, the import process honors the tampered access level, granting the attacker Maintainer privileges on the imported project [ref_id=1].

Affected code

The vulnerability lies in the project import functionality. When a user imports a project via the GitLab export/import feature, the `project_members.ndjson` file within the export archive is processed without validating that the `access_level` field does not exceed the importing user's group role. The advisory does not specify exact file paths or function names beyond the import mechanism.

What the fix does

No patch diff is included in the bundle. The advisory indicates the issue was fixed in GitLab versions 14.3.6, 14.4.4, and 14.5.2. The expected remediation is that the import process should enforce that the importing user's role in the target group is the maximum role they can receive in the imported project, preventing a Developer from importing a project with Maintainer-level membership [ref_id=1].
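As an added illustration (this is not GitLab's code and is not taken from the advisory), the Ruby sketch below contrasts the unchecked behaviour the page describes, where whatever `access_level` the archive carries is applied, with a hardened variant that clamps every imported membership to the importer's role in the target group. Clamping all entries rather than only the importer's own is a conservative reading of the remediation described above and is an assumption of the example, as are the sample `project_members.ndjson` lines, the function names and the usernames.

```ruby
require 'json'

# GitLab's documented access levels; 30 (Developer) and 40 (Maintainer)
# are the two values named in the advisory.
GUEST      = 10
REPORTER   = 20
DEVELOPER  = 30
MAINTAINER = 40
OWNER      = 50

# Constructed sample of a tampered project_members.ndjson (one JSON object
# per line, as in a GitLab export archive). The second line has been edited
# from 30 to 40; the third grants a third party Owner. Usernames are made up.
TAMPERED_NDJSON = <<~NDJSON
  {"access_level":30,"user":{"username":"account_b"}}
  {"access_level":40,"user":{"username":"account_b"}}
  {"access_level":50,"user":{"username":"someone_else"}}
NDJSON

# Parse ndjson text into an array of member hashes, skipping blank lines.
def parse_members(ndjson)
  ndjson.each_line.map(&:strip).reject(&:empty?).map { |line| JSON.parse(line) }
end

# Unchecked behaviour (illustrative): the archive's access_level is applied
# as-is, so a Developer who edited the file becomes Maintainer.
def import_members_unchecked(members)
  members.map { |m| [m.dig('user', 'username'), m['access_level'].to_i] }
end

# Hardened behaviour (illustrative): the importer's role in the target group
# is the ceiling for every imported membership. Entries that had to be
# lowered are returned separately so the import can log or alert on them.
def import_members_capped(members, importer_group_level)
  flagged = []
  applied = members.map do |m|
    username  = m.dig('user', 'username')
    requested = m['access_level'].to_i
    granted   = [requested, importer_group_level].min
    if granted < requested
      flagged << { username: username, requested: requested, granted: granted }
    end
    [username, granted]
  end
  { applied: applied, flagged: flagged }
end

if __FILE__ == $PROGRAM_NAME
  members = parse_members(TAMPERED_NDJSON)
  puts "unchecked: #{import_members_unchecked(members).inspect}"
  result = import_members_capped(members, DEVELOPER)
  puts "capped:    #{result[:applied].inspect}"
  result[:flagged].each do |f|
    puts "lowered #{f[:username]} from #{f[:requested]} to #{f[:granted]}"
  end
end
```

The `flagged` list is the part a defender would wire to an audit event: a tampered archive is only visible at import time, and an entry whose requested level exceeds the importer's group role is the signal that distinguishes a genuine export from an edited one.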

Preconditions

  • auth: Attacker must be a member of the target group with at least Developer role
  • auth: Attacker must own or have access to a project they can export
  • input: Attacker must be able to modify the project export archive (the project_members.ndjson file) before importing

Reproduction

1. Create two accounts (Account A and Account B).
2. With Account A, create a group and invite Account B with a max role of Developer.
3. With Account B, export any project they own.
4. Modify the `access_level` field in the `project_members.ndjson` file inside the export archive, changing it to 40 (Maintainer).
5. With Account B, import the modified project into the group where they have only Developer access.
6. Account B now has Maintainer access on the imported project [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
