VYPR
Unrated severity · NVD Advisory · Published May 10, 2022 · Updated Aug 3, 2024

CVE-2022-1417


Description

Improper access control in GitLab CE/EE affecting all versions starting from 8.12 before 14.8.6, all versions starting from 14.9 before 14.9.4, and all versions starting from 14.10 before 14.10.1 allows non-project members to access contents of Project Members-only Wikis via malicious CI jobs

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab CE/EE fails to enforce project-member-only wiki access, letting non-members clone private wikis via CI job tokens.

Vulnerability

An improper access control vulnerability exists in GitLab Community Edition (CE) and Enterprise Edition (EE) affecting all versions starting from 8.12 before 14.8.6, all versions starting from 14.9 before 14.9.4, and all versions starting from 14.10 before 14.10.1 [1]. The flaw resides in the Wiki functionality, where the Only Project Members visibility setting is not properly enforced when access is attempted via a CI_JOB_TOKEN in CI pipelines [1]. This token, typically used to grant temporary scoped access during CI jobs, bypasses the member-only restriction, allowing unauthorized cloning and reading of the wiki repository [1].

Exploitation

An attacker must have the ability to create a CI pipeline in an arbitrary project (any user with permission to run CI jobs on a publicly accessible or attacker-controlled project can do this) [1]. The attacker then defines a .gitlab-ci.yml file containing a job that executes git clone http://gitlab-ci-token:$CI_JOB_TOKEN@gitlab.com/.wiki.git [1]. When the pipeline runs, the CI_JOB_TOKEN associated with that specific job provides sufficient credentials to clone the target project's wiki repository, regardless of the wiki's visibility setting [1]. The attacker can then read all wiki content by listing files and viewing pages such as home.md [1]. No additional privileges or user interaction from the target project's members is required beyond the initial pipeline execution.

Impact

Successful exploitation allows an attacker who is not a member of the target project to access all contents of a Project Members-only Wiki [1]. This results in unauthorized disclosure of potentially sensitive information stored in the wiki, such as internal documentation, credentials, or project secrets. The attacker gains read access at the same level as a legitimate project member, but only through the CI pipeline context, not via the GitLab web interface. The CIA impact is limited to confidentiality, as the attacker cannot modify or delete wiki content.

Mitigation

The vulnerability is fixed in GitLab versions 14.8.6, 14.9.4, and 14.10.1 [1]. Users running affected versions should upgrade immediately to the nearest patched release. No workaround is available for unpatched versions, as the CI_JOB_TOKEN permissions are integral to pipeline functionality. It is important to note that this issue is a re-introduction of a previously patched bug and should be treated as a high-priority fix. This CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of writing.
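The three affected ranges above are easy to get wrong by hand when an instance sits on an older release line, so here is an added helper (not VYPR's or GitLab's code) that decides whether a reported GitLab version falls inside them and names the nearest patched release. It assumes version strings of the form MAJOR.MINOR.PATCH with an optional suffix such as `-ee`.

```python
from typing import Optional, Tuple

# Affected ranges from the advisory, as [first affected, first fixed) per release line.
AFFECTED_RANGES = (
    ((8, 12, 0), (14, 8, 6)),    # 8.12 up to but not including 14.8.6
    ((14, 9, 0), (14, 9, 4)),    # 14.9 up to but not including 14.9.4
    ((14, 10, 0), (14, 10, 1)),  # 14.10 up to but not including 14.10.1
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (an optional '-ee' style suffix is dropped)."""
    core = version.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the version lies in any affected range (tuples compare lexicographically)."""
    v = parse_version(version)
    return any(start <= v < fixed for start, fixed in AFFECTED_RANGES)


def recommended_fix(version: str) -> Optional[str]:
    """Nearest patched release on the instance's own line, or None if not affected."""
    v = parse_version(version)
    for start, fixed in AFFECTED_RANGES:
        if start <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real instance.
    for sample in ("14.8.5", "14.8.6", "14.9.3-ee", "14.10.0", "15.0.0"):
        fix = recommended_fix(sample)
        print(f"{sample}: {'upgrade to ' + fix if fix else 'not affected'}")
```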

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet).

Vulnerability mechanics

Root cause

Missing authorization check for the CI job token when accessing project wikis with the "Only Project Members" visibility setting.

Attack vector

An attacker with the ability to create CI jobs in any project (including a public project they control) can craft a malicious `.gitlab-ci.yml` that uses `git clone http://gitlab-ci-token:$CI_JOB_TOKEN@gitlab.com/<target>/<project>.wiki.git` to clone a target project's wiki. The CI job token authenticates the request, but GitLab fails to enforce the "Only Project Members" wiki visibility restriction for these token-authenticated Git operations, allowing the attacker to read the private wiki contents [ref_id=1].

Affected code

The vulnerability lies in the GitLab backend handling of Git-over-HTTP requests for project wikis. The CI job token (`CI_JOB_TOKEN`) was not properly checked against the "Only Project Members" wiki visibility setting, allowing unauthorized Git operations on the wiki repository.

What the fix does

The advisory does not include a patch diff, but the issue was addressed in GitLab versions 14.8.6, 14.9.4, and 14.10.1. The fix ensures that when a CI job token is used to access a project wiki via Git protocol, the server properly checks the wiki visibility setting ("Only Project Members") and denies access if the token's owner is not a project member. This closes the bypass that existed because the CI_JOB_TOKEN was trusted for authentication but the authorization check for wiki visibility was incomplete [ref_id=1].

Preconditions

  • auth: Attacker must be able to create a CI pipeline (e.g., in a public project they control)
  • config: Target project must have wiki visibility set to 'Only Project Members'
  • input: Attacker must know the target project's path (e.g., company/api)

Reproduction

1. Create a target project and set its **Wiki visibility** to **Only Project Members** in the project settings page.

2. As an attacker (non-member of the target project), create a `.gitlab-ci.yml` in an arbitrary project you control:

```yaml
stages:
  - steal
test:
  stage: steal
  script:
    - 'git clone http://gitlab-ci-token:$CI_JOB_TOKEN@gitlab.com/company/api.wiki.git'
    - 'cd api.wiki && cat api-doc.md'
```

3. Run the pipeline; the wiki contents will be printed in the job output [ref_id=1].
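The attack vector and the reproduction above both hinge on one observable pattern: a job authenticating as `gitlab-ci-token:$CI_JOB_TOKEN` to clone a `.wiki.git` repository that belongs to a project other than the one running the pipeline. The following added detection script (not VYPR's or GitLab's code) flags that pattern in `.gitlab-ci.yml` contents or job logs; the sample pipeline text is constructed, and the own-project path is a hypothetical value you would take from the pipeline's `CI_PROJECT_PATH`.

```python
import re
from typing import List

# Git-over-HTTP wiki clone authenticated with the CI job token. Handles http/https,
# $CI_JOB_TOKEN and ${CI_JOB_TOKEN}, and any host (often $CI_SERVER_HOST, not a literal).
WIKI_CLONE_RE = re.compile(
    r"https?://gitlab-ci-token:\$\{?CI_JOB_TOKEN\}?@[^/\s'\"]+/"
    r"(?P<path>[^\s'\"]+?)\.wiki\.git\b"
)


def find_cross_project_wiki_clones(ci_text: str, own_project_path: str) -> List[str]:
    """Return the project paths whose wiki is cloned with the job token but which are
    not the project the pipeline belongs to (cloning your own wiki is normal)."""
    own = own_project_path.strip("/").lower()
    suspicious: List[str] = []
    for match in WIKI_CLONE_RE.finditer(ci_text):
        target = match.group("path").strip("/").lower()
        if target != own and target not in suspicious:
            suspicious.append(target)
    return suspicious


# Constructed sample .gitlab-ci.yml: one legitimate own-wiki clone, one cross-project clone.
SAMPLE_CI = """
stages:
  - docs
  - steal
sync-own-wiki:
  stage: docs
  script:
    - git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/my-group/my-project.wiki.git
test:
  stage: steal
  script:
    - 'git clone http://gitlab-ci-token:$CI_JOB_TOKEN@gitlab.com/company/api.wiki.git'
"""

if __name__ == "__main__":
    # "my-group/my-project" is a hypothetical CI_PROJECT_PATH for the pipeline's own project.
    for path in find_cross_project_wiki_clones(SAMPLE_CI, "my-group/my-project"):
        print(f"job token used to clone another project's wiki: {path}")
```

On an unpatched instance a hit is a strong signal for this bypass; on a patched instance it still indicates a job expecting wiki access it should not have.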

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0 (no linked articles in the index yet).