CVE-2022-1981
Description
An issue has been discovered in GitLab EE affecting all versions starting from 12.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. In GitLab, if a group enables the setting to restrict access to users belonging to specific domains, that allow-list may be bypassed if a Maintainer uses the 'Invite a group' feature to invite a group that has members who don't comply with the domain allow-list.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab EE's domain allow-list for group membership can be bypassed by using the 'Invite a group' feature to invite groups with non-compliant members.
Vulnerability
An issue in GitLab EE versions from 12.2 before 14.10.5, from 15.0 before 15.0.4, and from 15.1 before 15.1.1 allows bypassing a group's domain allow-list restriction via the 'Invite a group' feature. When a group restricts membership by email domain, a Maintainer can still invite another group, and the domain check is not applied to the invited group's members, so members with non-compliant domains gain access.
Exploitation
An attacker with the Maintainer role in a group that has domain restriction enabled can use the 'Invite a group' option to invite a group that contains users with email domains not in the allow-list. No additional authentication or privileges are required beyond the Maintainer role. The invited group's members are added without domain validation.
Impact
Successful exploitation allows an attacker to add unauthorized users to the group and its projects, bypassing the intended domain-based access control. This can lead to unauthorized access to sensitive group resources and potential data exposure.
Mitigation
The issue is fixed in GitLab EE versions 14.10.5, 15.0.4, and 15.1.1 [1]. Users should upgrade to these patched versions. There is no known workaround if the patch cannot be applied immediately.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=12.2, <14.10.5; >=15.0, <15.0.4; >=15.1, <15.1.1
- Range: >=12.2, <14.10.5
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing domain allow-list validation in the 'Invite a Group' feature allows bypassing email domain restrictions."
Attack vector
An attacker who is a Maintainer of a project within a group that has domain allow-list restrictions can bypass those restrictions by using the "Invite a Group" feature [ref_id=1]. The attacker first creates their own group ("Attacker" group) containing members whose email domains do not match the victim group's allow-list. Then, from their Maintainer account, they use the "Invite a Group" option on the victim group's project to invite the Attacker group. Because the "Invite a Group" feature does not check the email domains of the invited group's members against the domain allow-list, all members of the Attacker group gain access to the victim group's project, bypassing the intended domain restriction [ref_id=1].
Affected code
The vulnerability lies in the "Invite a Group" feature within GitLab's group and project membership logic. When a group has configured domain allow-list restrictions (Restrict membership by email domain), the "Invite a Group" option does not validate the email domains of members belonging to the invited group [ref_id=1]. The issue affects GitLab EE versions from 12.2 before 14.10.5, from 15.0 before 15.0.4, and from 15.1 before 15.1.1.
What the fix does
The advisory does not include a patch diff, but the expected fix is to enforce domain allow-list validation when the "Invite a Group" feature is used [ref_id=1]. The remediation should check that all members of the invited group have email domains matching the victim group's domain allow-list before allowing the invitation. GitLab addressed this issue in versions 14.10.5, 15.0.4, and 15.1.1, which contain the fix to properly restrict group invitations based on the domain allow-list configuration.
Preconditions
- config: The victim group must have the 'Restrict membership by email domain' setting configured with specific allowed domains
- auth: The attacker must have the Maintainer role on a project within the victim group
- input: The attacker must have the ability to create their own group with members whose email domains are not in the victim group's allow-list
Reproduction
1. Create a group ("Victim"), go to Settings > General > Permissions and group features, and set "Restrict membership by email domain" to allowed domains (e.g., "slack.com" and "test.com").
2. Create a project in the Victim group and add a user with the Maintainer role whose email matches the allowed domains.
3. Log in as that Maintainer ("Account2").
4. Create a new group ("Attacker") and add members whose email domains are NOT in the Victim group's allow-list (e.g., "wearehackerone.com").
5. From Account2, go to the Victim group's project, navigate to Project Information > Members > Invite a Group, and invite the Attacker group.
6. Observe that the Attacker group's members gain access to the project despite having disallowed email domains [ref_id=1].
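The check that "What the fix does" describes, and that the reproduction steps above show missing, can be modelled in a few lines. The following is an added, standalone Ruby illustration, not GitLab's own code: `Group`, `Member`, `invite_group_unchecked` and `invite_group_checked` are hypothetical simplifications of the membership logic. It contrasts the pre-fix behaviour (the invited group is linked without looking at its members) with a hardened version that refuses the invitation when any effective member of the invited group, including members of groups it has itself invited, falls outside the target group's allow-list. The sample groups and addresses reuse the domains from the reproduction steps and are constructed here.

```ruby
# Added illustration of domain allow-list enforcement on the "Invite a group"
# path. Hypothetical model, not GitLab code.

Member = Struct.new(:username, :email)

class Group
  attr_reader :name, :allowed_domains, :members, :shared_groups

  def initialize(name, allowed_domains: [])
    @name = name
    @allowed_domains = allowed_domains.map(&:downcase)
    @members = []        # direct members
    @shared_groups = []  # groups invited into this one
  end

  # Effective membership: direct members plus members of every invited group,
  # recursively, since an invited group may itself have invited others.
  def effective_members
    members + shared_groups.flat_map(&:effective_members)
  end

  # Compare the email's domain (case-insensitively) against the allow-list.
  # An empty allow-list means no restriction is configured.
  def domain_allowed?(email)
    return true if allowed_domains.empty?
    domain = email.to_s.split('@', 2)[1].to_s.downcase
    allowed_domains.include?(domain)
  end
end

# Pre-fix behaviour: the invited group is linked with no domain validation,
# so every effective member of it gains access.
def invite_group_unchecked(target, invited)
  target.shared_groups << invited
  invited.effective_members
end

class DomainRestrictionError < StandardError; end

# Members of the invited group that would violate the target's allow-list.
def non_compliant_members(target, invited)
  invited.effective_members.reject { |m| target.domain_allowed?(m.email) }
end

# Hardened behaviour: validate every effective member before linking.
def invite_group_checked(target, invited)
  offenders = non_compliant_members(target, invited)
  unless offenders.empty?
    raise DomainRestrictionError,
          "cannot invite #{invited.name}: #{offenders.map(&:email).join(', ')} " \
          "outside allowed domains #{target.allowed_domains.join(', ')}"
  end
  target.shared_groups << invited
  invited.effective_members
end

# Constructed sample mirroring the reproduction steps on this page.
def demo
  allowed = %w[slack.com test.com]
  unpatched = Group.new('Victim-unpatched', allowed_domains: allowed)
  patched = Group.new('Victim', allowed_domains: allowed)
  patched.members << Member.new('account2', 'account2@test.com')

  attacker = Group.new('Attacker')
  attacker.members << Member.new('outsider', 'eve@wearehackerone.com')

  leaked = invite_group_unchecked(unpatched, attacker)
  blocked = begin
    invite_group_checked(patched, attacker)
    false
  rescue DomainRestrictionError
    true
  end
  { leaked: leaked.map(&:email), blocked: blocked, shared: patched.shared_groups.size }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the demo result: the unchecked path leaks the wearehackerone.com member, while the checked path raises and leaves the Victim group with no shared groups. Validating `effective_members` rather than only direct members matters because a nested invitation would otherwise reintroduce the same bypass one level down.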
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1981.json (MITRE, x_refsource_CONFIRM)
- gitlab.com/gitlab-org/gitlab/-/issues/354791 (MITRE, x_refsource_MISC)
- hackerone.com/reports/1501733 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.