CVE-2022-2303
Description
An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for group members to bypass 2FA enforcement enabled at the group level by using Resource Owner Password Credentials grant to obtain an access token without using 2FA.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab CE/EE versions before 15.0.5, 15.1.4, and 15.2.1 allow group members to bypass 2FA enforcement using Resource Owner Password Credentials grant to obtain an access token.
Vulnerability
An issue in GitLab CE/EE affects all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, and all versions starting from 15.2 before 15.2.1. The vulnerability allows group members to bypass 2FA enforcement enabled at the group level by using the Resource Owner Password Credentials grant to obtain an access token without completing two-factor authentication.
Exploitation
An attacker with group membership credentials can bypass 2FA enforcement by sending a POST request to /oauth/token with grant_type=password, username, and password parameters to obtain an access token [1]. The token can then be used to access group resources via the API without having enabled 2FA [1].
Impact
Successful exploitation allows an attacker to bypass group-level 2FA enforcement and access group resources, including confidential information, using the obtained OAuth token with all scopes granted to the user [1]. The attacker can perform actions permitted by the token scopes, such as reading or writing group data.
Mitigation
GitLab has released fixed versions: 15.0.5, 15.1.4, and 15.2.1. Users should upgrade to these versions or later. No workaround is available; upgrading is the recommended remediation.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <15.0.5
- Range: >=15.1, <15.1.4
- Range: >=15.2, <15.2.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The OAuth token endpoint does not enforce group-level 2FA requirements when issuing tokens via the Resource Owner Password Credentials grant."
Attack vector
An attacker who is a member of a GitLab group that has "Require all users in this group to set up two-factor authentication" enabled can bypass that enforcement. The attacker uses the Resource Owner Password Credentials grant by sending a POST request to `/oauth/token` with their username and password, obtaining an OAuth access token without any 2FA challenge [ref_id=1]. This token can then be used to access group resources via the API, including reading group details and, depending on scopes, writing to repositories [ref_id=1]. The attack requires only valid group membership credentials and network access to the GitLab instance [ref_id=1].
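Added here as a defender-side example (not code from the advisory or from GitLab): a small detection pass over constructed `production_json.log`-style lines that flags successful password-grant token requests from accounts that a group's 2FA requirement should have blocked. The log field names (`method`, `path`, `status`, `username`, `params` as key/value objects) and the list of users missing required 2FA are assumptions; in a real audit the user list would come from the admin users API and the group's membership.

```python
import json

# Constructed sample log lines (assumed GitLab production_json.log field names).
SAMPLE_LOG = """\
{"method":"POST","path":"/oauth/token","status":200,"username":"userb","params":[{"key":"grant_type","value":"password"},{"key":"username","value":"userb"},{"key":"password","value":"[FILTERED]"}]}
{"method":"POST","path":"/oauth/token","status":200,"username":"usera","params":[{"key":"grant_type","value":"authorization_code"},{"key":"code","value":"[FILTERED]"}]}
{"method":"POST","path":"/oauth/token","status":401,"username":null,"params":[{"key":"grant_type","value":"password"},{"key":"username","value":"userc"}]}
{"method":"GET","path":"/api/v4/groups/42","status":200,"username":"userb","params":[]}
"""

# Constructed: members of a group with "Require all users in this group to set up
# two-factor authentication" whose accounts still have two_factor_enabled=false.
USERS_MISSING_REQUIRED_2FA = {"userb", "userc"}


def ropc_token_grants(log_text):
    """Return (username, status) for every Resource Owner Password Credentials
    token request, successful or not, found in the log text."""
    grants = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("method") != "POST" or entry.get("path") != "/oauth/token":
            continue
        params = {p["key"]: p["value"] for p in entry.get("params", [])}
        if params.get("grant_type") != "password":
            continue
        # A failed grant has no session user, so fall back to the submitted username.
        user = entry.get("username") or params.get("username")
        grants.append((user, entry.get("status")))
    return grants


def flag_2fa_bypass(log_text, users_missing_2fa):
    """Successful ROPC grants issued to accounts that group-level 2FA enforcement
    should have blocked: the signal of this CVE being exercised."""
    return [user for user, status in ropc_token_grants(log_text)
            if status == 200 and user in users_missing_2fa]


if __name__ == "__main__":
    for user in flag_2fa_bypass(SAMPLE_LOG, USERS_MISSING_REQUIRED_2FA):
        print(f"password grant issued without required 2FA: {user}")
```

On a patched instance the same query is still useful as a baseline: password-grant token issuance to non-2FA accounts in 2FA-required groups should not occur at all.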
Affected code
The vulnerability lies in the OAuth token endpoint (`/oauth/token`) which accepts Resource Owner Password Credentials (ROPC) grant without checking whether the user is subject to group-level 2FA enforcement. The issue is described in GitLab issue #355028 [ref_id=1].
What the fix does
No patch diff is included in the bundle. The advisory references a proposed solution in the issue comments [ref_id=1]. The fix would require the OAuth token endpoint to enforce group-level 2FA requirements before issuing tokens via the ROPC grant, ensuring that users subject to mandatory 2FA cannot obtain access tokens without completing two-factor authentication [ref_id=1].
Preconditions
- auth: The attacker must be a member of a GitLab group that has 2FA enforcement enabled
- input: The attacker must know the username and password of their GitLab account
- network: The GitLab instance must have the OAuth token endpoint accessible over the network
Reproduction
1. As User A, create a private group and invite User B as a developer.
2. Enable "Require all users in this group to set up two-factor authentication" under Settings → General → Permissions and group features, setting the grace period to 0 hours.
3. As User B (who has not set up 2FA), run: `echo 'grant_type=password&username=
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2303.json (CONFIRM)
- gitlab.com/gitlab-org/gitlab/-/issues/355028 (MISC)
- hackerone.com/reports/1498133 (MISC)
News mentions
No linked articles in our index yet.