CVE-2022-2498
Description
An issue in pipeline subscriptions in GitLab EE affecting all versions from 12.8 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 triggered new pipelines with the person who created the tag as the pipeline creator instead of the subscription's author.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pipeline subscriptions in GitLab EE incorrectly set pipeline creator to tag creator, enabling attackers to escalate privileges and access private projects via CI_JOB_TOKEN.
Vulnerability
In GitLab EE, pipeline subscriptions allow triggering pipelines in one project when another project's pipeline succeeds for new tags. Affecting all versions from 12.8 before 15.0.5, 15.1 before 15.1.4, and 15.2 before 15.2.1, the subscription incorrectly sets the pipeline creator to the person who created the tag, rather than the subscription's author. This allows an attacker who has (or had) developer access to an upstream project to set up a subscription to their own project, and when a tag is created by any user (including the owner), the resulting pipeline in the attacker's project runs under the tag creator's identity. [1]
Exploitation
An attacker with at least developer access to an upstream project can add that project as a pipeline subscription in their own project. Even if the attacker's access is later removed, the subscription persists silently. When the upstream project owner or any member creates a tag, a pipeline is triggered in the attacker's project. The attacker can define a .gitlab-ci.yml that uses the $CI_JOB_TOKEN to access private repositories accessible to the tag creator. The attacker does not need the tag creator's interaction; the process is transparent to the victim. [1]
Impact
Successful exploitation allows the attacker to gain access to private projects and data of the tag creator (e.g., project owner). Using the CI job token, the attacker can clone repositories, access variables, and perform actions with the victim's privileges within the scope of the CI job. This leads to unauthorized information disclosure and potential compromise of sensitive data. [1]
Mitigation
GitLab has fixed this issue in versions 15.0.5, 15.1.4, and 15.2.1. Users should upgrade to these or later versions. No workaround is available. The vulnerability is not listed in CISA KEV. [1]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=12.8, <15.0.5; >=15.1, <15.1.4; >=15.2, <15.2.1
- Range: >=12.8, <15.0.5
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The downstream pipeline subscription service uses the upstream pipeline user (tag creator) as the pipeline creator instead of the subscription's author, causing CI job tokens to run with the victim's permissions."
Attack vector
An attacker with developer access to an upstream project adds that project to their own project's pipeline subscription. The attacker then adds the upstream project owner (victim) as a member of the attacker's project. When the victim creates a tag in the upstream project, a downstream pipeline triggers in the attacker's project using the victim's CI job token permissions. The attacker's `.gitlab-ci.yml` can then clone private repositories belonging to the victim using `$CI_JOB_TOKEN`, exfiltrating private data without the victim's knowledge [ref_id=1].
Affected code
The vulnerability is in the pipeline subscription trigger logic, specifically in `ee/app/services/ci/trigger_downstream_subscription_service.rb`. When a downstream pipeline is triggered from a subscription, the service used the upstream pipeline user (the tag creator) as the pipeline creator instead of the subscription's author [ref_id=1].
What the fix does
The proposed fix is to stop using the upstream pipeline user when triggering a downstream subscription pipeline and instead use the author of the subscription. This requires tracking the subscription author in a new `ci_subscriptions_projects.author_id` column. When triggering the downstream pipeline, the code should use `subscription.author || downstream_project.creator`. This mitigates the attack because the CI job token would then run with the attacker's permissions rather than the victim's, preventing access to private repositories the attacker is not authorized to view [ref_id=1].
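The creator-selection rule described above, shown as an added illustration that is not GitLab's own code: a simplified model of a downstream-subscription trigger service before and after the fix. Every class and method name here is hypothetical; only the `subscription.author || downstream_project.creator` rule comes from the page. The legacy subscription with no recorded author is included to show why the fallback to the downstream project's creator is needed.

```ruby
# Added illustration, not GitLab's code: a simplified model of how a
# downstream-subscription trigger service selects the pipeline creator,
# before and after the fix described above. All class and method names
# are hypothetical; only the `subscription.author || downstream_project.creator`
# rule comes from the CVE write-up.

User = Struct.new(:name)
Project = Struct.new(:path, :creator)
# `author` is nil for subscriptions created before the author_id column existed.
Subscription = Struct.new(:upstream_project, :downstream_project, :author)
UpstreamPipeline = Struct.new(:project, :user, :ref)

# Vulnerable rule: the downstream pipeline inherits the identity of whoever
# triggered the upstream pipeline (the tag creator), so its CI job token
# carries that user's permissions.
def vulnerable_pipeline_user(upstream_pipeline, _subscription)
  upstream_pipeline.user
end

# Fixed rule: the downstream pipeline runs as the subscription's author;
# legacy rows without an author fall back to the downstream project's creator.
def fixed_pipeline_user(_upstream_pipeline, subscription)
  subscription.author || subscription.downstream_project.creator
end

# Fan out an upstream pipeline to every subscription that points at its
# project, returning the downstream project path and the chosen user name.
def trigger_downstream(upstream_pipeline, subscriptions, chooser)
  subscriptions
    .select { |s| s.upstream_project == upstream_pipeline.project }
    .map do |s|
      { project: s.downstream_project.path,
        user: chooser.call(upstream_pipeline, s).name }
    end
end

# Constructed scenario: a tag pushed by the upstream owner, with one
# subscription created by another developer and one legacy subscription
# that has no recorded author.
OWNER        = User.new("upstream-owner")
DEVELOPER    = User.new("other-developer")
LEGACY_OWNER = User.new("legacy-owner")
UPSTREAM     = Project.new("org/upstream", OWNER)
SUBSCRIPTIONS = [
  Subscription.new(UPSTREAM, Project.new("other-developer/mirror", DEVELOPER), DEVELOPER),
  Subscription.new(UPSTREAM, Project.new("team/legacy", LEGACY_OWNER), nil),
].freeze
TAG_PIPELINE = UpstreamPipeline.new(UPSTREAM, OWNER, "v1.0.0")

# Both downstream pipelines run as the tag creator (the upstream owner).
def before_fix
  trigger_downstream(TAG_PIPELINE, SUBSCRIPTIONS, method(:vulnerable_pipeline_user))
end

# Each downstream pipeline runs as its own subscription author, or the
# downstream project's creator where no author was recorded.
def after_fix
  trigger_downstream(TAG_PIPELINE, SUBSCRIPTIONS, method(:fixed_pipeline_user))
end

if __FILE__ == $PROGRAM_NAME
  puts "before fix: #{before_fix.inspect}"
  puts "after fix:  #{after_fix.inspect}"
end
```

Running the file prints the two fan-outs side by side: before the fix every downstream job token belongs to the upstream owner; after it, each token belongs to the person who actually set up the subscription, which is the scope a reviewer would expect the job to have.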
Preconditions
- auth: Attacker must have developer (or higher) access to the upstream project to add it as a pipeline subscription
- config: Attacker must create a personal project and configure a pipeline subscription pointing to the upstream project
- auth: Attacker must add the upstream project owner (victim) as a member of the attacker's project with sufficient permissions
- input: Victim must create a tag in the upstream project, triggering the pipeline chain
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2498.json (mitre, x_refsource_CONFIRM)
- gitlab.com/gitlab-org/gitlab/-/issues/243703 (mitre, x_refsource_MISC)
- hackerone.com/reports/966824 (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.