VYPR
Unrated severity · NVD Advisory · Published Nov 9, 2022 · Updated May 1, 2025

CVE-2022-3706

Description

Improper authorization in GitLab CE/EE affecting all versions from 7.14 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user retrying a job in a downstream pipeline to take ownership of the retried jobs in the upstream pipeline even if the user doesn't have access to that project.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper authorization in GitLab CI/CD allows a user retrying a downstream job to take ownership of upstream jobs, bypassing project access controls.

Vulnerability

An improper authorization vulnerability exists in GitLab CE/EE affecting all versions from 7.14 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. The bug resides in the AfterRequeueJobService, specifically in the process_subsequent_jobs and reset_source_bridge methods [1]. When a user retries a job in a downstream pipeline, the service transfers ownership of any skipped jobs in the upstream pipeline to that user, regardless of whether the user has access to the upstream project. This occurs because the service reassigns ownership of skipped jobs in subsequent stages or those directly needed by the retried job, and also resets the source bridge, effectively taking control of the upstream pipeline's execution.
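As an added illustration (not GitLab's code), the following Ruby model shows the hand-off described above together with the upstream-access check the unpatched flow lacks; Project, User, Job, Bridge, can_run_ci? and requeue_upstream are hypothetical names, and the scenario data is constructed.

```ruby
require 'set'

# Hypothetical stand-ins for the models involved (not GitLab's own classes).
Project = Struct.new(:name, :ci_members)           # ci_members: Set of user names with CI rights
User    = Struct.new(:name)
Job     = Struct.new(:name, :project, :status, :owner)
Bridge  = Struct.new(:project, :status, :owner)    # upstream job that launched the downstream pipeline

# Authorization predicate: may this user run CI jobs in this project?
def can_run_ci?(user, project)
  project.ci_members.include?(user.name)
end

# Models the post-retry hand-off described in the advisory: skipped upstream
# jobs and the source bridge are re-queued under the user who retried the
# downstream job. With enforce_access: false the hand-off is unconditional
# (the flaw); with enforce_access: true it is refused unless the user can run
# CI in the upstream project. Returns the names of the jobs whose owner changed.
def requeue_upstream(user, upstream_jobs, bridge, enforce_access:)
  upstream = bridge.project
  return [] if enforce_access && !can_run_ci?(user, upstream)

  changed = []
  upstream_jobs.each do |job|
    next unless job.status == :skipped && job.project == upstream
    job.owner  = user.name
    job.status = :created        # re-queued, now attributed to the new owner
    changed << job.name
  end
  bridge.owner  = user.name
  bridge.status = :created
  changed << 'source-bridge'
end

# Constructed scenario: only 'alice' holds CI rights in the upstream project.
def scenario(user_name, enforce_access:)
  upstream = Project.new('upstream', Set['alice'])
  jobs = [
    Job.new('test',   upstream, :failed,  'alice'),
    Job.new('build',  upstream, :skipped, 'alice'),
    Job.new('deploy', upstream, :skipped, 'alice')
  ]
  bridge = Bridge.new(upstream, :failed, 'alice')
  requeue_upstream(User.new(user_name), jobs, bridge, enforce_access: enforce_access)
end
```

With the check enforced, a retry by a user who is not a member of the upstream project changes nothing, while a member's retry still re-queues the skipped upstream jobs.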

Exploitation

An attacker needs only the ability to retry a job in a downstream pipeline (i.e., CI permissions in the downstream project). By retrying a failed job in the downstream pipeline, the attacker triggers the ownership transfer of all skipped jobs in the upstream pipeline. The attacker does not require any access to the upstream project itself. The sequence is: the attacker identifies a downstream pipeline with a failed job, retries that job, and the system automatically reassigns ownership of upstream skipped jobs to the attacker, who can then control their execution [1].

Impact

Successful exploitation allows the attacker to take ownership of and execute jobs in the upstream pipeline, even without any permissions on the upstream project. This can lead to unauthorized execution of CI jobs, potentially resulting in privilege escalation, information disclosure, or remote code execution depending on the CI configuration and the privileges of the upstream pipeline's runner. The attacker gains the ability to run arbitrary CI jobs in the upstream project, bypassing access controls [1].

Mitigation

GitLab has released fixed versions: 15.3.5, 15.4.4, and 15.5.2. Users should upgrade to these versions or later. No workarounds are documented. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)