VYPR
Unrated severity · NVD Advisory · Published Jan 12, 2023 · Updated Apr 9, 2025

CVE-2022-3870

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. GitLab allows unauthenticated users to download user avatars using the victim's user ID, on private instances that restrict public level visibility.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab CE/EE allows unauthenticated attackers to download user avatars by user ID on private instances, leading to information disclosure.

Vulnerability

GitLab CE/EE versions starting from 10.0 before 15.5.7, all versions from 15.6 before 15.6.4, and all versions from 15.7 before 15.7.2 contain an Insecure Direct Object Reference (IDOR) vulnerability in the avatar download endpoint. The endpoint https://{company_domain}/uploads/-/system/user/avatar/{user_id}/avatar.png does not enforce authentication on private instances that restrict public level visibility, allowing unauthenticated access to user avatars [1].

Exploitation

An unauthenticated attacker can send a GET request to the vulnerable URL, replacing {user_id} with a valid user ID. No cookies or tokens are required. By iterating through user IDs (e.g., 1, 2, 3, ...), the attacker can download avatars of any user who has uploaded a profile picture. This can be done with tools like curl or a browser [1].

Impact

Successful exploitation allows the attacker to retrieve avatars of all users on the GitLab instance, including corporate photos or personal images. This constitutes information disclosure and a privacy violation, potentially exposing sensitive visual data. No other impact (e.g., code execution or data modification) is reported [1].

Mitigation

GitLab has released fixed versions: 15.5.7, 15.6.4, and 15.7.2. Users should upgrade to one of these versions or later. No workaround is documented; if an upgrade is not immediately possible, administrators may consider restricting access to the uploads directory via web server rules, though this is not officially recommended [1].
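To turn the version ranges above into a check that can run in an inventory or upgrade script, here is an added example (not GitLab's code and not part of the advisory). It encodes the three affected ranges exactly as the advisory states them and reports which fixed release a given installation should move to. The version-string parsing is an assumption: it accepts the usual `MAJOR.MINOR.PATCH` form, tolerates a leading `v` and ignores suffixes such as `-ee`, which it treats as not changing the affected status.

```python
"""Check whether a GitLab CE/EE version falls inside the ranges the
CVE-2022-3870 advisory lists.  Added example, not GitLab's own code."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as stated in the advisory: [start, fixed) per line.
AFFECTED_RANGES = [
    ((10, 0, 0), (15, 5, 7)),
    ((15, 6, 0), (15, 6, 4)),
    ((15, 7, 0), (15, 7, 2)),
]


def parse_version(text: str) -> Version:
    """Parse '15.5.6', 'v15.5.6' or '15.5.6-ee' into a comparable tuple.

    Assumption: a missing patch component means .0 and any suffix after the
    numeric part (e.g. '-ee') does not change the affected status.
    """
    m = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def fixed_version_for(version_text: str) -> Optional[str]:
    """Return the fixed release the running version should be upgraded to,
    or None when the version lies outside every affected range."""
    v = parse_version(version_text)
    for start, fixed in AFFECTED_RANGES:
        if start <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def is_affected(version_text: str) -> bool:
    """True when the version is inside one of the advisory's ranges."""
    return fixed_version_for(version_text) is not None


if __name__ == "__main__":
    for sample in ("15.5.6", "15.6.3-ee", "15.7.1", "15.7.2", "9.5.0"):
        target = fixed_version_for(sample)
        print(f"{sample:>10}: {'upgrade to ' + target if target else 'not in affected ranges'}")
```

Because the three ranges are contiguous (15.5.7 is below 15.6.0, and 15.6.4 is below 15.7.0), any version from 10.0.0 up to but excluding 15.7.2 maps to exactly one fixed release, which is what the loop relies on.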

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing authorization check on the user avatar endpoint allows unauthenticated access to avatars by user ID."

Attack vector

An unauthenticated attacker can enumerate user IDs (e.g., 1, 2, 3, ...) and send GET requests to `https://{company_domain}/uploads/-/system/user/avatar/{user_id}/avatar.png` [1]. The server returns the avatar image if the user exists and has uploaded one, or a 404 if the user does not exist or has no avatar [1]. This IDOR vulnerability allows attackers to download user avatars—potentially corporate photos—without any authorization, even on private GitLab instances that restrict public-level visibility [1].
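The request pattern described above (many distinct `{user_id}` values from one client, with a mix of image responses and 404s for IDs that have no avatar) is what a defender can look for in web server access logs while an instance is still on an affected version. The following is an added detection example, not part of the advisory or of GitLab. It assumes the common "combined" access-log line format and runs over a constructed sample in which one client walks IDs 1 through 6 and another client fetches a single avatar during normal browsing.

```python
"""Flag clients that enumerate the avatar endpoint described in CVE-2022-3870.
Added example with a constructed log sample; not GitLab's code."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# The exact path shape from the advisory; the captured group is the user ID.
AVATAR_RE = re.compile(r"/uploads/-/system/user/avatar/(\d+)/avatar\.png")

# Assumption: combined log format
#   ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_LOG = """\
203.0.113.9 - - [12/Jan/2023:10:00:01 +0000] "GET /uploads/-/system/user/avatar/1/avatar.png HTTP/1.1" 200 5120 "-" "curl/7.85.0"
203.0.113.9 - - [12/Jan/2023:10:00:02 +0000] "GET /uploads/-/system/user/avatar/2/avatar.png HTTP/1.1" 200 4871 "-" "curl/7.85.0"
203.0.113.9 - - [12/Jan/2023:10:00:02 +0000] "GET /uploads/-/system/user/avatar/3/avatar.png HTTP/1.1" 404 153 "-" "curl/7.85.0"
203.0.113.9 - - [12/Jan/2023:10:00:03 +0000] "GET /uploads/-/system/user/avatar/4/avatar.png HTTP/1.1" 404 153 "-" "curl/7.85.0"
203.0.113.9 - - [12/Jan/2023:10:00:03 +0000] "GET /uploads/-/system/user/avatar/5/avatar.png HTTP/1.1" 200 6011 "-" "curl/7.85.0"
203.0.113.9 - - [12/Jan/2023:10:00:04 +0000] "GET /uploads/-/system/user/avatar/6/avatar.png HTTP/1.1" 404 153 "-" "curl/7.85.0"
198.51.100.4 - - [12/Jan/2023:10:00:05 +0000] "GET /uploads/-/system/user/avatar/42/avatar.png HTTP/1.1" 200 5230 "https://gitlab.example/" "Mozilla/5.0"
198.51.100.4 - - [12/Jan/2023:10:00:06 +0000] "GET /group/project HTTP/1.1" 200 22310 "-" "Mozilla/5.0"
"""


def avatar_requests(log_text: str) -> Dict[str, List[Tuple[int, int]]]:
    """Group (user_id, status) pairs of avatar GETs by client IP."""
    by_ip: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        ip, method, path, status = m.groups()
        a = AVATAR_RE.search(path)
        if method == "GET" and a:
            by_ip[ip].append((int(a.group(1)), int(status)))
    return by_ip


def find_enumerators(log_text: str, min_ids: int = 5,
                     min_404_ratio: float = 0.3) -> Dict[str, dict]:
    """Return clients that requested at least `min_ids` distinct avatar IDs
    and either hit a notable share of 404s (IDs with no avatar) or walked a
    near-contiguous ID range, both of which are signs of enumeration rather
    than ordinary page rendering."""
    flagged: Dict[str, dict] = {}
    for ip, hits in avatar_requests(log_text).items():
        ids = {uid for uid, _ in hits}
        if len(ids) < min_ids:
            continue
        not_found_ratio = sum(1 for _, st in hits if st == 404) / len(hits)
        # A span no larger than 1.5x the number of distinct IDs means the
        # client walked the ID space almost sequentially.
        sequential = (max(ids) - min(ids) + 1) <= len(ids) * 1.5
        if not_found_ratio >= min_404_ratio or sequential:
            flagged[ip] = {
                "distinct_ids": len(ids),
                "not_found_ratio": round(not_found_ratio, 2),
                "sequential": sequential,
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {info}")
```

The thresholds are starting points, not tuned values: a page that renders many avatars (a members list, for instance) produces several distinct IDs from one client but with image responses rather than 404s, which is why the 404 share and the contiguity of the IDs are weighed alongside the raw count.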

Affected code

The vulnerable endpoint is `/uploads/-/system/user/avatar/{user_id}/avatar.png`, which serves user avatars without requiring authentication [1]. The issue affects GitLab CE/EE versions starting from 10.0 before 15.5.7, 15.6 before 15.6.4, and 15.7 before 15.7.2.

What the fix does

The advisory does not include a patch diff, but the fix is described as requiring that avatar access be restricted on private instances where public-level visibility is disabled [1]. The expected correct behavior is that, at minimum in enterprise GitLab instances, an attacker must not be able to view users' private avatars without authorization [1]. No patch code is provided in the bundle.

Preconditions

  • [config] The target GitLab instance must be a private/enterprise instance that restricts public-level visibility (or a public instance, though the impact is lower)
  • [input] The attacker must know or be able to enumerate valid user IDs (e.g., 1, 2, 3, ...)
  • [input] The target user must have uploaded an avatar

Reproduction

1. Identify a user ID (e.g., from profile settings at `https://{company_domain}/-/profile` or by enumeration).
2. Send an unauthenticated GET request to `https://{company_domain}/uploads/-/system/user/avatar/{user_id}/avatar.png` using curl, a browser, or any HTTP tool.
3. Observe the avatar image in the response if the user exists and has an avatar; otherwise a 404 is returned [1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0 (no linked articles in our index yet)