VYPR
Unrated severity · NVD Advisory · Published Jan 12, 2023 · Updated Apr 8, 2025

CVE-2022-4167

Description

Incorrect Authorization check affecting all versions of GitLab EE from 13.11 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2 allows group access tokens to continue working even after the group owner loses the ability to revoke them.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In GitLab EE, group access tokens remain active after the group owner's subscription expires, preventing revocation and posing a privilege escalation risk.

Vulnerability

An incorrect authorization check in GitLab EE affects all versions from 13.11 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2. The bug allows group access tokens to continue working even after the group owner loses the ability to revoke them due to a subscription or license change. Specifically, once a group’s paid subscription (Premium or Ultimate) ends, the tokens remain valid via the API, and the UI/API no longer offers a way to revoke them [1].

Exploitation

An attacker does not need prior authentication to exploit this vulnerability; they only need to obtain a valid group access token that was created while the group had a paid subscription. The token grants API access to group resources (e.g., private projects, issues, pipelines) indefinitely after the group’s plan reverts to Free. The group owner cannot revoke the token via the UI or API [1].

Impact

Successful exploitation results in unauthorized continued access to group resources. An attacker in possession of a leaked token can read, modify, or delete private data, exfiltrate information, and destroy group assets without the legitimate owner being able to revoke the access [1].

Mitigation

GitLab has released fixed versions: 15.5.7, 15.6.4, and 15.7.2. Group owners should upgrade immediately. As a workaround, group owners on paid plans should ensure they rotate tokens before subscription changes. GitLab.com users on affected versions cannot revoke tokens after a plan downgrade [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

Root cause

"Missing authorization check allows group access tokens to remain active after the group's paid subscription ends, even though the group owner can no longer revoke them."

Attack vector

An attacker who obtains a leaked group access token can continue using it indefinitely after the group's paid subscription expires [1]. The token remains valid because GitLab does not deactivate tokens when a group downgrades from Premium/Ultimate to Free, and the group owner loses the ability to revoke the token via UI or API [1]. This means a token created during a paid subscription continues providing privileged API access to all group resources even after the subscription ends [1]. The attack requires the token to have been created while the group had a paid plan, and the attacker must obtain the token value (e.g., through accidental public exposure) [1].

Affected code

The advisory does not specify particular functions or files. The bug is described as an "Incorrect Authorization check" affecting GitLab EE versions from 13.11 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2. The issue is specific to GitLab.com (SaaS) because group access tokens are available in the Free tier for self-managed instances [1].

What the fix does

The issue report describes two possible fixes: either group access tokens should stop working when a subscription expires until a new subscription is applied, or the ability to revoke existing tokens should remain available even after the subscription ends [1]. No patch is included in the bundle, so the exact remediation is not shown. The advisory makes clear that the core problem is the missing authorization check that fails to tie token validity to the group's subscription status [1].
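To make the two remediation options and the Mitigation section's workaround concrete, the following Ruby model is an added example and not GitLab's code. It contrasts the pre-fix check the advisory describes (a token is honoured while unexpired and unrevoked, with no regard to whether the owner can still revoke it) with a check that ties validity to the group's plan, keeps revocation independent of the plan, and adds the owner-side inventory of tokens that would otherwise outlive a downgrade. The `Group` and `GroupAccessToken` structures, the plan names, the token value and every helper name are constructed for illustration and do not correspond to GitLab internals.

```ruby
# Added example (not GitLab's code): a simplified model of group access
# token authorization, contrasting the pre-fix check described in the
# advisory with a version that ties token validity to the group's plan.
require 'time'

Group = Struct.new(:name, :plan, keyword_init: true) do
  # Assumption of this model: on the SaaS tier, group access tokens (and
  # the owner's ability to manage them) are only available on paid plans.
  def paid?
    %w[premium ultimate].include?(plan)
  end
end

GroupAccessToken = Struct.new(:value, :group, :expires_at, :revoked,
                              keyword_init: true) do
  def revoked?
    revoked
  end

  def expired?(now)
    !expires_at.nil? && expires_at <= now
  end
end

# Pre-fix behaviour as the advisory describes it: the token is accepted as
# long as it is unexpired and unrevoked, even after the group has dropped
# to Free and the owner has lost every means of revoking it.
def authorize_vulnerable(token, now: Time.now)
  return :denied if token.revoked? || token.expired?(now)
  :granted
end

# Fix option 1 from the issue report: a token created under a paid plan
# stops working as soon as the group is no longer licensed for the feature
# and only works again once a subscription is reapplied.
def authorize_fixed(token, now: Time.now)
  return :denied if token.revoked? || token.expired?(now)
  return :denied_unlicensed unless token.group.paid?
  :granted
end

# Fix option 2: revocation stays available to the owner regardless of plan.
# revoke! deliberately never consults the group's subscription state.
def revoke!(token)
  token.revoked = true
  token
end

# Owner-side inventory for the Mitigation workaround: active tokens whose
# group has since dropped to Free, i.e. tokens the pre-fix check still
# honours but that the owner can no longer revoke in the UI or API.
def orphaned_tokens(tokens, now: Time.now)
  tokens.select do |t|
    authorize_vulnerable(t, now: now) == :granted && !t.group.paid?
  end
end

# Walk one token through a subscription lapse and an explicit revocation,
# returning the decision of both checks at each step.
def demo
  group = Group.new(name: 'acme', plan: 'premium')
  token = GroupAccessToken.new(value: 'glpat-CONSTRUCTED-EXAMPLE', # constructed
                               group: group,
                               expires_at: Time.utc(2030, 1, 1),
                               revoked: false)
  before = [authorize_vulnerable(token), authorize_fixed(token)]
  group.plan = 'free' # the paid subscription lapses
  after = [authorize_vulnerable(token), authorize_fixed(token)]
  revoke!(token)
  revoked = [authorize_vulnerable(token), authorize_fixed(token)]
  { before: before, after_downgrade: after, after_revoke: revoked }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the three decision pairs: both checks grant access while the plan is paid, only the pre-fix check keeps granting after the downgrade, and both deny once the token is revoked. `orphaned_tokens` is the list a group owner would want to walk through and rotate before a planned plan change, since after the change the pre-fix GitLab.com behaviour leaves no way to revoke them.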

Preconditions

  • config: The group must have had a paid Premium/Ultimate subscription at the time the group access token was created
  • config: The group's subscription must have subsequently expired or been downgraded to Free
  • input: The attacker must obtain the group access token value (e.g., through accidental exposure)

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
