CVE-2022-4255
Description
An info leak issue was identified in all versions of GitLab EE from 13.7 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 which exposes user email id through webhook payload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab EE 13.7 through 15.6.0 (before the 15.4.6, 15.5.5 and 15.6.1 fixes) leaks hidden user email addresses in group webhook payloads via the member_added event.
Vulnerability
A private email address disclosure exists in GitLab EE 13.7.0 through 15.4.5, 15.5.0 through 15.5.4, and 15.6.0 (fixed in 15.4.6, 15.5.5 and 15.6.1). The issue originates in the group-level member webhook events introduced in GitLab EE 13.7 for Premium groups. When a user is added to a group, the member_added webhook event sends a payload containing the added user's primary email address, even when the user has marked that address as private (hidden) in their profile. The official description [1] and the referenced GitLab issue [1] confirm that the hidden address is disclosed through the webhook payload.
Exploitation
An attacker needs no special network position beyond access to the webhook delivery path: they must be able to read the HTTP request GitLab sends to the configured group webhook URL when a member is added. That is the case when the attacker operates or has compromised the receiving endpoint, can observe traffic to it, or holds a group role that allows configuring a webhook pointing at a host they control. No further authentication is required; the trigger is a routine administrative action in GitLab, adding a user to the group, which fires the webhook automatically.
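Because the leak is only visible on the receiving side, a webhook operator can audit stored delivery bodies for member events that carried an email address. The following is an added example, not code from the page or from GitLab: it runs detection logic over constructed sample deliveries. The event_name values and the user_email field are assumptions taken from the general shape of GitLab's group member-event payload (the page itself calls the event member_added); adjust them to the deliveries you actually log.

```python
import json
from typing import Dict, Iterable, List

# Group member events a group webhook can deliver.  The page refers to the add
# event loosely as "member_added"; the event_name strings and the user_email
# field used here are an assumption of this example, not taken from the page.
MEMBER_EVENTS = {"user_add_to_group", "user_update_for_group", "user_remove_from_group"}

# Constructed sample delivery bodies (not real GitLab traffic): one member event
# that leaks an address, one whose email is empty, one unrelated push event and
# one body that is not JSON at all.
SAMPLE_DELIVERIES = [
    '{"event_name": "user_add_to_group", "group_path": "acme", "user_username": "alice", '
    '"user_email": "alice@example.com", "user_id": 41, "group_access": "Developer"}',
    '{"event_name": "user_add_to_group", "group_path": "acme", "user_username": "bob", '
    '"user_email": "", "user_id": 42, "group_access": "Guest"}',
    '{"event_name": "push", "ref": "refs/heads/main", "user_email": "carol@example.com"}',
    "not json at all",
]


def redact_email(email: str) -> str:
    """Keep the first character of the local part and the domain, so findings can
    be logged without re-leaking the address: 'alice@example.com' -> 'a***@example.com'."""
    local, sep, domain = email.partition("@")
    if not sep or not local:
        return "***"
    return f"{local[0]}***@{domain}"


def audit_deliveries(raw_bodies: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per member-event delivery that carried a non-empty user_email.

    Non-JSON bodies and non-member events are skipped; an empty email on a member
    event is what a patched instance (or an upstream filter) produces, so it is not
    reported either.
    """
    findings: List[Dict[str, object]] = []
    for index, body in enumerate(raw_bodies):
        try:
            payload = json.loads(body)
        except ValueError:
            continue  # not JSON: not a GitLab delivery body
        if not isinstance(payload, dict) or payload.get("event_name") not in MEMBER_EVENTS:
            continue
        email = payload.get("user_email")
        if not email:
            continue
        findings.append(
            {
                "delivery": index,
                "event_name": payload["event_name"],
                "group_path": str(payload.get("group_path", "")),
                "user_username": str(payload.get("user_username", "")),
                "email_redacted": redact_email(str(email)),
            }
        )
    return findings


if __name__ == "__main__":
    for finding in audit_deliveries(SAMPLE_DELIVERIES):
        print(finding)
```

Run against the bodies your webhook receiver persisted; a non-empty result on member events from an instance that is supposedly patched is worth a closer look, and the redacted form keeps the audit log itself from becoming another copy of the private address.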
Impact
Successful exploitation gives the attacker the private (hidden) email address of the user who was added to the group. This information disclosure violates the user's privacy expectation, since the address was deliberately set to private in GitLab. The disclosed address can be used for targeted phishing or spam, or to correlate the user's identity across services. The attacker gains no code execution or elevated privileges; the impact is confined to the confidentiality of a user's hidden email.
Mitigation
GitLab shipped the fix in 15.4.6, 15.5.5, and 15.6.1 (the security release of 2022-11-30; the CVE record itself was published on 2023-01-27). Administrators running GitLab EE 13.7 or later should upgrade to the patched release on their branch. No workaround is documented in the available references [1]; short of upgrading, operators can at least review which group webhooks exist and which endpoints receive their deliveries.
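To decide quickly whether an instance falls in one of the three affected ranges, the version string has to be compared branch by branch rather than as a single interval (15.4.7, for instance, is newer than the 15.4.6 fix and not affected even though it is below 15.5.5). The following is an added example, not code from the page or from GitLab: it parses a GitLab version string such as the one returned by GET /api/v4/version and maps it to the affected range and the fix on that branch. The sample API response is constructed; treating a "-ee" suffix as the Enterprise Edition marker is an assumption of this example.

```python
import json
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the CVE description, as [first affected, first fixed).
# The upper bounds 15.4.6, 15.5.5 and 15.6.1 are the fixed releases.
AFFECTED_RANGES = [
    ((13, 7, 0), (15, 4, 6)),
    ((15, 5, 0), (15, 5, 5)),
    ((15, 6, 0), (15, 6, 1)),
]

# Accepts "15.5.3-ee", "v15.5.3", "15.5" (patch level defaults to 0).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9.]+))?$")

# Constructed sample of what GET /api/v4/version returns (revision is made up).
SAMPLE_VERSION_RESPONSE = '{"version": "15.5.3-ee", "revision": "0123abcd"}'


def parse_gitlab_version(text: str) -> Tuple[Version, Optional[str]]:
    """Split '15.5.3-ee' into ((15, 5, 3), 'ee'); raise on anything unrecognised."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch, suffix = match.groups()
    return (int(major), int(minor), int(patch or 0)), suffix


def fixed_release_for(version: Version) -> Optional[Version]:
    """First fixed release on the branch containing version, or None if not affected."""
    for low, high in AFFECTED_RANGES:
        if low <= version < high:
            return high
    return None


def assess(version_text: str) -> Dict[str, object]:
    """Summarise exposure of one instance from its version string."""
    version, suffix = parse_gitlab_version(version_text)
    fix = fixed_release_for(version)
    return {
        "version": ".".join(map(str, version)),
        # The CVE is scoped to EE; a "-ee" suffix is assumed to mark that edition.
        "edition_is_ee": suffix == "ee",
        "in_affected_range": fix is not None,
        "upgrade_to": ".".join(map(str, fix)) if fix else None,
    }


def assess_version_api_response(body: str) -> Dict[str, object]:
    """Assess the JSON body of GET /api/v4/version (the call needs an authenticated token)."""
    return assess(json.loads(body)["version"])


if __name__ == "__main__":
    for sample in ("15.5.3-ee", "15.4.7-ee", "15.6.0-ee", "15.7.0-ee"):
        print(assess(sample))
    print(assess_version_api_response(SAMPLE_VERSION_RESPONSE))
```

The per-branch ranges matter in both directions: 15.4.6 and 15.4.7 sit below 15.5.5 yet are fixed, while 15.5.0 sits above 15.4.6 yet is affected, so a naive "below 15.6.1" check misclassifies both cases.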
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=13.7, <15.4.6; >=15.5, <15.5.5; >=15.6, <15.6.1
- Range: >=13.7, <15.4.6
Patches
No patches discovered yet.
References