CVE-2022-4331
Description
An issue has been discovered in GitLab EE affecting all versions starting from 15.1 before 15.7.8, all versions starting from 15.8 before 15.8.4, and all versions starting from 15.9 before 15.9.2. If a group with SAML SSO enabled is transferred to a new namespace as a child group, it is possible that a previously removed malicious maintainer or owner of the child group can still gain access to the group via SSO or a SCIM token to perform actions on the group.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab EE SAML SSO settings become invisible after group transfer, letting removed malicious members regain access via SSO or SCIM token.
Vulnerability
An issue in GitLab EE affects all versions starting from 15.1 before 15.7.8, all versions starting from 15.8 before 15.8.4, and all versions starting from 15.9 before 15.9.2. When a group that has SAML SSO enabled is transferred to a new namespace as a child group, the SAML SSO configuration options become invisible in the UI, but the underlying SSO and SCIM token settings remain active. This allows a previously removed malicious maintainer or owner of the child group to continue using their SSO access or a leaked SCIM token to perform actions on the group [1].
Exploitation
An attacker who was previously a maintainer or owner of the group, and who was removed from it after the transfer, can exploit the bug simply by initiating an SSO login to the group, because their existing SSO session or SCIM token remains valid. The new group owner cannot revoke the SSO access because the settings are invisible. Additionally, if a SCIM token was created before the transfer and is known to the attacker (e.g., leaked), it can be used to provision new users in the group with elevated permissions. The attack requires no special network position beyond the ability to initiate authentication to the GitLab instance [1].
Impact
Successful exploitation allows the attacker to regain access to the transferred group with the same privileges they had before removal (maintainer or owner). This leads to unauthorized access to group resources, possible data exfiltration, privilege escalation, and continued control over the group. Additionally, the SSO feature, which is normally a paid-tier capability, can still be used after the group is moved to a namespace on a free plan, enabling unauthorized use of a paid feature [1].
Mitigation
GitLab released fixed versions: 15.7.8, 15.8.4, and 15.9.2. Users should upgrade to these or later versions. If upgrading is not immediately possible, administrators can restrict group transfers or closely audit group ownership after transfers. No specific workaround for SSO or SCIM tokens is provided in the advisory. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=15.1, <15.7.8 || >=15.8, <15.8.4 || >=15.9, <15.9.2
- Range: >=15.1, <15.7.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.