CVE-2023-1621
Description
An issue has been discovered in GitLab EE affecting all versions starting from 12.0 before 15.10.5, all versions starting from 15.11 before 15.11.1. A malicious group member may continue to commit to projects even from a restricted IP address.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab EE fails to enforce IP address restrictions for git commits, allowing malicious group members to commit from blocked IPs.
Vulnerability
An IP address restriction bypass vulnerability exists in GitLab EE. Affected versions are all starting from 12.0 before 15.10.5, and all starting from 15.11 before 15.11.1 [1]. The issue allows a group member whose IP address is blocked by group-level IP restrictions to still commit to projects via the API [1].
Exploitation
An attacker must be a maintainer or higher role in the target group and have their IP address added to the restricted list by the owner [1]. The attacker can then send a crafted GraphQL mutation to the commitCreate endpoint, bypassing the IP check [1].
Impact
Successful exploitation allows the attacker to continue making commits to projects in the group despite their IP being banned, undermining the security policy intended to restrict access [1].
Mitigation
Upgrade to GitLab EE version 15.10.5, 15.11.1, or later [1]. No workaround is available.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=12.0, <15.10.5
- Range: >=15.11, <15.11.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing IP address validation in the commitCreate GraphQL mutation allows users on restricted IP addresses to bypass group-level IP restrictions and commit to projects."
Attack vector
An attacker who is a group member (e.g., a maintainer) whose IP address falls outside the ranges the group owner permits can still commit to projects by calling the `commitCreate` GraphQL mutation directly. The group owner configures the restriction under group settings, and it blocks the member from reaching the project via the web UI (the project tree returns a 404). The attacker nevertheless sends a GraphQL request to `/api/graphql` with a valid session cookie and CSRF token, specifying the project path, branch, and file changes, and the commit is accepted without any IP address check [1].
Affected code
The vulnerability affects the IP address restriction enforcement in GitLab EE: the `commitCreate` GraphQL mutation does not check the caller's IP address against the group's "Restrict access by IP address" setting, while the web UI and other API endpoints do. That setting is an allowlist of permitted IP ranges configured on a top-level group, so a member connecting from an address outside those ranges is supposed to be treated as if the group did not exist (404); the mutation sidesteps that decision and performs the write anyway.
What the fix does
The advisory does not include a published patch diff. Based on the issue description, the fix must add IP address validation to the `commitCreate` GraphQL mutation so that the caller's address is checked against the group's "Restrict access by IP address" setting before the commit operation runs, mirroring the enforcement already present in the web UI and other API endpoints. A correct fix performs the check before any repository write and resolves the caller's address the same way the rest of the application does (trusting forwarded headers only from configured proxies), so the mutation cannot be reached from a spoofed address either.
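What the missing check looks like in practice, as an added illustration and not GitLab's own code (GitLab is written in Ruby and its actual patch is not on this page): the caller's address is resolved, compared with the top-level group's allowed ranges using `ipaddress`, and the commit is refused before anything is written. The setting format (comma-separated addresses or CIDRs), the `FakeRepo` stand-in, the request dictionary shape and the `trusted_proxies` parameter are all assumptions made for the example.

```python
"""Sketch of the IP-restriction guard that commitCreate needs.

Added example for this page; structure, names and the setting format are
assumed and do not come from GitLab's source or patch.
"""
import ipaddress
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allowed_ranges(setting: str) -> List[Network]:
    """Assumed storage format: comma-separated addresses or CIDR ranges.
    Invalid entries raise rather than being skipped, so a typo cannot
    silently widen access."""
    ranges: List[Network] = []
    for item in setting.split(","):
        item = item.strip()
        if item:
            ranges.append(ipaddress.ip_network(item, strict=False))
    return ranges


def ip_allowed(client_ip: str, setting: str) -> bool:
    """Empty setting = no restriction. Otherwise the address must fall inside
    at least one configured range (a v6 address never matches a v4 range)."""
    ranges = parse_allowed_ranges(setting)
    if not ranges:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ranges if net.version == addr.version)


def client_address(remote_addr: str, forwarded_for: Optional[str],
                   trusted_proxies: str) -> str:
    """Honour X-Forwarded-For only when the direct peer is a trusted proxy;
    otherwise a member could spoof an allowed address in the header.
    Assumes a single proxy hop, so the last entry is the one our proxy added."""
    if forwarded_for and trusted_proxies and ip_allowed(remote_addr, trusted_proxies):
        return forwarded_for.split(",")[-1].strip()
    return remote_addr


class FakeRepo:
    """Constructed stand-in for the repository; records accepted commits."""

    def __init__(self) -> None:
        self.commits: list = []

    def commit(self, branch: str, message: str, actions: list) -> str:
        sha = "%040x" % (len(self.commits) + 1)
        self.commits.append((sha, branch, message, actions))
        return sha


def commit_create(request: dict, top_level_group: dict, repo: FakeRepo) -> dict:
    """Guarded mutation handler. The check runs before the write, and a denied
    caller gets a 'not found' answer like the web UI gives, so the response
    does not confirm that the project exists."""
    ip = client_address(request["remote_addr"], request.get("x_forwarded_for"),
                        request.get("trusted_proxies", ""))
    if not ip_allowed(ip, top_level_group.get("ip_restriction_ranges", "")):
        return {"commit": None, "errors": ["not found"], "status": 404}
    sha = repo.commit(request["branch"], request["message"], request["actions"])
    return {"commit": {"sha": sha}, "errors": [], "status": 200}


if __name__ == "__main__":
    repo = FakeRepo()
    group = {"ip_restriction_ranges": "10.0.0.0/8, 192.168.1.0/24"}
    denied = {"remote_addr": "203.0.113.9", "branch": "main",
              "message": "probe", "actions": []}
    print(commit_create(denied, group, repo))
    print(commit_create(dict(denied, remote_addr="10.9.9.9"), group, repo))
```

The order matters: the guard sits at the top of the handler, so a denied request never reaches the repository, and `client_address` ignores `X-Forwarded-For` unless the peer is one of the configured proxies.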
Preconditions
- auth: The attacker must be a member (e.g., maintainer) of the target group/project.
- config: The group owner must have configured IP address restrictions that block the attacker's IP address.
- input: The attacker must have a valid session cookie and CSRF token for the GitLab instance.
- network: The attacker must have network access to the GitLab API endpoint (e.g., gitlab.com).
Reproduction
1. As group owner, create a group and project and add a maintainer. Navigate to the group settings at `/groups/YOUR_GRP/-/edit#js-permissions-settings` and add the maintainer's IP address under "Restrict access by IP address".
2. As the maintainer, verify that accessing the project tree at `/GRP/PROJECT/-/tree/main` returns a 404.
3. As the maintainer, send a GraphQL mutation request to `POST /api/graphql` with a valid session cookie and CSRF token, using the following payload (adjusting projectPath, branch, and filePath as needed):

```json
{
  "query": "mutation MyMutation { commitCreate(input: { projectPath: \"test645811/project-1\", branch: \"main\", message: \"This is a Commit\", actions: [{ action: UPDATE, filePath: \"README.md\", content: \"This is a test content\", encoding: TEXT }] }) { commit { author { name } } } }",
  "variables": null,
  "operationName": "MyMutation"
}
```

4. Verify the commit is created successfully. As the owner, confirm the new commit appears in the project [1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.