VYPR
Unrated severity · NVD Advisory · Published Jul 13, 2023 · Updated Nov 5, 2024

Incorrect Authorization in GitLab

CVE-2023-3444

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to merge arbitrary code into protected branches.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab CE/EE allows attackers to bypass the removal of CODEOWNERS approvals and merge arbitrary code into protected branches, affecting versions 15.3 before 15.11.10, 16.0 before 16.0.6, and 16.1 before 16.1.1.

Vulnerability

An issue in GitLab CE/EE's merge request approval system, when CODEOWNERS are enabled and the setting "Remove approvals by Code Owners if their files changed" is checked, allows an attacker to push new code that modifies files owned by CODEOWNERS without removing the existing approval. This affects all versions starting from 15.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, and all versions starting from 16.1 before 16.1.1. [1]

Exploitation

An attacker with Developer access to the repository can create a merge request with a safe change, obtain approval from a CODEOWNER, then push additional malicious changes to the same branch. The approval is not removed due to the bug, enabling the merge of arbitrary code into protected branches. [1]

Impact

Successful exploitation allows an attacker to merge arbitrary, unapproved code into protected branches, potentially compromising code integrity, CI/CD pipelines, and production environments. [1]

Mitigation

Upgrade to GitLab versions 15.11.10, 16.0.6, or 16.1.1 or later. No workaround is documented in the available reference. [1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing re-evaluation of CODEOWNERS approval after force-push allows previously approved but now-changed code to bypass approval removal."

Attack vector

An attacker with Developer permissions creates a merge request containing a benign change, obtains approval from a required CODEOWNER, then force-pushes amended malicious code (e.g., altering `.gitlab-ci.yml` or other production-critical files) to the same branch. Because the approval-removal check does not re-evaluate after the force-push, the existing CODEOWNER approval remains valid, allowing the attacker to merge arbitrary, unapproved code into a protected branch [1].

Affected code

The vulnerability is in GitLab's merge request approval logic when CODEOWNERS are enabled and the "Remove approvals by Code Owners if their files changed" setting is active. The issue is tracked in the GitLab issue tracker [1]. The exact file paths are not specified in the advisory, but the bug resides in the approval-removal mechanism that fails to detect force-pushed changes to files covered by CODEOWNERS.

What the fix does

The advisory does not include a published patch diff. The expected correct behavior, as stated in the issue, is that when "new code related to CODEOWNERS is pushed, approvals from relevant CODEOWNERS [should be] removed" [1]. A fix therefore has to re-evaluate approvals on every push, including a force-pushed amendment, and remove the prior approvals of any Code Owner whose files changed before the merge is allowed.
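An added illustration of the re-evaluation the fix needs (example code written here, not GitLab's implementation): a simplified CODEOWNERS parser with last-match-wins precedence, a tree diff that takes the approved head and the force-pushed head as path-to-content dicts, and an approval reset applied to whichever Code Owners own the changed paths. The `docs/*` rule and `docs_owner_user` are constructed additions, and the pattern matching is a gitignore-style approximation, not GitLab's matcher.

```python
from fnmatch import fnmatchcase
# Constructed CODEOWNERS content: the page's `* repo_approver_user` rule plus a
# hypothetical narrower rule, so last-match-wins precedence is exercised.
CODEOWNERS_TEXT = """
# everything is owned by the approver from the reproduction steps
* repo_approver_user
docs/* docs_owner_user
"""

def parse_codeowners(text):
    """Return [(pattern, [owners])] in file order, comments and blanks dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            pattern, *owners = line.split()
            rules.append((pattern, [o.lstrip("@") for o in owners]))
    return rules

def _matches(pattern, path):
    # Simplified gitignore-style matching (assumption, not GitLab's matcher):
    # a leading '/' anchors to the repo root; otherwise match the full path or
    # the basename, so `*` and `.gitlab-ci.yml` behave as the page describes.
    if pattern.startswith("/"):
        return fnmatchcase(path, pattern[1:])
    return fnmatchcase(path, pattern) or fnmatchcase(path.rsplit("/", 1)[-1], pattern)

def owners_of(path, rules):
    """Owners of `path`; the last matching rule wins, as in CODEOWNERS."""
    owners = []
    for pattern, rule_owners in rules:
        if _matches(pattern, path):
            owners = rule_owners
    return owners

def changed_paths(approved_tree, new_tree):
    """Paths whose content differs between the approved head and the new head.
    Diffing tree contents, not counting commits, is what catches a force-pushed amend."""
    return sorted(p for p in set(approved_tree) | set(new_tree)
                  if approved_tree.get(p) != new_tree.get(p))

def approvals_after_push(approvals, approved_tree, new_tree, rules):
    """Re-evaluate on every push: drop approvals from any Code Owner whose files
    changed since they approved, keep the rest. Skipping this re-evaluation
    after a force-push is the behaviour the advisory describes."""
    affected = set()
    for path in changed_paths(approved_tree, new_tree):
        affected.update(owners_of(path, rules))
    return [a for a in approvals if a not in affected]
```

With the page's single `*` rule, any amended file strips `repo_approver_user`'s approval, while an owner whose paths did not move keeps theirs.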

Preconditions

  • [config] CODEOWNERS must be enabled in the repository
  • [config] The "Remove approvals by Code Owners if their files changed" setting must be enabled
  • [config] CODEOWNER approval must be mandatory for the target protected branch
  • [auth] The attacker must have Developer permissions on the repository
  • [input] A CODEOWNER must have already approved the merge request

Reproduction

1. Create a GitLab repository and add two users: "repo_approver_user" (Developer) and "repo_attacker_user" (Developer).
2. Enable CODEOWNERS and the "Remove approvals by Code Owners if their files changed" setting in repository settings.
3. Push a CODEOWNERS file to the main branch with content `* repo_approver_user`.
4. Make CODEOWNERS approval mandatory for the protected main branch.
5. From "repo_attacker_user", create a new branch "feature_branch", make a safe change, push it, and create a merge request.
6. Have "repo_approver_user" approve the merge request.
7. Locally amend the commit to introduce arbitrary malicious code, then force-push (`git commit --amend && git push -f`).
8. Observe that the approval remains in place, and merge the malicious code into the protected main branch [1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 1