VYPR
Unrated severity · NVD Advisory · Published Oct 2, 2023 · Updated Apr 7, 2026

Incorrect Authorization in GitLab

CVE-2023-5106

Description

An issue has been discovered in Ultimate-licensed GitLab EE affecting all versions starting 13.12 prior to 16.2.8, 16.3.0 prior to 16.3.5, and 16.4.0 prior to 16.4.1 that could allow an attacker to impersonate users in CI pipelines through direct transfer group imports.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Ultimate-licensed GitLab EE allows an attacker to impersonate users in CI pipelines via direct transfer group imports. Affected: 13.12 before 16.2.8, 16.3.0 before 16.3.5, and 16.4.0 before 16.4.1.

Vulnerability

The vulnerability resides in the direct transfer group import feature of Ultimate-licensed GitLab EE (migration of groups between instances, where the destination instance fetches the group and its relations from the source instance over the API). Pipeline records carried over by the import are attributed to users on the destination without adequate authorization of those user associations, so an attacker who controls the imported data can have pipelines attributed to other users. The NVD description does not spell out which check was missing. Affected versions are 13.12 up to but not including 16.2.8, 16.3.0 up to but not including 16.3.5, and 16.4.0 up to but not including 16.4.1. [1]

Exploitation

Direct transfer migrations are started from the destination instance, so the attacker needs an account there that is allowed to import a group (direct transfer must be enabled by an administrator, and the importing user typically needs the Owner role on the destination group) together with an access token for a source instance. Because the destination pulls the data from the source, an attacker who controls the source can serve pipeline records whose user associations reference other users on the destination; after the import those pipelines appear to have been run by the impersonated users. [1]
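As an added illustration of the trust boundary described in the Vulnerability and Exploitation sections, the following Ruby models an importer that attributes pipelines from source-supplied identities, beside a hardened variant that treats those identities as untrusted labels. This is not GitLab code and does not reproduce GitLab's actual fix; the types, the `approved_map` rule, the `attributed_to_others` check and the sample export are assumptions constructed for the example.

```ruby
require 'set'

# Hypothetical models and constructed sample data; not GitLab's classes.
User = Struct.new(:id, :email)
Pipeline = Struct.new(:ref, :user_id)

# User directory of the DESTINATION instance (constructed).
DEST_USERS = [
  User.new(1, 'root@example.com'),
  User.new(2, 'alice@example.com'),
  User.new(3, 'mallory@example.com')
].freeze

def find_dest_user(email)
  DEST_USERS.find { |u| u.email == email }
end

# Pipeline relation as the destination receives it from the SOURCE instance.
# With direct transfer the destination fetches this from the source, so an
# attacker who controls the source controls every field, including 'user'.
FORGED_EXPORT = [
  { 'ref' => 'main',    'user' => { 'email' => 'alice@example.com' } },
  { 'ref' => 'release', 'user' => { 'email' => 'root@example.com' } }
].freeze

# Vulnerable pattern: resolve the source-supplied identity against the
# destination directory and attribute the pipeline to whoever matches.
# A forged email therefore becomes another user's pipeline.
def import_vulnerable(export, importer)
  export.map do |row|
    owner = find_dest_user(row['user']['email']) || importer
    Pipeline.new(row['ref'], owner.id)
  end
end

# Hardened pattern: a source identity may only be mapped to another
# destination user through approved_map, a mapping approved on the
# destination side before the import (hypothetical mechanism). Anything
# not on that list is attributed to the importing user, so the export
# alone can never speak for someone else.
def import_hardened(export, importer, approved_map = {})
  export.map do |row|
    owner_id = approved_map.fetch(row['user']['email'], importer.id)
    Pipeline.new(row['ref'], owner_id)
  end
end

# Post-import check: ids of users other than the importer that now own
# imported pipelines. Non-empty without an approved mapping means the
# importer attributed work to someone else.
def attributed_to_others(pipelines, importer)
  pipelines.map(&:user_id).reject { |id| id == importer.id }.to_set
end

if __FILE__ == $PROGRAM_NAME
  mallory = find_dest_user('mallory@example.com')
  vuln = attributed_to_others(import_vulnerable(FORGED_EXPORT, mallory), mallory)
  hard = attributed_to_others(import_hardened(FORGED_EXPORT, mallory), mallory)
  puts "vulnerable importer attributed pipelines to users #{vuln.to_a.sort.inspect}"
  puts "hardened importer attributed pipelines to users #{hard.to_a.sort.inspect}"
end
```

The point of the hardened variant is not the specific lookup but where the authority for a user mapping lives: on the destination, under the control of someone entitled to grant it, rather than inside data fetched from a source the importer may own.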

Impact

Successful exploitation lets the attacker have CI pipelines on the destination instance attributed to, and effectively run as, another user. This can lead to unauthorized actions and privilege escalation in the pipeline context, and it corrupts the audit trail, since jobs the attacker caused appear to belong to the impersonated user. [1]

Mitigation

Fixed in GitLab EE 16.2.8, 16.3.5 and 16.4.1; upgrade to the fixed release for your minor line or later. Only Ultimate-licensed EE instances are affected. No workaround is mentioned in the available references. As an interim measure not taken from the references, an administrator can disable direct transfer instance-wide (Admin Area > Settings > General > Import and export settings) until the upgrade is applied, and can review pipelines created by recent group imports for unexpected user attribution. [1]
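Because the three affected ranges are easy to misread (the fixed versions are the exclusive upper bounds, not affected versions), here is an added Ruby check that encodes them from the NVD description. It is not a GitLab or NVD tool; `affected?` and `fixed_version_for` are names chosen for this example, and the license condition (Ultimate-licensed EE only) cannot be derived from a version string and must be checked separately.

```ruby
require 'rubygems'

# [lower (inclusive), upper (exclusive)] pairs from the NVD description.
# Example code; the advisory's "all versions starting 13.12 prior to 16.2.8"
# is encoded as 13.12 <= v < 16.2.8, and likewise for the other two lines.
AFFECTED_RANGES = [
  ['13.12',  '16.2.8'],
  ['16.3.0', '16.3.5'],
  ['16.4.0', '16.4.1']
].map { |lo, hi| [Gem::Version.new(lo), Gem::Version.new(hi)] }.freeze

# GitLab reports versions such as "16.2.7-ee". Gem::Version would parse the
# "-ee" suffix as a prerelease tag and sort it below 16.2.7, so strip it
# before comparing.
def normalize(version_string)
  Gem::Version.new(version_string.strip.sub(/-ee\z/, ''))
end

# True when the version lies in an unfixed range (Ultimate license assumed).
def affected?(version_string)
  v = normalize(version_string)
  AFFECTED_RANGES.any? { |lo, hi| v >= lo && v < hi }
end

# Smallest fixed release on the version's line, or nil when not affected.
# Versions below 16.3 resolve to 16.2.8, matching the advisory's first range.
def fixed_version_for(version_string)
  v = normalize(version_string)
  range = AFFECTED_RANGES.find { |lo, hi| v >= lo && v < hi }
  range && range[1].to_s
end

if __FILE__ == $PROGRAM_NAME
  %w[16.2.7-ee 16.3.4-ee 16.4.0-ee 16.4.1-ee 15.11.0-ee].each do |ver|
    status = affected?(ver) ? "affected, upgrade to #{fixed_version_for(ver)}" : 'not affected'
    puts "#{ver}: #{status}"
  end
end
```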

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
