VYPR
Unrated severity · NVD Advisory · Published Feb 21, 2024 · Updated Nov 20, 2025

Incorrect Privilege Assignment in GitLab

CVE-2023-6477

Description

An issue has been discovered in GitLab EE affecting all versions starting from 16.5 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. When a user is assigned a custom role with admin_group_member permission, they may be able to make a group, other members or themselves Owners of that group, which may lead to privilege escalation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In GitLab EE, users with a custom role having admin_group_member permission can escalate privileges to Owner by inviting a group they control.

Vulnerability

An issue in GitLab EE affects all versions from 16.5 before 16.7.6, from 16.8 before 16.8.3, and from 16.9 before 16.9.1. Users assigned a custom role with the admin_group_member permission (based on Guest) can exploit a bypass of the CVE-2023-6396 fix to escalate privileges. The vulnerability allows such a user to invite an external group in which they are an Owner, thereby gaining Owner access to the target group [1].

Exploitation

An attacker needs a custom role with admin_group_member permission on a target group. The attacker creates a separate group where they are Owner. Then, using the "Invite group" feature on the target group, they invite their own group at the maximum membership role (Owner). This grants the attacker Owner privileges on the target group [1].

Impact

Successful exploitation results in privilege escalation from Guest (or the base role) to Owner of the target group. The attacker gains full control over the group, including the ability to manage members, projects, and settings [1].

Mitigation

GitLab has released fixed versions: 16.7.6, 16.8.3, and 16.9.1. Users should upgrade to these versions or later. No workaround is available; upgrading is the recommended mitigation [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing role-level restriction on group-to-group invitations allows users with the admin_group_member permission to invite groups at a higher role than their own base role permits."

Attack vector

An attacker who has been assigned a custom role with `admin_group_member` permission (based on Guest) can escalate to Owner of the target group. The attacker first creates their own group where they are Owner. Then, using the "Invite group" feature on the target group, they invite their own group with the "Owner" role. Because the fix for CVE-2023-6396 only restricted inviting individual users at a higher role, the group invitation path was left unrestricted [ref_id=1]. The attacker can also change an existing group member's role to Owner directly. This results in privilege escalation from a low-privilege custom role to full group Owner.

Affected code

The vulnerability exists in the group membership invitation logic. When a user with a custom role that includes the `admin_group_member` permission (based on Guest) invites a group (rather than an individual user) to the target group, the system does not enforce the same role-level restriction that was applied to individual user invitations in the CVE-2023-6396 fix. The issue is tracked in GitLab issue #433463 [ref_id=1].

What the fix does

The advisory does not include a published patch diff (none is available in the bundle), but the expected fix is described in the issue: custom roles should only be allowed to invite groups at a role level at or below their own maximum permitted role, mirroring the restriction already applied to individual user invitations [ref_id=1]. The fix was released in GitLab EE versions 16.7.6, 16.8.3, and 16.9.1.
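To make the missing check concrete, here is an added illustrative model of the membership authorization logic described in the Attack vector, Affected code and What the fix does sections. It is not GitLab's source: the access-level constants follow GitLab's numeric scale (Guest=10 to Owner=50), but `CustomRole`, `Member`, `MembershipPolicy` and the `cap_group_invites` switch are assumptions used to contrast the two behaviours. With the switch off, only the single-user invite path enforces the "no higher than your own base role" cap (the CVE-2023-6396 fix); with it on, group invites and direct role changes are capped the same way, which is the fix the issue describes.

```ruby
# Illustrative model, not GitLab source: access levels use GitLab's numeric
# scale; class, method and parameter names are assumptions for this example.
GUEST      = 10
REPORTER   = 20
DEVELOPER  = 30
MAINTAINER = 40
OWNER      = 50

# A custom role is a base role plus granular permissions such as
# :admin_group_member. A custom role never raises the base access level.
CustomRole = Struct.new(:base_access_level, :permissions, keyword_init: true)

# A member's standing in a group: a plain role, optionally refined by a custom role.
Member = Struct.new(:name, :access_level, :custom_role, keyword_init: true) do
  # Highest level this member may grant to anyone else.
  def max_grantable_level
    custom_role ? custom_role.base_access_level : access_level
  end

  def can_admin_members?
    return true if access_level >= OWNER
    !custom_role.nil? && custom_role.permissions.include?(:admin_group_member)
  end
end

# Authorization policy for the membership-changing actions the advisory discusses.
# cap_group_invites: false models the vulnerable behaviour, where only the
# single-user invite path enforced the cap; true models the described fix.
class MembershipPolicy
  def initialize(cap_group_invites:)
    @cap_group_invites = cap_group_invites
  end

  # Inviting one user at requested_level (capped since the CVE-2023-6396 fix).
  def allow_user_invite?(actor, requested_level)
    actor.can_admin_members? && requested_level <= actor.max_grantable_level
  end

  # Inviting (sharing with) a whole group at requested_level.
  def allow_group_invite?(actor, requested_level)
    return false unless actor.can_admin_members?
    return true unless @cap_group_invites          # vulnerable: no cap on this path
    requested_level <= actor.max_grantable_level   # fixed: same cap as user invites
  end

  # Changing an existing member's role to requested_level; modelled with the
  # same switch (assumption, the issue text only details the group-invite path).
  def allow_role_change?(actor, requested_level)
    return false unless actor.can_admin_members?
    return true unless @cap_group_invites
    requested_level <= actor.max_grantable_level
  end
end

# When group B is shared into group A at share_level, a member of B holds
# min(level in B, share_level) in A. This is why sharing a group you own at
# Owner yields Owner on the target.
def effective_level(level_in_invited_group, share_level)
  [level_in_invited_group, share_level].min
end

# Level the actor ends up with on the target after attempting a group invite
# under the given policy; unchanged if the invite is denied.
def level_after_group_invite(policy, actor, level_in_own_group, requested_level)
  return actor.access_level unless policy.allow_group_invite?(actor, requested_level)
  [actor.access_level, effective_level(level_in_own_group, requested_level)].max
end

# Constructed scenario mirroring the advisory: a Guest-based custom role
# carrying admin_group_member on the target group.
GUEST_ADMIN_ROLE = CustomRole.new(base_access_level: GUEST,
                                  permissions: [:admin_group_member])
ACTOR = Member.new(name: "custom_role_user", access_level: GUEST,
                   custom_role: GUEST_ADMIN_ROLE)

VULNERABLE = MembershipPolicy.new(cap_group_invites: false)
FIXED      = MembershipPolicy.new(cap_group_invites: true)

if __FILE__ == $PROGRAM_NAME
  [["vulnerable", VULNERABLE], ["fixed", FIXED]].each do |label, policy|
    puts "#{label}: user invite at Owner allowed?  #{policy.allow_user_invite?(ACTOR, OWNER)}"
    puts "#{label}: group invite at Owner allowed? #{policy.allow_group_invite?(ACTOR, OWNER)}"
    puts "#{label}: resulting level on target    = #{level_after_group_invite(policy, ACTOR, OWNER, OWNER)}"
  end
end
```

The useful property to test in a real deployment is the last one: for every path that can add or change a membership (user invite, group share, role edit, and any API equivalent), the resulting access level must never exceed the caller's own base role unless the caller is an Owner. Checking only the path the previous fix touched is exactly what left this bypass open.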

Preconditions

  • config: The target group must be public or internal (or otherwise allow group invitations/access requests)
  • auth: The attacker must be assigned a custom role with the admin_group_member permission, based on Guest
  • input: The attacker must have access to create their own group where they are Owner
  • network: The attacker must be able to access the target group's member invitation page

Reproduction

1. As victim_user, create a private Ultimate group and a custom role based on Guest with `admin_group_member` checked. Invite attacker_user as that custom role.
2. As attacker_user, create a new group called `attacker_group`.
3. Navigate to the target group's member page, click "Invite group", search for `attacker_group`, select it, and set the role to `Owner`. Click invite.
4. Refresh the page; attacker_user is now Owner of the target group [ref_id=1].

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 1