Authentication Bypass Using an Alternate Path or Channel in GitLab
Description
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.7.6, all versions starting from 16.8 before 16.8.3, and all versions starting from 16.9 before 16.9.1. Under some specialized conditions, an LDAP user may be able to reset their password using their verified secondary email address and sign in using direct authentication with the reset password, bypassing LDAP.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LDAP users in GitLab can bypass LDAP authentication by resetting their password via a verified secondary email, due to insufficient checks.
Vulnerability
In GitLab CE/EE versions from 16.1 before 16.7.6, from 16.8 before 16.8.3, and from 16.9 before 16.9.1, the password reset flow fails to check whether the account is an LDAP user when the reset is requested with a secondary email. Normally, LDAP users are prevented from using password authentication, but the per-user check User#allow_password_authentication? is applied only before sending the reset email for the primary email address. For secondary emails, only the global password_authentication_enabled_for_web? setting is checked, so a reset email is sent to an LDAP user who has a confirmed secondary email. [1]
Exploitation
An attacker who is an LDAP user with a confirmed secondary email can initiate a password reset using that secondary email. The system sends a reset link. The attacker can then set a new password and sign in using direct password authentication, bypassing the LDAP server. No additional privileges or network position are required beyond having a valid LDAP account with a confirmed secondary email. [1]
Impact
Successful exploitation allows an LDAP user to gain direct password-based authentication to GitLab, bypassing LDAP authentication. This could lead to unauthorized access if the LDAP server enforces additional restrictions, or allow the user to maintain access even if their LDAP account is disabled. The confidentiality, integrity, and availability impact depends on the user's permissions within GitLab. [1]
Mitigation
GitLab has released fixed versions: 16.7.6, 16.8.3, and 16.9.1. Users should upgrade to these versions or later. As a workaround, disabling password authentication for the web interface globally (so that password_authentication_enabled_for_web? returns false) mitigates the vulnerability, because the reset email is then not sent on either path. [1]
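The gate described under Vulnerability, and the corrected check the fix implies, as a simplified Ruby model added here; this is not GitLab's code, and Settings, User, vulnerable_send_reset? and fixed_send_reset? are names assumed for the example:

```ruby
# Simplified model of the password-reset gate (constructed for illustration,
# not GitLab's implementation). The bug is a missing per-user check on the
# secondary-email path; the fix applies the check before any reset email.

class Settings
  def initialize(password_auth_for_web)
    @password_auth_for_web = password_auth_for_web
  end

  # Global switch: "Allow password authentication for the web interface".
  def password_authentication_enabled_for_web?
    @password_auth_for_web
  end
end

class User
  attr_reader :primary_email, :confirmed_secondary_emails

  def initialize(primary_email:, confirmed_secondary_emails: [], ldap: false)
    @primary_email = primary_email
    @confirmed_secondary_emails = confirmed_secondary_emails
    @ldap = ldap
  end

  # LDAP-managed accounts must never use local password authentication.
  def allow_password_authentication?
    !@ldap
  end
end

# Vulnerable gate: the per-user check guards only the primary-email path,
# so an LDAP user's confirmed secondary email still receives a reset link.
def vulnerable_send_reset?(user, email, settings)
  return false unless settings.password_authentication_enabled_for_web?

  if email == user.primary_email
    user.allow_password_authentication?
  else
    user.confirmed_secondary_emails.include?(email) # no LDAP check here
  end
end

# Fixed gate: the per-user check is applied regardless of which address
# was used, so the global setting alone can no longer admit an LDAP user.
def fixed_send_reset?(user, email, settings)
  return false unless settings.password_authentication_enabled_for_web?
  return false unless user.allow_password_authentication?

  email == user.primary_email || user.confirmed_secondary_emails.include?(email)
end
```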
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: >=16.1, <16.7.6; >=16.8, <16.8.3; >=16.9, <16.9.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
gitlab.com/gitlab-org/gitlab/-/issues/438144 (mitre; issue-tracking; permissions-required)
News mentions
GitLab Security Release: 16.9.1, 16.8.3, 16.7.6 (GitLab Security Releases, Feb 21, 2024)