
A group member who joined by requesting access can access the group without setting up 2FA despite the group requiring 2FA for all members

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2919391 by salh4ckr on 2025-01-01, assigned to @ngeorge1:


Report

Summary

Hello, Happy New Year,

GitLab has a group protection option that restricts access to only members with 2FA enabled on their accounts ([more here]),

but I found a weird behavior where this 2FA enforcement does not apply to members who self-requested access to a group.

Steps to reproduce
As OWNER
  1. Create Group A and apply an Ultimate trial.

  2. Go to Group A settings (-/edit#js-permissions-settings) and enable the option called "All users in this group must set up two-factor authentication".

As User 1
  1. Go to https://gitlab.com/groups/Group A

  2. Click the three dots in the right corner and click Request access.

As OWNER

  1. Go to groupA/-/group_members, click on Access requests, and accept User 1.

  2. Add User 2 as a member, so now your group has 2 members.

As User 1

  1. Go to Group A; you will see that you have access to the group.

As User 2

  1. Go to Group A; you will see that you don't have access until you set up 2FA.

Video
2FA.mp4

What is the current bug behavior?

2FA enforcement on a group does not apply to group members who joined the group by requesting access.

What is the expected correct behavior?

2FA enforcement should apply to all group members.

Impact

A group member who joined by requesting access can access the group without setting up 2FA. This puts the group at risk of unauthorized access even if the owner protected the group by requiring 2FA before access is granted.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: