A group member who joined by requesting access can access the group without setting up 2FA despite the group requiring 2FA for all members

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2919391 by salh4ckr on 2025-01-01, assigned to @ngeorge1:


Report

Summary

Hello, happy New Year,

GitLab has a group protection option that restricts access to only members with 2FA enabled on their accounts [more here].

But I found weird behavior where this 2FA enforcement does not apply to members who self-requested access to a group.

Steps to reproduce
As OWNER
  1. Create Group A and apply an Ultimate trial

  2. Go to Group A settings (-/edit#js-permissions-settings) and enable the option called "All users in this group must set up two-factor authentication"

As User 1
  1. Go to https://gitlab.com/groups/Group A

  2. Click on the 3 dots in the right corner and click on Request access

As OWNER

  1. Go to groupA/-/group_members, click on Access requests and accept the user

  2. Add User 2 as a member, so now your group has 2 members.

As User 1

  1. Go to Group A; you will see that you have access to the group

As User 2

  1. Go to Group A; you will see that you don't have access until you set up 2FA

Video

What is the current bug behavior?

2FA enforcement on a group does not apply to group members who joined the group by requesting access.

What is the expected correct behavior?

2FA enforcement should apply to all group members.

Impact

A group member who joined by requesting access can access the group without setting up 2FA. This puts the group at risk of unauthorized access even if the owner protected his/her group by requiring 2FA before accessing it.
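Until the enforcement gap is fixed, an owner or administrator can still find members who are inside a 2FA-required group without 2FA, whichever way they joined. The script below is an added example (not code from the report or from GitLab) of such an audit; it assumes the GitLab REST API fields `require_two_factor_authentication` on a group and `two_factor_enabled` on a user record (visible to administrators), the `PRIVATE-TOKEN` header, and uses constructed sample data so the core check runs offline.

```python
import json
import urllib.request

# Constructed sample data shaped like GitLab REST responses. Field names are
# assumed from the public API (GET /groups/:id, GET /groups/:id/members/all,
# GET /users/:id as an administrator); nothing here is taken from the report.
GROUP = {"id": 42, "full_path": "group-a", "require_two_factor_authentication": True}
MEMBERS = [
    {"id": 1, "username": "owner", "access_level": 50},
    {"id": 2, "username": "user1", "access_level": 30},  # joined via access request
    {"id": 3, "username": "user2", "access_level": 30},  # added directly by the owner
]
USERS = {
    1: {"id": 1, "username": "owner", "two_factor_enabled": True},
    2: {"id": 2, "username": "user1", "two_factor_enabled": False},
    3: {"id": 3, "username": "user2", "two_factor_enabled": False},
}


def members_without_2fa(group, members, lookup_user):
    """Return usernames of members who lack 2FA although the group requires it.

    lookup_user(user_id) must return the user record (with two_factor_enabled).
    Grace periods are ignored: anyone without 2FA is reported, whether they were
    added by an owner or admitted through an access request.
    """
    if not group.get("require_two_factor_authentication"):
        return []
    return [m["username"] for m in members
            if not lookup_user(m["id"]).get("two_factor_enabled", False)]


def gitlab_get(base_url, token, path):
    """Minimal authenticated GET against the GitLab REST API (v4)."""
    req = urllib.request.Request(f"{base_url}/api/v4{path}",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def audit_group(base_url, token, group_id):
    """Live version: fetch group, members (first page only) and per-user 2FA state."""
    group = gitlab_get(base_url, token, f"/groups/{group_id}")
    members = gitlab_get(base_url, token, f"/groups/{group_id}/members/all?per_page=100")
    return members_without_2fa(group, members,
                               lambda uid: gitlab_get(base_url, token, f"/users/{uid}"))


if __name__ == "__main__":
    # Offline run over the constructed sample: user1 (access request) and user2
    # (direct add) both lack 2FA, so both are flagged regardless of join path.
    print(members_without_2fa(GROUP, MEMBERS, USERS.__getitem__))
```

The offline check flags `user1` and `user2`; a member admitted through an access request shows up in the audit exactly like one added directly, which is the state the UI enforcement in the report fails to reflect.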

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: