
Service Desk email is accessible by users with the Guest role (private project) and non-project members (public project)

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2956315 by iamgk808 on 2025-01-24, assigned to @greg:


Report

Summary

Service Desk email is leaked in the HTML for all users, regardless of their role in a project. The documentation states that only users with the Reporter role or above should be able to view the Service Desk email.

Screenshot_2025-01-24_122516.png (image with researcher emails redacted)

Already fixed bugs:
#349881 (closed), #342823 (closed)

Steps to reproduce

Private project:

Guest users can see the Service desk email in a private project

  1. Log in to GitLab, create a private project, and navigate to the project.
  2. Navigate to Settings -> General -> Service Desk, toggle Activate Service Desk and click Save changes.
  3. Now navigate to Project information -> Members and invite a user as a Guest.
  4. Now log in as the Guest user and navigate to Issues -> Service Desk; the email address is not shown in the UI.
  5. Now navigate to https://gitlab.com/[Group-name]/[PROJECT_name]/-/issues/service_desk, view the page source and search for data-service-desk-email-address.
    https://gitlab.com/group-2025/project-11/-/issues/service_desk

Public project:

Non-project members can see the Service desk email in a public project

  1. Log in to GitLab, create a public project, and navigate to the project.
  2. Navigate to Settings -> General -> Service Desk, toggle Activate Service Desk and click Save changes.
  3. In a private tab, navigate to https://gitlab.com/[Group-name]/[PROJECT_name]/-/issues/service_desk, view the page source and search for data-service-desk-email-address.
    https://gitlab.com/group-2025/project-11/-/issues/service_desk

Impact

Service Desk email accessible by users with the Guest role and non-project members

Examples

https://gitlab.com/group-2025/project-11

What is the current bug behavior?

Service Desk email accessible by users with the Guest role and non-project members

What is the expected correct behavior?

According to the docs, the Service Desk email should not be leaked to any user below the Reporter role.

Relevant logs and/or screenshots
Output of checks

N/A

Impact

Service Desk email is accessible by users with the Guest role and non-project members

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:
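Added example of the expected behaviour described above; this is not GitLab's code. It models the page's data attribute in a toy Ruby helper, showing the leaking shape (attribute emitted for every viewer) beside a hardened shape that omits data-service-desk-email-address unless the viewer holds Reporter or above. The Project/User structs, helper names and sample address are constructed stand-ins; the numeric access levels match GitLab's Guest=10, Reporter=20, Owner=50.

```ruby
# Added example, not GitLab code. Access level numbers follow GitLab's
# convention (Guest 10, Reporter 20, Developer 30, Maintainer 40, Owner 50);
# everything else here is a constructed stand-in for the real Rails helpers.
GUEST    = 10
REPORTER = 20
OWNER    = 50

Project = Struct.new(:path, :service_desk_email, :members)
User    = Struct.new(:username)

# Highest access level of +user+ in +project+, or nil for a non-member or anonymous visitor.
def access_level(project, user)
  return nil if user.nil?
  project.members[user.username]
end

# Leaking shape: the address is emitted for everyone who can load the page,
# so a Guest (private project) or anonymous visitor (public project) finds it in the source.
def service_desk_data_vulnerable(project, _user)
  { service_desk_enabled: !project.service_desk_email.nil?,
    service_desk_email_address: project.service_desk_email }
end

# Hardened shape: the address is included only for Reporter or above.
# Guests, non-members and anonymous viewers get the attribute omitted entirely.
def service_desk_data_hardened(project, user)
  data = { service_desk_enabled: !project.service_desk_email.nil? }
  level = access_level(project, user)
  return data if level.nil? || level < REPORTER
  data.merge(service_desk_email_address: project.service_desk_email)
end

# Render the hash as the HTML data-* attributes a reader would search for in page source.
def to_data_attributes(data)
  data.map { |k, v| %(data-#{k.to_s.tr('_', '-')}="#{v}") }.join(' ')
end

# Regression check: does the rendered markup contain the mailbox address?
def leaks_email?(html, email)
  html.include?(email)
end

# Constructed sample project; the address is a placeholder, not a real Service Desk mailbox.
SAMPLE_PROJECT = Project.new(
  'group-2025/project-11',
  'contact-project+group-2025-project-11-PLACEHOLDER@example.com',
  { 'owner' => OWNER, 'guest' => GUEST, 'reporter' => REPORTER }
)
```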

Edited by ADandy