
Manual job variables can be leaked on any instance without auth

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #3026559 by pwnie on 2025-03-08, assigned to @ngeorge1:


Report

Summary:
The GitLab GraphQL endpoint exposes manual CI/CD variables associated with manual deployments to unauthorized users—even unauthenticated users in public projects. This lack of independent authorization allows an attacker to retrieve sensitive deployment secrets that should be restricted to maintainers or owners.

Steps to Reproduce:

  1. Set Up a Public Project and Manual Deployment Job:
    • Create a new public project on gitlab.com.
    • Add a deployment job with a manual trigger in your .gitlab-ci.yml:
      stages:
        - deploy
      deploy-manual:
        stage: deploy
        when: manual
        script:
          - echo "Deploying with manual variables"
        environment:
          name: staging
  2. Configure Manual Variables:
    • In the GitLab UI, configure one or more manual CI/CD variables for the job. These variables may contain sensitive information intended for secure, on-demand use.
  3. Access the Vulnerable Endpoint:
    • Open the GitLab GraphQL Explorer (or any GraphQL client) without logging in (or with a guest-level account).
  4. Execute the GraphQL Query:
    • Run the following query, replacing "your/full/project/path" with your actual project path:
      query getJobManualVariables {
        project(fullPath: "your/full/project/path") {
          pipelines {
            nodes {
              jobs {
                nodes {
                  manualVariables {
                    nodes {
                      key
                      value
                      environmentScope
                    }
                  }
                }
              }
            }
          }
        }
      }
  5. Observe the Issue:
    • The query response reveals the manual variables, including keys, values, and their environment scopes, even though this data should be restricted.

Impact:
An attacker (or any unauthenticated/guest user) can retrieve sensitive manual variables from public projects via the GraphQL API. This could lead to exposure of deployment secrets and other sensitive information, compromising the security of CI/CD processes.

Recommendation:
Implement independent, field-level authorization checks for the manualVariables field within the GraphQL API. Ensure that sensitive manual variables are only accessible to users with the necessary privileges (e.g., project maintainers or owners). Additionally, consider masking or restricting the display of sensitive values to prevent accidental disclosure.

By tightening access control on this GraphQL field, GitLab can better protect confidential deployment data and reduce the risk of unauthorized secret disclosure.
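The reproduction steps above show the root cause: the parent objects (a public project, its pipelines and jobs) are readable by anyone, and the nested manualVariables field inherits that decision instead of making its own. The recommendation asks for an independent, field-level check plus masking. The following added example (not GitLab's code, and written in plain Ruby without the graphql gem so it runs stand-alone) models a vulnerable resolver beside a hardened one. The role names, the maintainer-or-above rule, the masked flag and the sample project data are assumptions chosen for illustration.

```ruby
# Added example, not GitLab's implementation: field-level authorization for a
# nested "manualVariables" field, modelled in plain Ruby. Role names, ability
# rules and sample data are assumptions for illustration only.

ROLE_RANK = { anonymous: 0, guest: 10, reporter: 20, developer: 30,
              maintainer: 40, owner: 50 }.freeze

# members: { username => role symbol }
Project  = Struct.new(:path, :visibility, :members, keyword_init: true)
Job      = Struct.new(:name, :project, :manual_variables, keyword_init: true)
Variable = Struct.new(:key, :value, :environment_scope, :masked, keyword_init: true)
User     = Struct.new(:username, keyword_init: true)

def role_of(user, project)
  return :anonymous if user.nil?
  project.members.fetch(user.username, :anonymous)
end

# Parent-level rule: anyone can read jobs of a public project; members can
# read jobs of a private one.
def can_read_job?(user, job)
  job.project.visibility == :public ||
    ROLE_RANK[role_of(user, job.project)] >= ROLE_RANK[:guest]
end

# Field-level rule (assumed): only maintainers and owners may read the
# values of manual variables.
def can_read_manual_variables?(user, job)
  ROLE_RANK[role_of(user, job.project)] >= ROLE_RANK[:maintainer]
end

# Vulnerable shape: the nested field relies on the parent's authorization.
# Once the job resolved (public project), every variable value comes back.
def resolve_manual_variables_vulnerable(user, job)
  return nil unless can_read_job?(user, job)
  job.manual_variables.map do |v|
    { key: v.key, value: v.value, environment_scope: v.environment_scope }
  end
end

# Hardened shape: the field performs its own check and nulls itself for
# unauthorized callers; values flagged as masked are never returned in clear.
def resolve_manual_variables_hardened(user, job)
  return nil unless can_read_job?(user, job)
  return nil unless can_read_manual_variables?(user, job)
  job.manual_variables.map do |v|
    { key: v.key,
      value: v.masked ? '[MASKED]' : v.value,
      environment_scope: v.environment_scope }
  end
end

# Constructed sample data (not real secrets, not a real project).
def sample_job
  project = Project.new(path: 'example-group/example-project',
                        visibility: :public,
                        members: { 'alice' => :maintainer, 'bob' => :guest })
  Job.new(name: 'deploy-manual', project: project, manual_variables: [
    Variable.new(key: 'DEPLOY_TOKEN', value: 'constructed-sample-value',
                 environment_scope: 'staging', masked: true),
    Variable.new(key: 'DEPLOY_REGION', value: 'eu-west-1',
                 environment_scope: 'staging', masked: false)
  ])
end

# Runs both resolvers as an anonymous caller, a guest and a maintainer.
def demo
  job = sample_job
  {
    vulnerable_anonymous: resolve_manual_variables_vulnerable(nil, job),
    hardened_anonymous: resolve_manual_variables_hardened(nil, job),
    hardened_guest: resolve_manual_variables_hardened(User.new(username: 'bob'), job),
    hardened_maintainer: resolve_manual_variables_hardened(User.new(username: 'alice'), job)
  }
end

if __FILE__ == $PROGRAM_NAME
  require 'pp'
  pp demo
end
```

The point the example makes is that an authorization check on the object being resolved (the job) says nothing about a sensitive field hanging off it; the hardened resolver repeats the question for that field with a stricter rule and returns nil rather than an empty list so the schema's null result signals "not authorized" rather than "no variables". Masked values are withheld from this field even for maintainers in the example; whether maintainers should see them through the API, or only in project settings, is a product decision the example leaves to the reader.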

How To Reproduce

Please add reproducibility information to this section: