Bypassing the new feature in GitLab 18.0 "Disable user invitations"

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #3148693 by mateuszek on 2025-05-15, assigned to @katwu:

Report

1. Description:
There is a new feature in GitLab 18.0 named "Disable user invitations" - I found a bypass for it :)

docs: https://about.gitlab.com/releases/gitlab-com/#disable-user-invitations

In general, if we turn on this feature, then a user with access to invite other users or groups to our group doesn't see the buttons to invite a user or a group to our group, BUT I found that it is still possible to invite a whole group with its users to our group without any problems!

It is a bit of a complicated scenario - I will write the steps soon in a comment on this report!

Best regards,
Mateusz

Impact

  • Bypassing the new feature in GitLab 18.0 "Disable user invitations"

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: