Ability to Invite Users despite Disable invitation option is enabled on group via POST /api/v4/project/{id}/members

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #3196745 by hunter0xp7 on 2025-06-12, assigned to @katwu:


Report

Summary

Hello,

This may look like #31767195, but the endpoints are different: #31767195 is the group endpoint and this one is the project endpoint.

GitLab introduced a new feature that allows group owners to disable user invitations on a group, and when this option is enabled no one should be able to invite other members to the group or a project in it. But I found that, apart from the UI preventing it, it is possible to use the import API to add members on a project.

Steps to reproduce

As Owner

1. Create group-A and apply an Ultimate trial to it
2. Create project-A inside of your group-A
3. Invite a user as Maintainer to your project-A
4. Enable "Disable user invitations" in the group settings

As invited Maintainer

1. Go to group-A/project-A/-/project_members; you will see that there is no option to invite users. Now send this request:
```http
POST /api/v4/projects/project-A{Id}/members HTTP/2
Host: gitlab.com
Cookie: redacted
Content-Length: 95
Sec-Ch-Ua: "Chromium";v="117", "Not;A=Brand";v="8"
X-Csrf-Token: redacted
Sec-Ch-Ua-Arch: "x86"
Sec-Ch-Ua-Platform-Version: "15.0.0"
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Bitness: "64"
Sec-Ch-Ua-Full-Version-List: "Chromium";v="117.0.5914.0", "Not;A=Brand";v="8.0.0.0"
Sec-Ch-Ua-Model: ""
Sec-Ch-Ua-Platform: "Windows"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Type: application/json
Sec-Ch-Ua-Full-Version: "117.0.5914.0"
Accept: application/json, text/plain, */*
Sentry-Trace: bdca6f93fb024efa9536bb202c8c89e1-a0699c632884f4b4-0
Origin: https://gitlab.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

{"format":"json","access_level":30,"invite_source":"project_members_page","user_id":"id"}
```

Video PoC

project.mp4

Impact

This feature helps organizations/groups maintain strict control over membership access. Failing to do so will bypass security measures for membership control.
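The root cause the report describes is a guard that exists only in the UI while the members API never consults the group-level setting. The following is an added illustration, not GitLab's code: a minimal model of the buggy server-side check beside a hardened one that enforces the setting, including inheritance from ancestor groups. The `Group`, `Project` and helper names are hypothetical, and the scenario data is constructed to mirror the report.

```ruby
# Hypothetical models, not GitLab's: a group with an optional parent and the
# "disable user invitations" flag, and a project belonging to a group.
Group = Struct.new(:name, :parent, :invitations_disabled) do
  # A subgroup inherits the restriction from any ancestor, so walk upwards.
  def invitations_disabled_anywhere?
    node = self
    while node
      return true if node.invitations_disabled
      node = node.parent
    end
    false
  end
end

Project = Struct.new(:name, :group)

# Behaviour the report describes: the API handler only checks the actor's
# role, so a Maintainer (access level 40) can always add members.
def buggy_can_add_member?(project, actor_access_level)
  actor_access_level >= 40
end

# Hardened check: same role requirement, plus the group setting the UI
# already honours. Returns [allowed, reason] so callers can log the reason.
def can_add_member?(project, actor_access_level)
  return [false, :insufficient_role] if actor_access_level < 40
  if project.group&.invitations_disabled_anywhere?
    return [false, :invitations_disabled]
  end
  [true, :ok]
end

# Constructed scenario mirroring the report: group-A with the setting on,
# project-A inside it, and the request made by an invited Maintainer.
def report_scenario
  group_a = Group.new("group-A", nil, true)
  project_a = Project.new("project-A", group_a)
  {
    ui_guard_only: buggy_can_add_member?(project_a, 40),
    server_side: can_add_member?(project_a, 40),
  }
end

p report_scenario if __FILE__ == $0
```

The same check belongs in every code path that creates memberships (REST, GraphQL, import), not only in the page that renders the invite button.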

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: