Non-group members can be added to projects even though the "Users cannot be added to projects in this group" feature is active in the victim group

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #3209641 by rhidayahh on 2025-06-19, assigned to GitLab Team:


Report

Description

In groups, users can enable the "Users cannot be added to projects in this group" feature, which means that users who want to be made members of a project in a group must first become members of the group. However, this can still be bypassed, and the result is that users who are not members of the group can still be made members of the project. This is not in accordance with the expected behavior, which is that the application should reject it.

Reproduction Steps

Users

  • User A (victim)
  • User C (attacker)
  • User D (attacker)

Steps

  1. From User A, create a public group > invite User C to your group as "Maintainer" > create a public project in the group > then enable the "Users cannot be added to projects in this group" feature in the group settings.
  2. From User C, visit User A's profile > enter the group > enter the project in it > in the UI you will not be able to add users; the feature is not even available.
  3. From User D, visit User A's profile > enter his group > enter the project in it > then request access to the project.
  4. From User C, refresh the page > you will see that User D is requesting access to the project in User A's group > then accept User D's access request > User D automatically joins as a member of the project in the group, even though User A has activated the feature "Users cannot be added to projects in this group" and User D should be a member of the group first before becoming a member of the project in the group.

Proof of Concept (PoC)

bandicam_2025-06-19_14-05-00-302.mp4

Recommendation

The application should reject it when a user receives an access request from another user in the group project.

Impact

  1. Non-group members can be added to a project even if the group owner has enabled the "Users cannot be added to projects in this group" feature.
  2. Violating group policies.
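An audit check for the condition this report describes, added here as an example (not part of the report or of GitLab's own code): for a group whose "Users cannot be added to projects in this group" setting is on (Groups API attribute `membership_lock`), list direct project members who are not group members. The input shapes mirror the GitLab REST API (`GET /groups/:id`, `GET /groups/:id/members/all`, `GET /projects/:id/members`); the sample data below is constructed to match the report's users, and the `gitlab_get_all` helper and its `base_url`/`token` parameters are assumptions for fetching live data.

```python
import json
import urllib.request


def gitlab_get_all(base_url, token, path):
    """Fetch every page of a GitLab list endpoint (page/per_page pagination,
    next page announced in the X-Next-Page response header). Assumed helper."""
    items, page = [], "1"
    while page:
        url = f"{base_url}/api/v4{path}?per_page=100&page={page}"
        req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
        with urllib.request.urlopen(req) as resp:
            items.extend(json.load(resp))
            page = resp.headers.get("X-Next-Page") or ""
    return items


def find_lock_violations(group, group_members, projects):
    """Return [(project_path, username)] for every direct project member who
    is not a group member while the group's membership lock is enabled.
    group: dict from GET /groups/:id; group_members: list from
    GET /groups/:id/members/all; projects: dicts carrying path_with_namespace
    and the direct members from GET /projects/:id/members."""
    if not group.get("membership_lock"):
        return []  # lock off: direct project membership is permitted by policy
    group_user_ids = {m["id"] for m in group_members}
    violations = []
    for project in projects:
        for member in project["members"]:
            if member["id"] not in group_user_ids:
                violations.append((project["path_with_namespace"], member["username"]))
    return violations


# Constructed sample mirroring the report: lock on, User C in the group as
# Maintainer, User D a direct project member (Developer) without group membership.
SAMPLE_GROUP = {"id": 10, "full_path": "victim-group", "membership_lock": True}
SAMPLE_GROUP_MEMBERS = [
    {"id": 1, "username": "user_a", "access_level": 50},
    {"id": 3, "username": "user_c", "access_level": 40},
]
SAMPLE_PROJECTS = [{
    "path_with_namespace": "victim-group/project",
    "members": [
        {"id": 3, "username": "user_c", "access_level": 40},
        {"id": 4, "username": "user_d", "access_level": 30},
    ],
}]

if __name__ == "__main__":
    for path, user in find_lock_violations(SAMPLE_GROUP, SAMPLE_GROUP_MEMBERS, SAMPLE_PROJECTS):
        print(f"{path}: {user} is a direct project member but not a group member")
```

Run against live data by feeding the output of `gitlab_get_all` for the group's members and each project's members into `find_lock_violations`; any row it returns is a membership that the lock should have prevented.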

Attachments

Warning: attachments were received through HackerOne; please exercise caution!

How To Reproduce

Please add reproducibility information to this section: