Privilege escalation to access GitLab Pages when it is set to "Only Project Members"
HackerOne report #3250156 by mateuszek on 2025-07-13, assigned to @katwu:
Report
1. Description:
In general, I found somewhat weird behaviour in the GitLab system.
I created the GitLab Pages.
Then in group settings I set:
Pages access control
Restrict access to only project members on all group projects
(When enabled, all projects in the group and its subgroups become visible only to members.)
Then I noticed that when I logged into GitLab via Google Auth as a non-member of the group and project, I had access to the GitLab Pages that I created without any problems.
Next I checked the settings in the PoC project:
Everything looks fine, BUT users logged into GitLab via Google Auth have access to my GitLab Pages without any problems :)
2. Scenario:
2.1. Short scenario for confirmation:
- Log in to GitLab cloud via Google Auth, then try to open my GitLab Pages below:
https://mateuszek-poc-public-project-may-67e224.gitlab.io
You should have access to this page without any problems.
2.2. Long confirmation:
- Create the GitLab Pages in your project, e.g. from the tutorial below:
https://about.gitlab.com/blog/build-a-new-website-in-a-few-easy-steps-with-gitlab-pages/
- In the public group settings go to:
Settings -> General -> Permissions and group features -> Pages access control
and check that checkbox
- In the public project (project inside PoC group) settings go to:
Settings -> General -> Visibility, project features, permissions -> Pages
and notice that it should be set as Only Project Members
- Open the created PoC GitLab Pages from a second account that is logged in to GitLab cloud via Google Auth
Best regards,
Mateusz
Impact
- Privilege escalation to access GitLab Pages when it is set to "Only Project Members"