IDOR able to add any project runner to the attacker project and manage the runner via POST /api/v4/projects/{projectId}/runners

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #3356284 by iamgk808 on 2025-09-24, assigned to GitLab Team:

Report | Attachments | How To Reproduce

Report

Summary

HackerOne team note:
PR:L, because the custom role is only used in the attacker group, not in the victim group.

I found a weird bug where a custom role can add any project runner to an attacker project and control it (edit, pause, etc.).

==The main issue is that the custom role Guest + Manage runners can add any project runner in the instance and control it==

Simple PoC:

Victim:

  1. Victim creates a private project and adds a runner to it.

Attacker:

  1. Attacker creates attacker-group-1 and adds an Ultimate trial to it.
  2. Attacker creates a custom role Guest + Manage runners and adds attacker-2 with the custom role.
  3. Attacker creates attacker-project-1 in attacker-group-1 and notes the project ID.
  4. Log in as attacker-2 and use the API below, where the runner ID is the victim's runner ID (it's an incremental value, so it's very guessable; on a local instance it starts at 1, 2, 3, 4, etc.):

     curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/9/runners" \
          --form "runner_id=9"

  5. Go to attacker-project-1 > CI/CD settings > Runners, where you can manage the victim's runner (edit, pause, etc.).

Steps to reproduce

Two users: victim, attacker-1, attacker-2

Victim steps:

  1. Create a new group called group-1 and apply a GitLab Ultimate trial to it.
  2. In the group, create a private project called project-1.
  3. Go to project-1 > CI/CD settings > Runners and create a project runner.
  4. Then follow the register-runner setup and add the runner.
  5. Note the runner ID in the URL.

Attacker steps:

  1. Create a new group called attacker-group-1 and apply a GitLab Ultimate trial to it.
  2. attacker-1 creates a custom role Guest + Manage runners and adds attacker-2 with the custom role.
  3. attacker-1 creates attacker-project-1 in attacker-group-1 and notes the project ID.
  4. Log in as attacker-2 and use the API below, where the runner ID is the victim's runner ID (it's an incremental value, so it's very guessable; on a local instance it starts at 1, 2, 3, 4, etc.).

     Replace the values below:

     project-id with the ID of attacker-project-1
     runner_id with the victim's runner ID
     your_access_token: create an api-scope token with the attacker-2 account

     curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/project-id/runners" \
          --form "runner_id=9"

  5. Go to attacker-project-1 > CI/CD settings > Runners, where you can manage the victim's runner (edit, pause, etc.).

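From the defender's side, the following is an added illustration and not code from GitLab or from the report: a small model of the authorization gap in step 4 (only the caller's rights on the target project are checked) next to the extra check that closes it (the caller must also be entitled to manage the runner through a project it already belongs to). The `ACCESS` table, the `Project`/`Runner` structs and the functions `manage_runners_in?`, `vulnerable_assign`, `hardened_assign` and `scenario` are hypothetical names, and the custom "Manage runners" ability is modelled as a boolean flag.

```ruby
# Added illustration, not GitLab code: a minimal model of the authorization gap
# described in the report and the extra check that closes it. All names here are
# hypothetical; the custom "Manage runners" ability is modelled as a boolean flag.
ACCESS = { guest: 10, developer: 30, maintainer: 40, owner: 50 }.freeze

# members: { user_name => { access: :guest, manage_runners: true/false } }
Project = Struct.new(:id, :members)
# project_ids: the projects the runner is currently assigned to
Runner = Struct.new(:id, :project_ids)

# Can `user` manage runners in `project`? Maintainer or higher, or the custom
# Guest + Manage runners role from the report, both qualify.
def manage_runners_in?(user, project)
  m = project.members[user]
  !m.nil? && (ACCESS[m[:access]] >= ACCESS[:maintainer] || m[:manage_runners])
end

# Reported behaviour: only the caller's rights on the *target* project are
# checked, so any existing (sequential) runner ID can be attached and managed.
def vulnerable_assign(user, runner, target)
  return false unless manage_runners_in?(user, target)
  runner.project_ids << target.id
  true
end

# Hardened: the caller must also be entitled to manage the runner itself, i.e.
# hold manage-runners rights on at least one project it already belongs to.
def hardened_assign(user, runner, target, projects)
  return false unless manage_runners_in?(user, target)
  owns = runner.project_ids.any? { |pid| manage_runners_in?(user, projects.fetch(pid)) }
  return false unless owns
  runner.project_ids << target.id
  true
end

# Constructed scenario mirroring the report: the victim owns project 1, which has
# runner 9; attacker-2 is a Guest with Manage runners on attacker project 9.
def scenario
  projects = {
    1 => Project.new(1, { 'victim' => { access: :owner, manage_runners: false } }),
    2 => Project.new(2, { 'victim' => { access: :maintainer, manage_runners: false } }),
    9 => Project.new(9, { 'attacker-2' => { access: :guest, manage_runners: true } })
  }
  {
    vulnerable: vulnerable_assign('attacker-2', Runner.new(9, [1]), projects[9]),
    hardened: hardened_assign('attacker-2', Runner.new(9, [1]), projects[9], projects),
    legitimate: hardened_assign('victim', Runner.new(9, [1]), projects[2], projects)
  }
end
```

The vulnerable path accepts the attacker's request because it only looks at the target project, while the hardened path rejects it and still lets the victim move their own runner between projects they maintain.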

Impact

IDOR able to add any project runner to the attacker project and manage the runner

Examples
What is the current bug behavior?

IDOR able to add any project runner to the attacker project and manage the runner

What is the expected correct behavior?

Only the authorized user can edit

Relevant logs and/or screenshots
Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: