CVE-2022-1680

CVE-2022-1680 is a critical-severity vulnerability in Gitlab with a CVSS 3.x base score of 9.9. Its EPSS exploit-prediction score of 15% places it in the 96th percentile, indicating an elevated likelihood of exploitation.

Key facts

Description

An account takeover issue has been discovered in GitLab EE affecting all versions starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users' email addresses via SCIM to an attacker controlled email address and thus - in the absence of 2FA - take over those accounts. It is also possible for the attacker to change the display name and username of the targeted account.

Frequently asked questions

What is CVE-2022-1680?
An account takeover issue has been discovered in GitLab EE affecting all versions starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users' email addresses via SCIM to an attacker controlled email address and thus - in the absence of 2FA - take over those accounts. It is also possible for the attacker to change the display name and username of the targeted account.
How severe is CVE-2022-1680?
CVE-2022-1680 has a CVSS 3.x base score of 9.9, rated critical severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2022-1680 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 15% (96th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2022-1680?
CVE-2022-1680 primarily affects Gitlab. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2022-1680?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
When was CVE-2022-1680 published?
CVE-2022-1680 was published on 2022-06-06 and last updated on 2026-06-17.

References

Affected products (2)

More vulnerabilities in Gitlab

All CVEs affecting Gitlab →