CVE-2023-7028
CVE-2023-7028 is a critical-severity vulnerability in Gitlab with a CVSS 3.x base score of 10.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-05-01). The underlying weakness is classified as CWE-640.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- EPSS exploit prediction: 95% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2024-05-01)
- EU (EUVD) id: EUVD-2023-59219
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2024-05-01)
- Weakness: CWE-640
- Affected product: Gitlab
- Published:
- Last modified:
Description
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.
Frequently asked questions
- What is CVE-2023-7028?
- An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.
- How severe is CVE-2023-7028?
- CVE-2023-7028 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2023-7028 being actively exploited?
- Yes. CVE-2023-7028 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-05-01, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2023-7028?
- CVE-2023-7028 primarily affects Gitlab. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-7028?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2023-7028 have an EU (EUVD) identifier?
- Yes. CVE-2023-7028 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-59219. It is also flagged as exploited in the EUVD (since 2024-05-01).
- When was CVE-2023-7028 published?
- CVE-2023-7028 was published on 2024-01-12 and last updated on 2026-06-17.
References
- https://gitlab.com/gitlab-org/gitlab/-/issues/436084
- https://hackerone.com/reports/2293343
- https://www.vicarius.io/vsociety/posts/critical-gitlab-account-takeover-vulnerability-cve-2023-7028
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-7028
Affected products (2)
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
More vulnerabilities in Gitlab
- CVE-2024-45409 — Critical (CVSS 10.0): The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <=…
- CVE-2023-2825 — Critical (CVSS 10.0): An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a…
- CVE-2022-0735 — Critical (CVSS 10.0): An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions…
- CVE-2021-22205 — Critical (CVSS 10.0): An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly…
- CVE-2019-9174 — Critical (CVSS 10.0): An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x…
- CVE-2018-18843 — Critical (CVSS 10.0): The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before…
Other CWE-640 vulnerabilities
- CVE-2025-63314 — Critical (CVSS 10.0): A static password reset token in the password reset function of DDSN Interactive Acora CMS v10.7.1 allows attackers to…
- CVE-2026-13019 — Critical (CVSS 9.8): Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for…
- CVE-2026-37106 — Critical (CVSS 9.8): An issue in DokuWiki 2025-05-14b "Librarian" 56.2 allows a remote attacker to create an account via the register…
- CVE-2026-12417 — Critical (CVSS 9.8): The SignUp & SignIn plugin for WordPress is vulnerable to Authentication Bypass via Weak Password Reset Validation…
- CVE-2026-12416 — Critical (CVSS 9.8): The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to,…
- CVE-2026-11551 — Critical (CVSS 9.8): The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and…