12/02/2025
CISA sounds alarm on critical GitLab flaw under active exploit
The US Cybersecurity and Infrastructure Security Agency (CISA) has labelled a critical vulnerability affecting the popular Git-based repository manager GitLab as a Known Exploited Vulnerability (KEV). The move comes in response to active exploitation attempts detected in the wild, underscoring the urgency for organisations to promptly apply security updates.
Tracked as CVE-2023-7028, the severe flaw (CVSS score: 10.0) could enable adversaries to take over user accounts by sending password reset emails to unverified email addresses. CISA’s KEV catalogue lists publicly known cybersecurity vulnerabilities that carry a significant risk to federal agencies and are actively exploited by threat actors.
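To make the weakness class concrete, here is an added illustration (constructed for this page, not GitLab's code) of a password-reset flow that mails the reset token to addresses the requester supplied, placed beside a hardened version that only ever mails the verified address stored for the matched account. The user store, mailer and addresses are all constructed sample data.

```ruby
# Constructed model of the weakness class described above: a reset flow
# that delivers a token to requester-supplied, unverified addresses.
# Not GitLab's code; user store and mailer are in-memory stand-ins.
require 'securerandom'

User = Struct.new(:id, :verified_email)

USERS  = [User.new(1, 'alice@example.com')]   # constructed sample account
MAILER = []                                   # records every delivery

def find_by_email(email)
  USERS.find { |u| u.verified_email.casecmp?(email) }
end

def deliver(to, token)
  MAILER << { to: to, token: token }
end

# Vulnerable variant: the account is resolved from one of the submitted
# addresses, but the token is then mailed to every submitted address,
# whether or not it is verified for that account.
def reset_vulnerable(params)
  emails = Array(params['email'])
  user = emails.map { |e| find_by_email(e) }.compact.first
  return :unknown_account unless user
  token = SecureRandom.hex(16)
  emails.each { |e| deliver(e, token) }   # trusts unverified recipients
  :sent
end

# Hardened variant: accept exactly one address, resolve the account from
# it, and mail the token only to that account's verified address. The
# response is the same in every case, so it also does not reveal whether
# an address has an account.
def reset_hardened(params)
  emails = Array(params['email'])
  return :sent unless emails.size == 1   # refuse multi-recipient requests
  user = find_by_email(emails.first)
  deliver(user.verified_email, SecureRandom.hex(16)) if user
  :sent
end
```

The vulnerable variant is the pattern to look for in code review: any reset handler whose delivery address is taken from the request rather than from the account record.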
GitLab initially disclosed the flaw in January 2023. The vulnerability, introduced as part of a code change in version 16.1.0 released on May 1, 2023, impacts “all authentication mechanisms” across affected versions.
“Additionally, users who have two-factor authentication enabled are vulnerable to password reset but not account takeover as their second authentication factor is required to login,” GitLab stated in its advisory.