Back to blog
GitLabDevOpsCVE

GitLab and CVE-2023-7028: why this password-reset flaw worried everyone

Published on 2026-04-116 min readCleanIssue

> TL;DR: CVE-2023-7028 allowed account takeover through password reset without user interaction in some GitLab versions. Here is why it left such a mark.

A flaw in a platform that concentrates code, secrets, and CI

GitLab published a critical security release in January 2024 explaining that CVE-2023-7028 allowed account takeover through the password reset workflow without user interaction. The official release notes assign it a CVSS 10.0 severity.

Why the impact goes beyond authentication

On GitLab, taking over an account does not only mean reading source code. It can also expose pipelines, secret variables, artifacts, registries, issue history, and deployment workflows.

What this says about DevOps platforms

Development platforms are risk multipliers. An authentication flaw there is not equivalent to an ordinary application login flaw. It can become a path into the internal supply chain.

The lesson for 2026

Teams need to review GitLab versions, MFA posture, audit logs, secret rotation, and logs related to suspicious password resets. GitLab itself recommended broader incident-response actions than a simple patch alone.

Our view

CVE-2023-7028 is a strong reminder that on DevOps platforms, an account flaw can quickly become an organizational flaw. The core risk is the concentration of power inside one platform.

Key Takeaways

  • Identify and test your exposed attack surfaces before a third party does.
  • Client-side security controls never replace server-side validation.
  • Regular audits are more effective than one-time checks — vulnerabilities appear with every deployment.
  • Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.

    Need an external review of your HR SaaS?

    Share your product, stack, and client context. We will come back with the right review scope.

    Discuss your audit