GitLab and CVE-2023-7028: why this password-reset flaw worried everyone
> TL;DR: CVE-2023-7028 allowed account takeover through password reset without user interaction in some GitLab versions. Here is why it left such a mark.
A flaw in a platform that concentrates code, secrets, and CI
GitLab published a critical security release in January 2024 explaining that CVE-2023-7028 allowed account takeover through the password reset workflow without user interaction. The official release notes assign it a CVSS 10.0 severity.
Why the impact goes beyond authentication
On GitLab, taking over an account does not only mean reading source code. It can also expose pipelines, secret variables, artifacts, registries, issue history, and deployment workflows.
What this says about DevOps platforms
Development platforms are risk multipliers. An authentication flaw there is not equivalent to an ordinary application login flaw. It can become a path into the internal supply chain.
The lesson for 2026
Teams need to review GitLab versions, MFA posture, audit logs, secret rotation, and logs related to suspicious password resets. GitLab itself recommended broader incident-response actions than a simple patch alone.
Our view
CVE-2023-7028 is a strong reminder that on DevOps platforms, an account flaw can quickly become an organizational flaw. The core risk is the concentration of power inside one platform.
Key Takeaways
Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.
Related articles
Three adjacent analyses to keep exploring the same attack surface.
PHP and Laravel Ignition: why CVE-2021-3129 left such a mark
CVE-2021-3129 showed how an exposed Laravel debug component could open the door to remote code execution. Here is why this flaw still matters for the PHP ecosystem.
Java and Confluence: why CVE-2023-22515 forced urgent action
CVE-2023-22515 allowed unauthorized administrator account creation on exposed Confluence instances. Here is why this Java flaw forced urgent action.
WordPress CVE-2026-8206: unauthenticated admin takeover via the Kirki plugin
The Kirki WordPress plugin (6.0.0 to 6.0.6) lets an unauthenticated attacker take over an administrator account via a broken password reset. CVSS 9.8, active exploitation, ~150,000 sites exposed. Fix: 6.0.7.
Sources
Related services
If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.