CVE-2023-7028

CVE Database · CVE-2023-7028

CVE-2023-7028

· CRITICALAnalyzed

CVSS v3.1

10.0

EPSS

94.95%

Published

Jan 12, 2024

Modified

Oct 24, 2025

CISA Known Exploited Vulnerability

Added: 2024-05-01 · Due: 2024-05-22

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Public PoC / Exploit (11)

All weaponized →

Exploit-DBGitLab CE/EE < 16.7.2 - Password Reset NucleiNuclei detection template TrickestTrickest PoC index GitHub PoCEsonhugh/gitlab_honeypot★4 GitHub PoCTrackflaw/CVE-2023-7028-Docker★3 GitHub PoCsariamubeen/CVE-2023-7028★3 GitHub PoCthanhlam-attt/CVE-2023-7028★2 GitHub PoCszybnev/CVE-2023-7028★2 GitHub PoChackeremmen/gitlab-exploit★1 GitHub PoCgh-ost00/CVE-2023-7028★1 GitHub PoCyoryio/CVE-2023-7028★0

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Weaknesses (CWE)

CWE-640CWE-640

Affected Products (14)

gitlab · gitlab (up to 16.1.6)vulnerable

gitlab · gitlab (up to 16.2.9)vulnerable

gitlab · gitlab (up to 16.3.7)vulnerable

gitlab · gitlab (up to 16.4.5)vulnerable

gitlab · gitlab

References (6)

https://gitlab.com/gitlab-org/gitlab/-/issues/436084