CVE-2023-4658 in Enterprise Edition
Summary
by MITRE • 12/01/2023
An issue has been discovered in GitLab EE affecting all versions starting from 8.13 before 16.4.3, all versions starting from 16.5 before 16.5.3, and all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the `Allowed to merge` permission as a guest user, when granted the permission through a group.
Analysis
by VulDB Data Team • 11/20/2025
The vulnerability identified as CVE-2023-4658 is a critical access control flaw in GitLab Enterprise Edition that undermines the platform's permission model. It affects a broad range of GitLab versions: 8.13 through 16.4.2, 16.5 through 16.5.2, and 16.6 through 16.6.0, a large window of exposure for organizations that rely on GitLab for source code management and collaboration. The flaw concerns the `Allowed to merge` permission on protected branches, which is fundamental to GitLab's merge request approval and code integration process.
The root cause is a logic error in GitLab's permission inheritance: a guest user can gain merge rights through group-based access controls. When the `Allowed to merge` permission is granted to a group rather than assigned at the project level, and a guest user is a member of that group, the system fails to check whether that user's role actually entitles them to merge. The bypass occurs because the access control logic does not distinguish between user roles when it evaluates group-based merge permissions, so individuals who should be limited to guest-level access can perform merge operations.
The operational impact goes beyond privilege escalation: it opens a path to compromising code integrity through unauthorized modification of source repositories. A guest user who exploits this flaw can merge changes directly into protected branches, potentially introducing malicious code, backdoors, or unintended modifications that propagate through the whole software development lifecycle. The risk is greatest for organizations that use guest accounts for external collaboration, code review, or testing, because those accounts can then bypass the code review gate and perform merges that should be restricted to authorized team members.
Affected organizations should immediately apply the security patches released by GitLab in versions 16.4.3, 16.5.3, and 16.6.1, which correct the permission validation logic. Security administrators should also audit existing group-based merge permissions on protected branches and revoke any that give guest users merge access. The vulnerability is classified under CWE-284 (Improper Access Control) and maps to ATT&CK technique T1078.004 (Valid Accounts: Cloud Accounts), since it grants unauthorized access through legitimate but improperly configured user permissions. Organizations should additionally monitor and alert on merge operations into protected branches and on changes to protected-branch permissions, so that attempted exploitation can be detected.
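The two checks a defender would run for this advisory are a version check against the affected ranges above and an audit of protected-branch merge grants that reach guest-level users through a group, as described in the analysis. The following is an added example, not GitLab code or VulDB tooling. It consumes JSON in the shape of GitLab's REST API responses (`GET /projects/:id/protected_branches`, `GET /projects/:id/members/all`, `GET /groups/:id/members/all`), but all data is constructed inline so it runs offline; the numeric access levels (Guest 10, Reporter 20, Developer 30, Maintainer 40, Owner 50) are GitLab's documented values, and the `min_role` threshold of Developer is this example's assumption, chosen because Developer is the lowest role that normally merges. The audit generalizes slightly beyond the advisory by also flagging Reporters.

```python
"""Offline audit helpers for the misconfiguration behind CVE-2023-4658.

Added example (not GitLab or VulDB code). Input shapes follow GitLab's REST
API, but every record below is constructed for demonstration.
"""
from __future__ import annotations

import re

# GitLab access-level integers (documented values).
GUEST, REPORTER, DEVELOPER, MAINTAINER, OWNER = 10, 20, 30, 40, 50

# Affected ranges from the advisory as [start, first_fixed) per release line.
AFFECTED_RANGES = (
    ((8, 13, 0), (16, 4, 3)),
    ((16, 5, 0), (16, 5, 3)),
    ((16, 6, 0), (16, 6, 1)),
)


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '16.4.2', 'v16.4' or '16.5.2-ee' into a comparable (major, minor, patch)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected_version(text: str) -> bool:
    """True when the instance version falls inside one of the advisory's ranges."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def find_low_role_merge_grants(protected_branches, project_members, group_members,
                               min_role: int = DEVELOPER):
    """List members who can merge into a protected branch only because a group
    they belong to is under 'Allowed to merge', while their own project role is
    below ``min_role`` (Guests and Reporters with the default).

    protected_branches: list as from /projects/:id/protected_branches
    project_members:    list as from /projects/:id/members/all (inherited roles included)
    group_members:      dict {group_id: list as from /groups/:id/members/all}
    """
    project_role = {m["username"]: m["access_level"] for m in project_members}
    findings = []
    for branch in protected_branches:
        for grant in branch.get("merge_access_levels", []):
            group_id = grant.get("group_id")
            if group_id is None:
                continue  # role-based or single-user grants are not this issue
            for member in group_members.get(group_id, []):
                username = member["username"]
                role = project_role.get(username, 0)  # 0: no project membership at all
                if role < min_role:
                    findings.append({
                        "branch": branch["name"],
                        "group_id": group_id,
                        "username": username,
                        "project_access_level": role,
                    })
    return sorted(findings, key=lambda f: (f["branch"], f["group_id"], f["username"]))


# ---- constructed sample data (not from any real instance) -------------------
SAMPLE_PROTECTED_BRANCHES = [
    {"name": "main", "merge_access_levels": [
        {"access_level": MAINTAINER, "access_level_description": "Maintainers",
         "user_id": None, "group_id": None},
        {"access_level": MAINTAINER, "access_level_description": "release-managers",
         "user_id": None, "group_id": 42},
    ]},
    {"name": "develop", "merge_access_levels": [
        {"access_level": DEVELOPER, "access_level_description": "Developers + Maintainers",
         "user_id": None, "group_id": None},
        {"access_level": MAINTAINER, "access_level_description": "dev-team",
         "user_id": None, "group_id": 7},
    ]},
]
SAMPLE_PROJECT_MEMBERS = [
    {"username": "alice", "access_level": MAINTAINER},
    {"username": "bob", "access_level": DEVELOPER},
    {"username": "ext-reviewer", "access_level": GUEST},   # guest on the project...
]
SAMPLE_GROUP_MEMBERS = {
    42: [{"username": "alice", "access_level": OWNER},
         {"username": "ext-reviewer", "access_level": DEVELOPER}],  # ...but in a merge-allowed group
    7: [{"username": "bob", "access_level": DEVELOPER}],
}

if __name__ == "__main__":
    print("instance 16.4.2 affected:", is_affected_version("16.4.2"))
    for f in find_low_role_merge_grants(SAMPLE_PROTECTED_BRANCHES,
                                        SAMPLE_PROJECT_MEMBERS, SAMPLE_GROUP_MEMBERS):
        print(f"REVIEW: {f['username']} (project level {f['project_access_level']}) "
              f"can merge into {f['branch']} via group {f['group_id']}")
```

Run against a live instance by replacing the three sample structures with the corresponding API responses; every finding is a grant to revoke or a member whose project role should be raised deliberately rather than inherited by accident.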