CVE-2022-1680
Published: 06 June 2022
Summary
CVE-2022-1680 is a critical-severity vulnerability of unspecified weakness type in GitLab (vendor: GitLab). Its CVSS base score is 9.9 (Critical).
Operationally, it is ranked in the top 11.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-1680 is an account takeover vulnerability in GitLab EE that affects all versions from 11.10 up to but not including 14.9.5, from 14.10 up to but not including 14.10.4, and from 15.0 up to but not including 15.0.1. The flaw exists in the interaction between group SAML SSO and the SCIM feature, which is available only to Premium and Ultimate subscribers; it allows an attacker to alter user email addresses, display names, and usernames through SCIM after an initial invitation.
A Premium group owner who has configured group SAML SSO can exploit the issue by inviting arbitrary users via username and email, then using SCIM to redirect those accounts to attacker-controlled email addresses. In the absence of 2FA on the target accounts, the attacker can subsequently take them over, gaining full access to the victim's permissions and data within the GitLab instance.
GitLab has published patches that remediate the vulnerability in the fixed releases listed above; the official advisories and issue tracker entries at gitlab.com/gitlab-org/cves and gitlab.com/gitlab-org/gitlab/-/issues/363058 contain the version-specific upgrade guidance and configuration recommendations.
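A small version-range check, added here as an example (it is not code from the advisory or from GitLab), that maps a GitLab EE version string onto the three affected ranges stated above and reports the fixed release for that branch; the input version strings are constructed.

```python
# Added example: classify a GitLab EE version against the CVE-2022-1680 ranges.
# Ranges are (first affected, first fixed) per branch, as stated in the advisory.
from typing import Optional, Tuple

AFFECTED_RANGES = [
    ("11.10", "14.9.5"),
    ("14.10", "14.10.4"),
    ("15.0", "15.0.1"),
]


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '14.9.2-ee' or '14.9' into a comparable 3-part integer tuple.

    Release suffixes such as '-ee' are dropped; missing components default to 0.
    """
    core = v.strip().lower().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def minimum_fixed_version(version: str) -> Optional[str]:
    """Return the fixed release for the branch an affected version sits on.

    Returns None when the version is outside every affected range, i.e. it is
    older than 11.10, already at or past the fix on its branch, or on a newer branch.
    """
    v = parse_version(version)
    for lower, fixed in AFFECTED_RANGES:
        if parse_version(lower) <= v < parse_version(fixed):
            return fixed
    return None


def is_affected(version: str) -> bool:
    """True when the version lies in any of the advisory's affected ranges."""
    return minimum_fixed_version(version) is not None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("ci-a", "14.9.4-ee"), ("ci-b", "14.10.4-ee"), ("ci-c", "15.0.0")]:
        fix = minimum_fixed_version(ver)
        print(f"{host}: {ver} -> {'upgrade to ' + fix if fix else 'not in affected range'}")
```

A version inside a range only means the vulnerable code is present; the advisory states the flaw is reachable only where group SAML SSO is configured and SCIM is in use on a Premium or Ultimate group, so pair this check with a review of those settings.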
EPSS for this CVE rose from a low baseline to a peak of 0.1162 on 2025-12-11 before receding to the current value of 0.0389, indicating that exploitation interest increased well after the original disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-24966
Vulnerability details
An account takeover issue has been discovered in GitLab EE affecting all versions starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users' email addresses via SCIM to an attacker controlled email address and thus - in the absence of 2FA - take over those accounts. It is also possible for the attacker to change the display name and username of the targeted account.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.