TryHackMe - GitLab CVE-2023-7028
· Updated: Jul 7, 2026 · TryHackMe · Learn · Medium
Table of contents
TryHackMe - GitLab CVE-2023-7028
This room walks through CVE-2023-7028, a GitLab password reset vulnerability that allows an attacker to receive a copy of the password reset email intended for another user.
Understanding the Vulnerability
The issue is in the password reset flow. When a password reset is requested, GitLab sends the reset link to the registered email address. Due to the vulnerability, an attacker can supply both the victim’s email and their own email in the same request, causing GitLab to send the reset email to both addresses.
Exploiting the Vulnerability
I used the provided exploit script against the target GitLab instance. The script takes the target user email and the attacker email as arguments.
python3 exploit.py -u http://10.10.234.252:8000 -t victim@mail.gitlab.thm -e attacker@mail.gitlab.thm
The exploit first fetches the authenticity token from the password reset page, then submits the reset request with both email addresses.
[DEBUG] Getting authenticity_token ...
[DEBUG] authenticity_token = 4YCbDcI....
[DEBUG] Sending reset password request
[DEBUG] Emails sent to victim@mail.gitlab.thm and attacker@mail.gitlab.thm !
After running the exploit, I checked the attacker mailbox and found the password reset email for the victim account. Following the reset link allowed me to set a new password for the victim user and log in to GitLab.