Safeguard.sh
Vulnerability Analysis

GitLab Pipeline Execution Vulnerability CVE-2024-6678: Running Pipelines as Any User

CVE-2024-6678 allowed attackers to trigger GitLab CI/CD pipelines as arbitrary users, potentially accessing secrets and deploying malicious code through impersonated pipeline runs.

James
Threat Intelligence Lead
6 min read

On September 11, 2024, GitLab released a critical security update addressing CVE-2024-6678 (CVSS 9.9), a vulnerability that allowed an attacker to trigger a CI/CD pipeline as an arbitrary user under certain conditions. This was the latest in a series of critical pipeline execution vulnerabilities that have affected GitLab throughout 2024, following CVE-2024-5655 (June 2024), CVE-2024-6385 (July 2024), and CVE-2023-5009 (September 2023).

The recurring nature of these vulnerabilities, each affecting the same core pipeline execution authorization mechanism, raises questions about the security architecture of GitLab's CI/CD system.

Understanding the Vulnerability

GitLab's CI/CD pipelines execute with the permissions of the user who triggered them. This permission model determines which secrets (CI/CD variables), protected environments, and deployment targets the pipeline can access. If an attacker can trigger a pipeline as a different user, they inherit that user's permissions.

CVE-2024-6678 allowed an attacker with low-level access to a GitLab project to trigger pipeline execution in a way that impersonated another user, potentially an administrator or a user with access to production deployment credentials.

The specific conditions required for exploitation varied, but the core issue was insufficient validation of the user identity associated with pipeline execution contexts. In certain scenarios involving stopped environments and environment actions, the pipeline could be triggered with the permissions of the user who last interacted with the environment rather than the user initiating the new pipeline.

Affected versions:

  • GitLab CE/EE 8.14 through 17.1.7
  • GitLab CE/EE 17.2 through 17.2.5
  • GitLab CE/EE 17.3 through 17.3.2

Given the version range starting from 8.14, this vulnerability had existed in the codebase for years before being identified.

The Pattern of GitLab Pipeline Vulnerabilities

What makes CVE-2024-6678 particularly concerning is the pattern. GitLab has addressed multiple critical pipeline execution vulnerabilities in quick succession:

CVE-2023-5009 (September 2023, CVSS 9.6): Allowed running pipelines as arbitrary users through scheduled pipeline ownership transfer.

CVE-2024-5655 (June 2024, CVSS 9.6): Allowed triggering pipelines as another user under certain conditions related to merge request pipelines.

CVE-2024-6385 (July 2024, CVSS 9.6): Another pipeline execution vulnerability allowing impersonation, found during the investigation of CVE-2024-5655.

CVE-2024-6678 (September 2024, CVSS 9.9): The latest in the series, exploiting environment-related pipeline execution.

Each vulnerability exploits a different code path to achieve the same result: executing a pipeline with another user's permissions. This suggests that the authorization model for pipeline execution has fundamental complexity that makes it difficult to secure comprehensively. Every time one code path is fixed, another is discovered.

Why Pipeline Impersonation Is Critical

In a typical GitLab deployment, CI/CD variables contain some of the most sensitive credentials in the organization:

  • Cloud provider credentials: AWS access keys, GCP service account keys, Azure service principals used for infrastructure deployment.
  • Container registry tokens: Credentials to push images to Docker Hub, AWS ECR, or Google Container Registry.
  • Package registry tokens: npm tokens, PyPI API keys, Maven repository credentials used for publishing packages.
  • Production database credentials: Connection strings and passwords for production databases used in migration pipelines.
  • Signing keys: Code signing certificates and GPG keys used to sign releases.

These variables are typically restricted to specific branches (usually main or production) and specific environments (staging, production). The pipeline execution authorization model is the primary control that prevents unauthorized access to these secrets.

If an attacker can execute a pipeline as a user who has access to production-level secrets, they can exfiltrate those credentials, deploy malicious code, or tamper with software releases.

Exploitation Scenarios

Scenario 1: Secret Exfiltration

An attacker with developer-level access to a GitLab project triggers a pipeline as a maintainer or owner. The pipeline runs against a protected branch or environment, gaining access to production CI/CD variables. The attacker modifies the pipeline to exfiltrate these variables to an external endpoint.

Scenario 2: Supply Chain Compromise

An attacker triggers a release pipeline as a trusted user. The pipeline builds software, signs it with the organization's code signing key, and publishes it to a package registry. The attacker can inject malicious code into the build process, producing a signed, malicious release that appears legitimate.

Scenario 3: Infrastructure Compromise

An attacker triggers a deployment pipeline as a user with production environment access. The pipeline uses cloud provider credentials to deploy infrastructure changes. The attacker modifies the deployment to create backdoor access (new admin users, SSH keys, security group modifications).

Mitigation and Remediation

Immediate actions:

  1. Update GitLab to version 17.3.2, 17.2.5, or 17.1.7 (depending on your release track).
  2. Review pipeline execution logs for unusual activity, particularly pipelines triggered by unexpected users or targeting environments they do not normally access.
  3. Audit CI/CD variable access: Check whether any secrets were accessed by unauthorized pipelines during the exposure window.

Architectural improvements:

  • Minimize CI/CD variable scope: Restrict secrets to the narrowest possible scope. Use protected branches and protected environments to limit which pipelines can access sensitive variables.
  • Use OIDC federation instead of static credentials: GitLab supports OIDC token generation for CI/CD jobs. Use this to obtain short-lived credentials from cloud providers instead of storing long-lived access keys in CI/CD variables.
  • Implement pipeline approval gates: For production deployments, require manual approval from designated users. This adds a human checkpoint that impersonation alone cannot bypass.
  • Monitor pipeline execution patterns: Alert on pipelines triggered by unusual users, at unusual times, or targeting unusual environments. Establish baselines for normal pipeline behavior and investigate deviations.
  • Separate build and deploy permissions: Use GitLab's protected environment feature to ensure that deployment pipelines require explicit environment-level permissions, independent of project-level access.

The Broader CI/CD Security Challenge

The recurring GitLab pipeline vulnerabilities highlight a broader challenge in CI/CD security: the pipeline execution environment is one of the most privileged contexts in modern software development, yet it is often treated with less rigor than production server access.

A CI/CD pipeline typically has:

  • Read access to all source code in the repository.
  • Access to deployment credentials for multiple environments.
  • The ability to publish software packages and container images.
  • The ability to modify infrastructure through IaC deployments.

This combination of capabilities makes CI/CD pipelines a high-value target. The industry needs to treat pipeline security with the same seriousness as production infrastructure security.

How Safeguard.sh Helps

Safeguard.sh provides governance for your CI/CD pipeline security posture.

  • Pipeline dependency tracking monitors your GitLab instance version and configuration, alerting you when critical vulnerabilities like CVE-2024-6678 affect your deployment.
  • Secret lifecycle management helps you track which credentials are stored in CI/CD variables, when they were last rotated, and whether they are scoped appropriately.
  • Build provenance verification ensures that software artifacts were produced by authorized pipelines running under expected user identities, detecting unauthorized builds.
  • Policy enforcement codifies your pipeline security requirements, ensuring that production deployments require appropriate approvals, that secrets are scoped correctly, and that pipeline configurations meet your security standards.

Your CI/CD pipeline has the keys to your kingdom. Protecting those keys requires continuous vigilance.

gitlabci-cd-securitycve-2024-6678
Back to all articles

More on #gitlab

View all →
Emerging Technology

GitLab OIDC Token Theft: Workflow Research

8 min read
DevSecOps

GitLab CI/CD Security Hardening for 2025

5 min read
DevSecOps

Hardening GitLab vs GitHub Default Settings

6 min read
DevSecOps

GitLab CI/CD Security Configuration

4 min read

Related articles in Vulnerability Analysis

Vulnerability Analysis

CVE-2024-4367 PDF.js Arbitrary Code Execution

CVE-2024-4367 is a PDF.js code-execution flaw via font handling that affects Firefox, Thunderbird, and every embedder. Root cause and remediation.

March 14, 2026Read
Vulnerability Analysis

CVE-2025-24071 Windows Explorer NTLM Hash Leak

A .library-ms file extracted from a zip archive can leak NTLM hashes without the user opening anything. Breakdown of CVE-2025-24071 and the defensive response.

March 12, 2026Read
Vulnerability Analysis

CVE-2024-29849 Veeam Auth Bypass Analysis

CVE-2024-29849 is a CVSS 9.8 auth bypass in Veeam Backup Enterprise Manager. Root cause, exploitation, detection, and patching guidance.

March 10, 2026Read

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.