The most critical security issue GitLab patched has the maximum severity score (10 out of 10) and is being tracked as CVE-2023-7028. Successful exploitation does not require any interaction.
It is an authentication problem that permits password reset requests to be sent to arbitrary, unverified email addresses, allowing account takeover. If two-factor authentication (2FA) is active, it is possible to reset the password but the second authentication factor is still needed for successful login.
oof.
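To make the flaw class concrete from a defender's side, here is an added, constructed Ruby illustration (not GitLab's code, and not a reproduction of the actual GitLab defect) of a password-reset handler that lets the request choose where the reset token is delivered, beside a hardened version that only ever mails the account's own verified address and answers uniformly for unknown addresses. The user table, the `Outbox` class and all addresses are made up for the example.

```ruby
# Constructed example: the weak vs. hardened shape of a password-reset flow.
# Not GitLab's code; user data and addresses below are invented for illustration.
require 'securerandom'

# In-memory "database". An email marked verified: true was confirmed through a
# confirmation link at signup; verified: false was merely typed into a form.
USERS = {
  'alice' => { emails: [
    { address: 'alice@example.com',     verified: true  },
    { address: 'alice-old@example.org', verified: false }
  ] }
}

# Stand-in for the mailer: records (address, token) pairs so the outcome is inspectable.
class Outbox
  attr_reader :sent
  def initialize; @sent = []; end
  def deliver(address, token); @sent << [address, token]; end
end

# Looks up the account that owns an address (verified or not).
def find_user_by_email(address)
  USERS.values.find { |u| u[:emails].any? { |e| e[:address] == address } }
end

# WEAK: the request supplies both the account to reset and the list of delivery
# addresses, and the handler never checks that the delivery addresses belong to
# that account or were verified. The token can therefore be mailed to an address
# the account owner never controlled.
def reset_weak(outbox, account_email, deliver_to)
  user = find_user_by_email(account_email)
  return false unless user
  token = SecureRandom.hex(16)
  deliver_to.each { |addr| outbox.deliver(addr, token) }
  true
end

# HARDENED: the request names exactly one address; the token is sent only if that
# address is registered on an account AND has been verified, and it is sent only
# to that address. The return value is the same in every case so the endpoint
# does not reveal which addresses exist.
def reset_hardened(outbox, account_email)
  user = find_user_by_email(account_email)
  if user
    entry = user[:emails].find { |e| e[:address] == account_email }
    outbox.deliver(entry[:address], SecureRandom.hex(16)) if entry[:verified]
  end
  true
end

if __FILE__ == $0
  ob = Outbox.new
  reset_weak(ob, 'alice@example.com', ['alice@example.com', 'mallory@example.net'])
  puts "weak handler delivered to: #{ob.sent.map(&:first).inspect}"
  ob = Outbox.new
  reset_hardened(ob, 'alice-old@example.org')
  puts "hardened handler, unverified address, delivered to: #{ob.sent.map(&:first).inspect}"
end
```

The hardened handler also leaves the second factor untouched: as the notice says, a reset token only replaces the password, so an account with 2FA enabled still requires the second factor at login, which is why enabling 2FA remains a useful mitigation even where the reset flow itself is flawed.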