Mar 6, 2018 - Jim Thavisouk    

GitLab inbound email issue notification

We've identified a potential risk impacting those using our email an issue to project, Reply by Email, and Service Desk features. provides users the capability to create new issues via email, which can also be managed by Service Desk. This is accomplished through a dynamically generated email address that is currently being managed with GitLab's domain name ( It has come to our attention that an attacker can abuse this process to perform actions outside the intended scope with the domain. This issue impacts users who are using email an issue to project, Reply by Email, and Service Desk.

Customer remediation steps

Our users should check to see if they are using the create new issues via email feature.

If aliases were used, update those aliases from to

If domain whitelisting was used, please update those domains from to

These changes can be made immediately.

GitLab remediation strategy

We will update the addresses from to

We will reach out to users directly that are still using the old address to make sure the new addresses are being used instead, by March 20, 2018.

All addresses with the domain will be disabled April 3, 2018. Incoming email to the address will be rejected.

For the latest and most detailed news follow @gitlab on Twitter. Future blog posts suggestions RSS

Install GitLab in 2 minutes

With Ubuntu, Debian, CentOS, openSUSE, and Raspbian packages or from source

Install GitLab Now