March 6, 2018

GitLab inbound email issue notification

We've identified a potential risk impacting those using our email an issue to project, Reply by Email, and Service Desk features.

GitLab provides users the capability to create new issues via email, which can also be managed by Service Desk. This is accomplished through a dynamically generated email address that is currently being managed with GitLab's domain name ( It has come to our attention that an attacker can abuse this process to perform actions outside the intended scope with the domain. This issue impacts users who are using email an issue to project, Reply by Email, and Service Desk.

Customer remediation steps

Our users should check to see if they are using the create new issues via email feature.

If aliases were used, update those aliases from to

If domain whitelisting was used, please update those domains from to

These changes can be made immediately.

GitLab remediation strategy

We will update the addresses from to

We will reach out to users directly that are still using the old address to make sure the new addresses are being used instead, by April 17, 2018.

All addresses with the domain will be disabled April 31, 2018. Incoming email to the address will be rejected.
