GitLab inbound email issue notification

Jim Thavisouk ·
Mar 6, 2018 · 1 min read provides users the capability to create new issues via email, which can also be managed by Service Desk. This is accomplished through a dynamically generated email address that is currently being managed with GitLab's domain name ( It has come to our attention that an attacker can abuse this process to perform actions outside the intended scope with the domain. This issue impacts users who are using email an issue to project, Reply by Email, and Service Desk.

Customer remediation steps

Our users should check to see if they are using the create new issues via email feature.

If aliases were used, update those aliases from to

If domain whitelisting was used, please update those domains from to

These changes can be made immediately.

GitLab remediation strategy

We will update the addresses from to

We will reach out to users directly that are still using the old address to make sure the new addresses are being used instead, by April 17, 2018.

All addresses with the domain will be disabled April 31, 2018. Incoming email to the address will be rejected.

Edit this page View source