Notice for GitKraken users with GitLab

Oct 11, 2021 · 1 min read
Tanuki GitLab profile

We’re sharing details on a vulnerability found with the Axosoft GitKraken software. Axosoft found a defect in the key gen package used by GitKraken versions 7.6.0 to 8.0.0 that could generate weak or duplicate SSH keys. This could enable an attacker to gain unauthorized access to an account or repositories on or a self-managed instance.

Based on our investigations to date, there is no indication that or any projects on that use the GitKraken tool have been impacted by this vulnerability.

Who is affected?

This vulnerability affects GitKraken users who created SSH keys using GitKraken releases from May 12, 2021 (7.6.0) to the week of September 27, 2021 (8.0.0).

GitKraken 8.0.1, released on September 28, 2021, fixes the bug.

Action we have taken

If affected, action you need to take

If you used a version of GitKraken prior to 8.0.1 to generate SSH keys, we highly recommend that you take the following actions:

Self-managed customers:

  1. Revoke the SSH keys immediately. For additional instructions, see:

  2. Update GitKraken to the latest version:

  3. Generate new SSH keys: customers:

  1. Update GitKraken to the latest version:

  2. Generate new SSH keys:

More information can be found in Axosoft’s disclosure: and in CVE-2021-41117.

For questions or concerns regarding GitKraken or its use with GitLab, please contact Axosoft ([email protected]). For questions concerning your GitLab account, please contact our Support department.

“If you are using Axosoft’s GitKraken software with GitLab, upgrade immediately to 8.0.1 or later and update your SSH keys. Get more details in this blog post.” – GitLab

Click to tweet

Edit this page View source