lolcreds

Public credential defaults and exposure patterns for authorized security testing.

GitLab

GitLab Inc.CI/CD13 credentials1 default credential

Credentials13 documented
01

Initial Root Password

gitlab / initial-root-password

Omnibus and Docker GitLab generate a random root password on first boot and write it to /etc/gitlab/initial_root_password. The file is auto-deleted 24 hours after install.

generated on installsecretpassword

Looks like

pattern
pattern

line inside the initial_root_password file; the value itself is per-install and has no fixed shape

^Password:\s+\S+$

Location

config file
/etc/gitlab/initial_root_password
logs

container / journald output on first boot in some deployments

Notes

Auto-deletion at 24 h is a mitigation, not a guarantee — it removes the file, not any access already captured, and not the account itself if never secured. The initial_root_password value can also be pre-set via gitlab_rails['initial_root_password'] in /etc/gitlab/gitlab.rb, which means the same value can leak from a plaintext gitlab.rb backup.

02

gitlab.rb Configuration Secrets

gitlab / gitlab-rb-secrets

The Omnibus main config file /etc/gitlab/gitlab.rb stores multiple secrets in plaintext: initial_root_password, database password (gitlab_rails['db_password']), initial_shared_runners_registration_token, Redis password, SMTP credentials, LDAP bind password, and more. The vendor explicitly documents that this file "should have file permissions 0600 because it contains plain-text passwords."

user definedsecretsecret value

Looks like

pattern
pattern

plaintext assignment in gitlab.rb; the value inside the quotes is the credential (Ruby DSL assignment; shape of the value is arbitrary)

gitlab_rails\['(db_password|initial_root_password|initial_shared_runners_registration_token)'\]\s*=\s*'[^']+'
pattern

MD5-hashed Postgres password (still directly usable with the DB)

postgresql\['sql_user_password'\]\s*=\s*'[a-f0-9]{32}'

Location

config file
/etc/gitlab/gitlab.rb

main Omnibus configuration; 0600 by design, world-readable in backups

build artifact

gitlab-ctl backup-etc archives, config-management output, snapshots

Notes

This is the single highest-value file on a GitLab host — one read hands you the DB password, the Rails-seeded root credential, and any pre-set runner registration tokens. Frequently exposed via misconfigured backups, config-management repos, and container images built with the file baked in.

03

Rails Encryption Secrets (gitlab-secrets.json)

gitlab / gitlab-secrets-json

/etc/gitlab/gitlab-secrets.json holds the Rails secret_key_base, db_key_base, and OTP/OpenID signing keys. These keys decrypt every encrypted value in the GitLab database — including stored CI/CD variables, integrations, and personal access tokens.

generated on installsecretsecret value

Looks like

pattern
pattern

JSON key/value pair; 64+ char hex value is the credential (config-file secret pattern — the key name identifies it)

"(secret_key_base|db_key_base|otp_key_base)":\s*"[a-f0-9]{64,}"

Location

config file
/etc/gitlab/gitlab-secrets.json
build artifact

gitlab-ctl backup-etc archives include this file

Notes

Losing this file is worse than losing an admin session — it lets an attacker decrypt every stored secret offline, including secrets belonging to users who never logged in through the attacker's access. Must be backed up separately from the DB backup, and consequently is often stored insecurely by operators who don't understand its role.

04

Bundled PostgreSQL User

gitlab / default-db-user

The Omnibus package's bundled PostgreSQL is created with the username 'gitlab' by default. Password is set via postgresql['sql_user_password'] (MD5-encoded) and consumed by gitlab_rails['db_password'] (plaintext).

static defaultcontext dependentusername/password

Default credentials

gitlab

Location

config file
/etc/gitlab/gitlab.rb

postgresql['sql_user_password'] and gitlab_rails['db_password']

database

bundled Postgres, TCP 5432 (localhost by default)

Notes

The bundled Postgres binds to localhost with peer/trust auth by default, so the username being "gitlab" isn't exploitable on its own — but the moment listen_address is changed for HA or external access, the known username plus a leaked gitlab.rb (see gitlab-rb-secrets) gives direct DB access. The DB holds every stored token in encrypted form; combined with gitlab-secrets.json it's a full offline compromise.

05

Personal / Project / Group Access Token

gitlab / personal-access-token

GitLab's family of user-scoped tokens all share the glpat- prefix: personal access tokens, impersonation tokens, project access tokens, and group access tokens.

user definedsecrettoken

Looks like

example
example
glpat-XXXXXXXXXXXXXXXXXXXX

Location

source code

git remote URLs, CI config, committed .env files

environment
GITLAB_TOKEN, CI_JOB_TOKEN, PRIVATE_TOKEN

Notes

Scope depends on how the token was minted; api scope is effectively full account access. The glpat- prefix was introduced specifically to make these detectable by secret scanners. Users routinely paste these into git remote URLs (https://oauth2:glpat-...@gitlab.example.com/…), which Git then writes to .git/config in plaintext.

06

OAuth Application Secret

gitlab / oauth-application-secret

Client secret for an OAuth 2.0 application registered in GitLab, used when GitLab acts as an OAuth provider for other services.

user definedsecrettoken

Looks like

example
example
gloas-XXXXXXXXXXXXXXXXXXXX

Location

source code

OAuth client configuration in downstream applications

config file

application config files that integrate with GitLab SSO

Notes

A leaked OAuth application secret lets an attacker impersonate the downstream application to GitLab, potentially receiving user tokens via a spoofed authorization flow.

07

Deploy Token

gitlab / deploy-token

Project-scoped credential (username + token) for cloning, pushing, and pulling packages and container registry images. Not tied to a user account and cannot be used with the GitLab API.

user definedsecrettoken

Looks like

example
example

prefix added in GitLab 16.7; older deploy tokens have no distinctive prefix

gldt-XXXXXXXXXXXXXXXXXXXX

Location

source code

docker login / helm registry login flows in CI files, kustomize configs

environment

Notes

Because deploy tokens have no user context, revocation and auditability are poor. A writable deploy token supports pushing malicious container images — a supply-chain concern for downstream consumers of the registry.

08

Deploy Key

gitlab / deploy-key

SSH key granting read-only or read-write access to a single repository, without a user account. The private key is what actually gets leaked.

user definedsecretkey pair

Looks like

pattern
pattern

identified by the header line; a full PEM example is multi-line and unhelpful as a specimen

-----BEGIN (OPENSSH|RSA|EC|DSA) PRIVATE KEY-----

Location

config file
~/.ssh/id_*, deploy.key in CI runner homedirs and Kubernetes Secrets
secret store

Notes

Scope is exactly one repo - smaller blast radius than a PAT, but writable deploy keys still enable per-repo supply-chain tampering. No 2FA, no user context.

09

Runner Authentication Token

gitlab / runner-authentication-token

Long-lived token stored on each GitLab Runner in config.toml, used to authenticate to GitLab and pick up jobs. Replaces the legacy runner registration token as of GitLab 16.0.

user definedsecrettoken

Looks like

example
example
glrt-XXXXXXXXXXXXXXXXXXXX
example

variant prefix when created via the legacy registration workflow

glrtr-XXXXXXXXXXXXXXXXXXXX

Location

config file
/etc/gitlab-runner/config.toml

token = "glrt-..." in each [[runners]] block

secret store

often referenced by Kubernetes Secrets when using the Runner Helm chart / operator

Notes

GitLab's own docs: "Malicious access to a runner's file system might expose the config.toml file and the runner authentication token. The attacker could use the runner authentication token to clone the runner." A cloned runner picks up real jobs and sees their secrets as they run. Common exposure: config.toml baked into container images or checked into infrastructure repos.

10

Runner Registration Token (legacy)

gitlab / runner-registration-token

Legacy instance/group/project token used to register new runners. Deprecated in favor of runner authentication tokens (GitLab 16.0+) but still functional on many self-managed instances.

user definedsecrettoken

Looks like

pattern
pattern

no distinctive prefix on legacy registration tokens; identified by context (found in gitlab.rb or CI onboarding scripts)

[A-Za-z0-9_\-]{20,}

Location

config file
/etc/gitlab/gitlab.rb

gitlab_rails['initial_shared_runners_registration_token']

source code

CI/CD onboarding scripts, Helm values files

Notes

A leaked registration token lets an attacker register their own runner to the instance/group/project, which then picks up real jobs and reads their CI variables. The initial_shared_runners_registration_token set in gitlab.rb is the highest-value variant — it's the instance-wide token, baked into a config file most operators forget grants runner registration to anyone who reads it.

11

CI/CD Job Token

gitlab / cicd-job-token

Short-lived token injected into every CI/CD job as CI_JOB_TOKEN. Valid only for the duration of the job; grants a limited set of API endpoints authenticated as the user who triggered the job.

generated on installsecrettoken

Looks like

example
example

prefix added in GitLab 16.9 (feature gated in 16.8)

glcbt-XXXXXXXXXXXXXXXXXXXX

Location

environment
CI_JOB_TOKEN
logs

echo'd into job logs by misconfigured pipelines; visible in artifacts

Notes

The token is short-lived but on shell/Docker Machine runners with MaxBuilds != 1 it can be captured by a subsequent job on the same host. Frequently accidentally echo'd in debug output despite GitLab's masking — masking is a display filter, not a control on what leaves the runner.

12

GitLab Agent for Kubernetes Token

gitlab / cluster-agent-token

Token that authenticates a GitLab Agent for Kubernetes back to the GitLab server. Grants the cluster agent the ability to receive configuration, run CI jobs on the cluster, and expose the cluster to GitLab-side features.

generated on installsecrettoken

Looks like

example
example
glagent-XXXXXXXXXXXXXXXXXXXX

Location

secret store

Kubernetes Secret used by the agent Helm chart (typically named gitlab-agent-token)

environment

Notes

The token authenticates one side of a bidirectional control channel between GitLab and the cluster. A leaked agent token is essentially persistent cluster access from anyone who can reach the GitLab instance.

13

Feed Token

gitlab / feed-token

Long-lived user token embedded in RSS/calendar feed URLs. Does not expire. Grants read-only access to the user's activity feed — including confidential issues — as if they were the user.

generated on installsecrettoken

Looks like

example
example
glft-XXXXXXXXXXXXXXXXXXXX

Location

source code

RSS/calendar URLs pasted into feed readers, wikis, bookmarks

http response

shared feed URLs in browser history and proxy logs

Notes

Users routinely paste their feed URL (containing the token) into shared calendar tools, wikis, and cross-team Slack messages, treating it as "just a link." Anyone with the token sees every issue the user can see. Reset immediately if exposed.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.