Steps to reproduce
Go to https://pre.gitlab.com
Here anyone can register and view the pre-production projects of GitLab developers.
I have registered at https://pre.gitlab.com/users/sign_in
and have created one test group and one test project.
I have created one test group.
And I have created one test project.
I went to look at the GitLab project members: https://pre.gitlab.com/qa-perf-testing/gitlabhq/project_members
I saw that it was created by your GitLab employee Ramya Authappan.
The attacker can not only access the internal projects of GitLab but can also create groups and projects on the pre-production server of GitLab.
The attacker will access the pre-production server of GitLab and access the groups and projects created by GitLab employees.
The attacker will also create projects and groups on the pre-production server of GitLab.