An issue has been discovered in GitLab EE affecting all versions starting from 16.8 before 16.8.2. When a user is assigned a custom role with manage_group_access_tokens permission, they may be able to create group access tokens with Owner privileges, which may lead to privilege escalation.
Credits
This vulnerability has been discovered internally by GitLab team member [Rohit Shambhuni](https://gitlab.com/rshambhuni)
