GitLab Issues Critical Patches for 2FA Bypass and DoS Vulnerabilities in Latest Updates


GitLab has recently issued critical security updates for both its Community Edition (CE) and Enterprise Edition (EE). The patched releases, 18.8.2, 18.7.2, and 18.6.4, address five significant vulnerabilities, ranging from high-severity authentication flaws to denial-of-service (DoS) conditions that could severely impact the platform’s core functionality.

Critical 2FA Bypass Vulnerability

The most pressing of these vulnerabilities is CVE-2026-0723, which involves an unchecked return value in the authentication services, potentially allowing attackers to bypass two-factor authentication (2FA). By exploiting this flaw, an attacker with knowledge of a victim’s credential ID could submit forged device responses, thereby gaining unauthorized access to user accounts. This vulnerability affects versions 18.6 through 18.8 and has been assigned a CVSS score of 7.4, indicating a high risk to both confidentiality and integrity.
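The flaw class named here, an unchecked return value in a second-factor check, is worth seeing in code. The following is an added, constructed illustration and not GitLab's code; it makes no claim about how the real flaw looked. It models a device response as an ECDSA P-256 signature over a server challenge, looked up by credential ID (the general shape of a WebAuthn assertion check, which is an assumption on my part), and places the vulnerable pattern beside the corrected one. The class and method names are hypothetical.

```ruby
require 'openssl'

# Added, constructed illustration of the bug class named in the advisory (an unchecked
# return value in a second-factor check); not GitLab's code. A "device response" is
# modelled as an ECDSA P-256 signature over a server challenge, selected by credential ID.
DIGEST = 'SHA256'.freeze

class SecondFactorVerifier
  # registry: credential_id => OpenSSL::PKey::EC
  # (a real registry would hold only the public key for each credential)
  def initialize(registry)
    @registry = registry
  end

  # Vulnerable pattern: verify is called, but its boolean never feeds the decision,
  # so any well-formed response naming a registered credential ID is accepted.
  def vulnerable_authenticate(credential_id, challenge, signature)
    key = @registry[credential_id]
    return false unless key
    key.verify(OpenSSL::Digest.new(DIGEST), signature, challenge) # result discarded
    true
  end

  # Fixed pattern: the verify result is the decision, and a malformed signature
  # (which raises rather than returning false) is treated as a failure as well.
  def authenticate(credential_id, challenge, signature)
    key = @registry[credential_id]
    return false unless key
    key.verify(OpenSSL::Digest.new(DIGEST), signature, challenge)
  rescue OpenSSL::PKey::PKeyError
    false
  end
end

# Run both variants against a genuine response, a response signed by a different
# device, garbage bytes, and an unknown credential ID; returns the outcomes.
def demo_second_factor
  registered   = OpenSSL::PKey::EC.generate('prime256v1')
  other_device = OpenSSL::PKey::EC.generate('prime256v1') # constructed: not the registered key
  verifier  = SecondFactorVerifier.new('cred-123' => registered)
  challenge = OpenSSL::Random.random_bytes(32)
  genuine   = registered.sign(OpenSSL::Digest.new(DIGEST), challenge)
  wrong_key = other_device.sign(OpenSSL::Digest.new(DIGEST), challenge)
  {
    vulnerable_accepts_genuine:   verifier.vulnerable_authenticate('cred-123', challenge, genuine),
    vulnerable_accepts_wrong_key: verifier.vulnerable_authenticate('cred-123', challenge, wrong_key),
    fixed_accepts_genuine:        verifier.authenticate('cred-123', challenge, genuine),
    fixed_rejects_wrong_key:      !verifier.authenticate('cred-123', challenge, wrong_key),
    fixed_rejects_garbage:        !verifier.authenticate('cred-123', challenge, "\x00not-a-signature"),
    fixed_rejects_unknown_id:     !verifier.authenticate('cred-999', challenge, genuine)
  }
end

p demo_second_factor if __FILE__ == $PROGRAM_NAME
```

The review check this suggests is a simple one: every call to a signature or assertion verifier must have its result consumed by the authentication decision, and an exception from the verifier must land on the deny path, not be swallowed or allowed to fall through to a success branch.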

Authorization and DoS Vulnerabilities

In addition to the 2FA bypass, two critical DoS vulnerabilities have been identified:

– CVE-2025-13927: This vulnerability in the Jira Connect integration allows unauthenticated users to craft malformed authentication requests that disrupt service. It affects versions 11.9 through 18.8.x and carries a CVSS score of 7.5.

– CVE-2025-13928: This issue involves incorrect authorization validation in the Releases API, enabling unauthorized users to trigger DoS conditions. It impacts versions 17.7 through 18.8.x and also has a CVSS score of 7.5.

Both vulnerabilities pose significant threats to the stability and availability of GitLab services.

Additional Vulnerabilities

Two medium-severity vulnerabilities have also been addressed:

– CVE-2025-13335: This vulnerability involves an infinite loop in Wiki redirects, which authenticated users can exploit by submitting malformed Wiki documents that bypass cycle detection. It affects versions 17.1 through 18.8.x and has a CVSS score of 6.5.

– CVE-2026-1102: This issue allows unauthenticated sources to disrupt the API endpoint with repeated malformed SSH authentication requests. It affects versions 12.3 through 18.8.x and has a CVSS score of 5.3.

Recommendations

GitLab strongly recommends that all self-managed installations be upgraded immediately to the latest versions to mitigate these vulnerabilities. Users of GitLab.com are already protected, and Dedicated customers require no action.

It’s important to note that database migrations may cause downtime on single-node instances. However, multi-node deployments can implement zero-downtime procedures. Post-deploy migrations are available for version 18.7.2.

Organizations should prioritize these upgrades to address the 2FA bypass vulnerability and prevent potential account compromises. Patch notifications are available via RSS feed subscription through GitLab’s security releases channel.
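For administrators triaging a fleet of self-managed instances, the first question is whether a given instance is at or above the fixed release for its line. The following is an added example, not GitLab's own tooling: the fixed version numbers come from the advisory text above, while the comparison rules, the function names, and the assumption that release lines newer than 18.8 already carry these fixes are mine. The sample JSON body mirrors the shape of GitLab's `GET /api/v4/version` response and is constructed.

```ruby
require 'json'

# Added example (not GitLab's tooling): classify a self-managed instance's version
# against the fixed releases named in the advisory. Version numbers come from the
# advisory; the comparison rules are mine.
FIXED_RELEASES = %w[18.6.4 18.7.2 18.8.2].freeze

# Parse "18.8.1", "18.8.1-ee" or "v18.8.1" into [major, minor, patch] integers.
def parse_version(str)
  m = str.to_s.match(/\A\s*v?(\d+)\.(\d+)\.(\d+)/)
  raise ArgumentError, "unrecognised GitLab version: #{str.inspect}" unless m
  m.captures.map(&:to_i)
end

# Returns one of:
#   :patched              - at or above the fixed release for its line, or a newer line
#   :upgrade_in_line      - same line as a fixed release but below the fixed patch level
#   :upgrade_to_supported - an older line with no fixed release; move to a patched line
def patch_status(version_str)
  major, minor, patch = parse_version(version_str)
  fixed = FIXED_RELEASES.map { |v| parse_version(v) }
  same_line = fixed.find { |f| f[0] == major && f[1] == minor }
  if same_line
    patch >= same_line[2] ? :patched : :upgrade_in_line
  elsif ([major, minor] <=> fixed.max[0, 2]) > 0
    :patched # assumption: release lines after 18.8 include these fixes
  else
    :upgrade_to_supported
  end
end

# Smallest fixed release a version should move to (nil when already patched).
# Older lines are pointed at the lowest fixed release as a floor; GitLab's own
# advice, as quoted above, is to move to the latest versions.
def recommended_target(version_str)
  return nil if patch_status(version_str) == :patched
  major, minor, = parse_version(version_str)
  in_line = FIXED_RELEASES.find { |v| parse_version(v)[0, 2] == [major, minor] }
  in_line || FIXED_RELEASES.first
end

# Wrapper for the JSON body returned by GET /api/v4/version,
# e.g. {"version":"18.8.1-ee","revision":"..."}.
def status_from_version_json(body)
  version = JSON.parse(body).fetch('version')
  { version: version, status: patch_status(version), target: recommended_target(version) }
end

if __FILE__ == $PROGRAM_NAME
  sample = '{"version":"18.8.1-ee","revision":"constructed-sample"}' # constructed
  p status_from_version_json(sample)
end
```

In practice the version string would come from the API call above (or from `gitlab-rake gitlab:env:info` on the host); the classification is the same either way, and an instance reporting `:upgrade_in_line` on the 18.6 or 18.7 line should be scheduled with the migration downtime caveat above in mind.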