Identity, Vulnerability Management, Patch/Configuration Management, DevOps

GitLab patches critical 2FA bypass vulnerability

(Credit: monticellllo – stock.adobe.com)

Bleeping Computer reports that GitLab has released patches for a critical vulnerability that allowed attackers to bypass two-factor authentication. This flaw, tracked as CVE-2026-0723, affected both community and enterprise editions of the software development platform.

The vulnerability stemmed from an unchecked return value in GitLab's authentication services, enabling attackers with knowledge of a target's account ID to circumvent two-factor authentication by submitting forged device responses. In addition to this critical flaw, GitLab also addressed two high-severity denial-of-service (DoS) vulnerabilities (CVE-2025-13927 and CVE-2025-13928) and two medium-severity DoS vulnerabilities (CVE-2025-13335 and CVE-2026-1102). These issues could be exploited through crafted requests, malformed authentication data, incorrect authorization validation, or malformed Wiki documents.

GitLab has released versions 18.8.2, 18.7.2, and 18.6.4 to fix these issues, urging all self-managed installations to upgrade immediately. GitLab.com is already patched, and GitLab Dedicated customers require no action. With nearly 6,000 GitLab CE instances exposed online and over 45,000 devices identified with a GitLab fingerprint, the potential impact of these vulnerabilities is significant.

Source: Bleeping Computer

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds