Bleeping Computer reports that GitLab has released patches for a critical vulnerability that allowed attackers to bypass two-factor authentication. This flaw, tracked as CVE-2026-0723, affected both community and enterprise editions of the software development platform.The vulnerability stemmed from an unchecked return value in GitLab's authentication services, enabling attackers with knowledge of a target's account ID to circumvent two-factor authentication by submitting forged device responses. In addition to this critical flaw, GitLab also addressed two high-severity denial-of-service (DoS) vulnerabilities (CVE-2025-13927 and CVE-2025-13928) and two medium-severity DoS vulnerabilities (CVE-2025-13335 and CVE-2026-1102). These issues could be exploited through crafted requests, malformed authentication data, incorrect authorization validation, or malformed Wiki documents.GitLab has released versions 18.8.2, 18.7.2, and 18.6.4 to fix these issues, urging all self-managed installations to upgrade immediately. GitLab.com is already patched, and GitLab Dedicated customers require no action. With nearly 6,000 GitLab CE instances exposed online and over 45,000 devices identified with a GitLab fingerprint, the potential impact of these vulnerabilities is significant.Source: Bleeping Computer
Identity, Vulnerability Management, Patch/Configuration Management, DevOps

GitLab patches critical 2FA bypass vulnerability

(Credit: monticellllo – stock.adobe.com)

Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



