GitLab Patches High-Severity 2FA Bypass and Multiple DoS Flaws in CE and EE Releases

GitLab has released patches for a high-severity vulnerability that allowed attackers to bypass two-factor authentication (2FA) on its platform, impacting both the Community Edition (CE) and Enterprise Edition (EE).

Tracked as CVE-2026-0723, the flaw was caused by an unchecked return value in GitLab’s authentication services: the outcome of a verification step was not acted on before the second factor was treated as satisfied. An attacker who already knew a victim’s credential ID (the identifier of the registered 2FA device, as the vendor statement below puts it) could exploit this weakness to circumvent 2FA protections by submitting forged device responses.

“GitLab has remediated an issue that could have allowed someone with existing knowledge of a victim’s credential ID to bypass two-factor authentication by submitting forged device responses,” the company said.
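The pattern the advisory describes, an unchecked return value (CWE-252) in a second-factor check, is easy to see in a reduced form. The Ruby below is an added illustration written for this page; it is not GitLab’s code and does not reproduce the real flaw. The class and method names (`DeviceVerifier`, `complete_second_factor_vulnerable`, `complete_second_factor_fixed`) are hypothetical, an HMAC stands in for an authenticator’s signature so the example runs offline, and the credential store, challenge and forged response are constructed sample data.

```ruby
require 'openssl'

# Hypothetical second-factor device verifier. It is deliberately simplified:
# a shared HMAC key per credential stands in for an authenticator's signing
# key, so the whole example runs offline. Real WebAuthn verification checks
# an asymmetric signature over authenticator data and client data.
class DeviceVerifier
  def initialize(credentials)
    @credentials = credentials # { credential_id => per-credential secret }
  end

  def known?(credential_id)
    @credentials.key?(credential_id)
  end

  # Returns true only when `response` is a valid MAC over `challenge` with
  # the key registered for `credential_id`. Never raises; the caller must
  # act on the boolean.
  def verify(credential_id, challenge, response)
    key = @credentials[credential_id]
    return false unless key
    expected = OpenSSL::HMAC.hexdigest('SHA256', key, challenge)
    constant_time_equal?(expected, response)
  end

  private

  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Vulnerable shape (CWE-252): the verifier runs, but its result is dropped.
# Knowing a registered credential ID is enough to finish the second factor.
def complete_second_factor_vulnerable(verifier, credential_id, challenge, response)
  return :unknown_credential unless verifier.known?(credential_id)
  verifier.verify(credential_id, challenge, response) # result never checked
  :authenticated
end

# Fixed shape: the verifier's result gates success.
def complete_second_factor_fixed(verifier, credential_id, challenge, response)
  return :unknown_credential unless verifier.known?(credential_id)
  return :rejected unless verifier.verify(credential_id, challenge, response)
  :authenticated
end

# Constructed demo data: one registered credential, one server challenge, a
# genuine response from the device holding the key, and an attacker's forgery
# produced with nothing but the credential ID.
DEMO_STORE = { 'cred-7f3a' => 'device-secret-key' }.freeze
DEMO_CHALLENGE = 'server-nonce-2f1c9e'.freeze
GENUINE_RESPONSE = OpenSSL::HMAC.hexdigest('SHA256', DEMO_STORE['cred-7f3a'], DEMO_CHALLENGE).freeze
FORGED_RESPONSE = ('0' * 64).freeze

def demo
  v = DeviceVerifier.new(DEMO_STORE)
  {
    vulnerable_forged: complete_second_factor_vulnerable(v, 'cred-7f3a', DEMO_CHALLENGE, FORGED_RESPONSE),
    fixed_forged:      complete_second_factor_fixed(v, 'cred-7f3a', DEMO_CHALLENGE, FORGED_RESPONSE),
    fixed_genuine:     complete_second_factor_fixed(v, 'cred-7f3a', DEMO_CHALLENGE, GENUINE_RESPONSE),
    fixed_unknown_id:  complete_second_factor_fixed(v, 'cred-0000', DEMO_CHALLENGE, GENUINE_RESPONSE),
  }
end

demo.each { |k, val| puts "#{k}: #{val}" } if $PROGRAM_NAME == __FILE__
```

The point of the comparison is that the vulnerable path still calls the verifier, so the bug does not show up as a missing call in a code search; it shows up only if the return value is traced to a decision. When reviewing authentication code, treat a boolean-returning verify call whose value is not consumed as a finding.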

Additional High-Severity DoS Vulnerabilities

GitLab also fixed two other high-severity security issues that could be exploited by unauthenticated attackers to cause denial-of-service (DoS) conditions:

  • CVE-2025-13927 – Crafted requests with malformed authentication data could crash or disrupt services.
  • CVE-2025-13928 – Incorrect authorization checks in certain API endpoints could be abused to trigger DoS.

Medium-Severity Issues Addressed

In addition, two medium-severity DoS vulnerabilities were patched:

  • CVE-2025-13335 – Malformed Wiki documents could bypass cycle detection and exhaust system resources.
  • CVE-2026-1102 – Repeated malformed SSH authentication requests could be used to degrade availability.

Patched Versions and Upgrade Guidance

To address these issues, GitLab released versions 18.8.2, 18.7.2, and 18.6.4 for both CE and EE.

“These releases include important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded immediately,” the company said.

GitLab.com is already running the patched versions, and GitLab Dedicated customers do not need to take any action.
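For self-managed administrators, the practical question is whether a given instance is at or above the fixed release for its branch. The Ruby helper below is an added example, not GitLab tooling; it encodes the three patched releases named above and classifies a version string. GitLab does expose the running version over the authenticated `GET /api/v4/version` endpoint as JSON with a `version` field; the sample body in the block is constructed, and the `revision` value in it is a placeholder.

```ruby
require 'json'

# Fixed releases named in the advisory, keyed by minor branch.
PATCHED_RELEASES = {
  [18, 6] => [18, 6, 4],
  [18, 7] => [18, 7, 2],
  [18, 8] => [18, 8, 2],
}.freeze

# GitLab reports versions like "18.8.1-ee" or "18.7.0"; keep the numeric triple.
def parse_gitlab_version(str)
  m = str.to_s.strip.match(/\A(\d+)\.(\d+)\.(\d+)/)
  raise ArgumentError, "unrecognised GitLab version: #{str.inspect}" unless m
  m.captures.map(&:to_i)
end

# :patched            - at or above the fixed release for its branch
# :vulnerable         - on a covered branch but below the fixed release
# :branch_not_covered - a branch this advisory names no fix for; older
#                       branches need a branch upgrade, anything newer must be
#                       checked against the release notes for that branch
def patch_status(version_str)
  v = parse_gitlab_version(version_str)
  fixed = PATCHED_RELEASES[v[0, 2]]
  return :branch_not_covered unless fixed
  (v <=> fixed) >= 0 ? :patched : :vulnerable
end

# Parses the JSON body returned by GET /api/v4/version and classifies it.
def patch_status_from_api_body(json_body)
  patch_status(JSON.parse(json_body).fetch('version'))
end

# Constructed sample response; the revision is a placeholder, not a real commit.
SAMPLE_API_BODY = '{"version":"18.8.1-ee","revision":"0000000"}'.freeze

if $PROGRAM_NAME == __FILE__
  %w[18.8.2-ee 18.8.1-ee 18.7.2 18.6.3-ce 18.5.9 19.0.0].each do |v|
    puts "#{v}: #{patch_status(v)}"
  end
  puts "api sample: #{patch_status_from_api_body(SAMPLE_API_BODY)}"
end
```

Version comparison is done branch by branch rather than against a single minimum because 18.6.4 is patched while 18.7.1 is not, even though 18.7.1 sorts higher; a naive "at least 18.6.4" check would clear an unpatched 18.7.x or 18.8.x instance.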

Exposure and Security Context

Internet security watchdog Shadowserver is currently tracking nearly 6,000 GitLab CE instances exposed online. Meanwhile, Shodan has identified more than 45,000 internet-facing devices with a GitLab fingerprint. Both figures measure exposure rather than confirmed vulnerability: a banner or fingerprint does not reveal whether an instance has already been upgraded.

This update follows earlier security advisories. In June 2025, GitLab patched multiple high-severity vulnerabilities related to account takeover and missing authentication checks, again urging customers to upgrade promptly.

GitLab’s Reach

GitLab says its DevSecOps platform has more than 30 million registered users and is used by over 50% of Fortune 100 companies, including Nvidia, Airbus, T-Mobile, Lockheed Martin, Goldman Sachs, and UBS.