
GitLab Fixes Flaw that Allows Two-Factor Authentication Bypass


GitLab has patched a high-severity two-factor authentication bypass affecting both the Community and Enterprise editions of its software development platform. Tracked as CVE-2026-0723, the vulnerability stems from an unchecked return value weakness in GitLab’s authentication code. As a result, an attacker who already knows a target’s credential ID can bypass two-factor authentication.

“GitLab has remediated an issue that could have allowed an individual with existing knowledge of a victim’s credential ID to bypass two-factor authentication by submitting forged device responses,” the company explained.
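To make the advisory’s “unchecked return value” concrete, the following Ruby sketch (added here; it is not GitLab’s code, and the credential ID, key, challenge and helper names are all constructed for the illustration) shows a WebAuthn-style second-factor check in the vulnerable shape and the fixed shape. The weakness class is CWE-252: the signature verifier runs and returns false for a forged device response, but the caller never consults that result.

```ruby
require "openssl"

# --- Constructed fixture (not GitLab data) --------------------------------
# At enrollment the server stores the authenticator's public key under a
# credential ID. The attacker in the advisory is assumed to know this ID.
CREDENTIAL_ID  = "cred-7f3a9c"
CREDENTIAL_KEY = OpenSSL::PKey::EC.generate("prime256v1")
CREDENTIALS    = { CREDENTIAL_ID => CREDENTIAL_KEY }.freeze
CHALLENGE      = OpenSSL::Random.random_bytes(32)
DIGEST         = "SHA256"

# Verifies a device response: the signature over the challenge must check
# out under the key registered for credential_id. Returns true/false and
# never raises, so a malformed (non-DER) signature is simply "invalid".
def assertion_valid?(credential_id, challenge, signature)
  key = CREDENTIALS[credential_id]
  return false unless key
  key.verify(OpenSSL::Digest.new(DIGEST), signature, challenge)
rescue OpenSSL::PKey::PKeyError
  false
end

# Stand-in for "set the 2FA-passed flag on the session"; always returns true.
def mark_second_factor_passed(_credential_id)
  true
end

# Vulnerable shape (CWE-252, Unchecked Return Value): the verifier runs, but
# its boolean result is dropped, so any response that names a registered
# credential ID completes the second factor. Schematic illustration of the
# weakness class the advisory names, not GitLab's implementation.
def two_factor_passed_vulnerable?(credential_id, challenge, signature)
  return false unless CREDENTIALS.key?(credential_id)
  assertion_valid?(credential_id, challenge, signature) # result never checked
  mark_second_factor_passed(credential_id)
end

# Fixed shape: the verifier's result gates the state change.
def two_factor_passed_fixed?(credential_id, challenge, signature)
  return false unless assertion_valid?(credential_id, challenge, signature)
  mark_second_factor_passed(credential_id)
end

# Two device responses: one from the enrolled authenticator, one forged by
# an attacker who knows the credential ID but holds a different key.
def genuine_response
  CREDENTIAL_KEY.sign(OpenSSL::Digest.new(DIGEST), CHALLENGE)
end

def forged_response
  OpenSSL::PKey::EC.generate("prime256v1").sign(OpenSSL::Digest.new(DIGEST), CHALLENGE)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, forged response: #{two_factor_passed_vulnerable?(CREDENTIAL_ID, CHALLENGE, forged_response)}"
  puts "fixed, forged response:      #{two_factor_passed_fixed?(CREDENTIAL_ID, CHALLENGE, forged_response)}"
  puts "fixed, genuine response:     #{two_factor_passed_fixed?(CREDENTIAL_ID, CHALLENGE, genuine_response)}"
end
```

The only difference between the two entry points is whether the boolean from `assertion_valid?` gates the state change. In the vulnerable shape the sole precondition is that the credential ID exists, which is exactly the “existing knowledge of a victim’s credential ID” the advisory describes. Note also that a verifier which reports failure by return value rather than by raising cannot rescue a caller that ignores it, which is why this pattern is worth a lint rule or a test that submits a deliberately bad signature.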

Additional High-Severity DoS Vulnerabilities

Beyond this issue, GitLab also fixed two high-severity flaws affecting GitLab CE/EE that could allow unauthenticated threat actors to trigger denial-of-service (DoS) conditions. In particular, attackers could send crafted requests with malformed authentication data (CVE-2025-13927) or exploit incorrect authorization validation in API endpoints (CVE-2025-13928).

GitLab also patched two medium-severity DoS vulnerabilities. These can be exploited by crafting malformed Wiki documents that bypass cycle detection (CVE-2025-13335) and by sending repeated malformed SSH authentication requests (CVE-2026-1102).

Security Updates and Recommended Actions

To address these security flaws, the company released versions 18.8.2, 18.7.2, and 18.6.4 for GitLab Community Edition (CE) and Enterprise Edition (EE), and advised administrators of self-managed installations to upgrade to one of them as soon as possible.

“These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately,” GitLab added. “GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.”

Meanwhile, internet security watchdog Shadowserver is currently tracking nearly 6,000 GitLab CE instances exposed online, while Shodan has discovered over 45,000 devices with a GitLab fingerprint.

Previously, in June 2025, GitLab patched high-severity account takeover and missing authentication security issues and urged customers to upgrade their installations immediately. According to GitLab, its DevSecOps platform now has over 30 million registered users and supports more than 50% of Fortune 100 companies, including Nvidia, Airbus, T-Mobile, Lockheed Martin, Goldman Sachs, and UBS.



Source: BleepingComputer
