GitLab has released security patches addressing multiple vulnerabilities affecting both Community Edition (CE) and Enterprise Edition (EE).
Versions 18.8.2, 18.7.2, and 18.6.4 are now available to fix flaws that enable two-factor authentication bypass and denial-of-service attacks.
GitLab strongly recommends that all self-managed installations upgrade immediately, while GitLab.com has already deployed the patches.
Two-Factor Authentication Bypass Vulnerability (CVE-2026-0723)
The most serious flaw, tracked as CVE-2026-0723, is an unchecked return value issue in GitLab's authentication services. An attacker who knows a victim's credential ID (the identifier of a registered 2FA device) can submit forged device responses and pass the second-factor check without possessing the device.
This high-severity vulnerability (CVSS 7.4) affects all GitLab versions from 18.6 up to and including 18.8.1; the fixes ship in 18.6.4, 18.7.2 and 18.8.2. Because it defeats only the second factor, the practical risk falls on accounts whose passwords are already compromised, which is precisely where organizations rely on 2FA to hold the line.
| CVE ID | Vulnerability | CVSS Score | Severity |
|---|---|---|---|
| CVE-2026-0723 | Unchecked Return Value in authentication services (2FA bypass) | 7.4 | High |
| CVE-2025-13927 | Denial of Service in Jira Connect integration | 7.5 | High |
| CVE-2025-13928 | Incorrect Authorization in Releases API | 7.5 | High |
| CVE-2025-13335 | Infinite Loop in Wiki redirects | 6.5 | Medium |
| CVE-2026-1102 | Denial of Service in API endpoint (SSH requests) | 5.3 | Medium |
Security researcher ahacker1 discovered and reported the flaw through GitLab’s HackerOne bug bounty program.
Organizations relying on two-factor authentication for privileged accounts should prioritize this patch immediately.
GitLab also patched three denial-of-service issues that unauthenticated attackers could exploit:
- CVE-2025-13927 allows attackers to crash GitLab instances by sending crafted requests with malformed authentication data to the Jira Connect integration. This flaw has existed since GitLab version 11.9 and carries a CVSS score of 7.5.
- CVE-2025-13928 involves incorrect authorization validation in the Releases API, enabling unauthenticated users to trigger service disruptions. This vulnerability affects versions 17.7 and later.
- CVE-2026-1102, discovered internally by GitLab team member Thiago Figueiró, affects versions since 12.3. Attackers can cause a denial-of-service condition by sending repeated malformed SSH authentication requests to the affected API endpoint. At CVSS 5.3 it is rated medium severity, lower than the other two.
Additionally, CVE-2025-13335 fixes an infinite loop in Wiki redirects: an authenticated user can create specially crafted Wiki pages that bypass redirect cycle detection and cause service disruption (CVSS 6.5, medium severity).
GitLab emphasizes that all self-managed installations running affected versions must upgrade to the latest patch release immediately.
Single-node deployments will experience downtime during the upgrade, whereas multi-node installations can follow GitLab's zero-downtime upgrade procedure.
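Before scheduling the upgrade, an administrator needs to know whether the running version sits inside the affected ranges above and which patch release it should move to. The following Ruby script is an added example written for this article, not GitLab's own tooling: it takes the version string an instance reports (for example from `gitlab-rake gitlab:env:info` or `GET /api/v4/version`, which use the form `18.8.1-ee`) and returns the applicable CVEs and the target release. The lower bounds are taken from the advisory text as reported above; CVE-2025-13335 is left out because the text gives no affected range for it, and pointing versions older than 18.6 at 18.6.4 is an assumption made here (older lines receive no backport in this release, and a multi-minor jump must follow GitLab's documented upgrade path).

```ruby
# Added example (not GitLab's own code): map a self-managed GitLab version
# to the CVEs from this advisory that apply and the patch release to move to.
require 'rubygems' # Gem::Version ships with Ruby

# Patch release that closes every issue in this advisory, per minor line.
FIXED_RELEASES = {
  '18.6' => '18.6.4',
  '18.7' => '18.7.2',
  '18.8' => '18.8.2',
}.freeze

# First affected version of each CVE, as stated in the advisory text.
# CVE-2025-13335 (Wiki redirects) is omitted: no affected range is given.
FIRST_AFFECTED = {
  'CVE-2026-0723'  => '18.6', # 2FA bypass via forged device responses
  'CVE-2025-13927' => '11.9', # Jira Connect denial of service
  'CVE-2025-13928' => '17.7', # Releases API incorrect authorization
  'CVE-2026-1102'  => '12.3', # SSH-authentication API denial of service
}.freeze

# Assumption: lines older than 18.6 get no backport here, so they are
# pointed at the oldest patched line. Check GitLab's upgrade path first.
OLDEST_PATCHED_LINE = '18.6'

# GitLab reports versions as "18.8.1-ee" / "18.8.1-ce". Gem::Version would
# treat that suffix as a prerelease tag and sort it *below* "18.8.1", so
# strip it before comparing.
def parse_version(str)
  Gem::Version.new(str.strip.sub(/-(ee|ce)\z/i, ''))
end

# "18.8.1" -> "18.8"
def minor_line(version)
  version.segments[0, 2].join('.')
end

# Patch release this version should move to, or nil if already patched
# (or newer than the lines this advisory covers).
def target_release(str)
  v = parse_version(str)
  fixed = FIXED_RELEASES[minor_line(v)]
  if fixed
    v < Gem::Version.new(fixed) ? fixed : nil
  elsif v < Gem::Version.new(OLDEST_PATCHED_LINE)
    FIXED_RELEASES[OLDEST_PATCHED_LINE]
  end
end

# CVE IDs from this advisory that apply to the given version.
def applicable_cves(str)
  return [] if target_release(str).nil?

  v = parse_version(str)
  FIRST_AFFECTED.select { |_, first| v >= Gem::Version.new(first) }.keys
end

# Summary hash suitable for a change ticket or a quick fleet audit.
def upgrade_plan(str)
  cves = applicable_cves(str)
  { version: str, cves: cves, upgrade_to: cves.empty? ? nil : target_release(str) }
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby gitlab_advisory_check.rb 18.8.1-ee 18.5.3 18.7.2-ce
  ARGV.each { |arg| puts upgrade_plan(arg).inspect }
end
```

Running it against a fleet's reported versions turns the advisory's prose ranges into a per-instance list; an instance on 18.8.1-ee, for example, is affected by all four listed CVEs and should go to 18.8.2, while one already on 18.7.2 comes back clean.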
The company follows a responsible disclosure policy, publishing vulnerability details 30 days after patch releases to allow organizations adequate time to secure their systems.
