
GitLab has released security patches in versions 18.8.2, 18.7.2, and 18.6.4 for both Community Edition (CE) and Enterprise Edition (EE), addressing five vulnerabilities.
The patches resolve issues ranging from high-severity authentication flaws to denial-of-service conditions affecting core platform functionality.
Critical 2FA Bypass Vulnerability
The most severe vulnerability is CVE-2026-0723, an unchecked return value issue in authentication services enabling two-factor authentication bypass.
An attacker with knowledge of a victim’s credential ID could bypass 2FA protections by submitting forged device responses, potentially gaining unauthorized access to user accounts.
This vulnerability affects versions 18.6 through 18.8 and carries a CVSS score of 7.4, indicating high risk for confidentiality and integrity breaches.
| CVE ID | Vulnerability Type | Severity | CVSS Score | Affected Versions | Impact |
|---|---|---|---|---|---|
| CVE-2026-0723 | Unchecked Return Value in Authentication | High | 7.4 | 18.6–18.8.x | 2FA bypass via forged device responses |
| CVE-2025-13927 | DoS in Jira Connect Integration | High | 7.5 | 11.9–18.8.x | Unauthenticated service disruption |
| CVE-2025-13928 | Incorrect Authorization in Releases API | High | 7.5 | 17.7–18.8.x | Unauthorized DoS via API endpoint |
| CVE-2025-13335 | Infinite Loop in Wiki Redirects | Medium | 6.5 | 17.1–18.8.x | Authenticated user DoS via malformed Wiki docs |
| CVE-2026-1102 | DoS in API Endpoint | Medium | 5.3 | 12.3–18.8.x | Unauthenticated DoS via SSH authentication |
Authorization and DoS Vulnerabilities
CVE-2025-13927 and CVE-2025-13928 are both high-severity denial-of-service flaws, each with a CVSS score of 7.5.
CVE-2025-13927 lies in the Jira Connect integration: an unauthenticated attacker can send malformed authentication requests that disrupt the service.
CVE-2025-13928 stems from incorrect authorization validation in the Releases API, allowing an unauthorized caller to trigger a DoS condition through the endpoint.
Their affected ranges begin at 11.9 and 17.7 respectively and extend through 18.8.x.
CVE-2025-13335 involves an infinite loop vulnerability in Wiki redirects that authenticated users can exploit by submitting malformed Wiki documents that bypass cycle detection.
CVE-2026-1102 targets an API endpoint through repeated malformed SSH authentication requests from unauthenticated sources; it carries a lower CVSS score of 5.3 but a wide affected range, from 12.3 onward.
GitLab strongly recommends immediate upgrades for all self-managed installations. GitLab.com users are already protected, and Dedicated customers require no action.
Database migrations may cause downtime on single-node instances, though multi-node deployments can implement zero-downtime procedures. Post-deploy migrations are available for version 18.7.2.
Organizations should prioritize upgrades to address the 2FA bypass vulnerability and prevent potential account compromise. Patch notifications are available via RSS feed subscription through GitLab’s security releases channel.
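A self-managed administrator's first question is whether the running version falls inside any of the ranges in the table and, if so, which release to move to. The following is an added example (not GitLab's code) that encodes the table above and answers that question for a version string such as the one returned by GitLab's `GET /api/v4/version` endpoint. The sample JSON is constructed, the fix-series logic is an assumption drawn from the three patched versions named in the advisory, and it treats a series with no patch (for example 18.5.x) as affected with the nearest higher patched release as the target.

```python
"""Triage a GitLab version against the CVEs in this advisory.

Added example, not GitLab's own code. The fixed versions and affected
ranges are copied from the advisory table; the choice of "nearest patched
series" as the upgrade target is an assumption of this script.
"""
import json
import re

# First patched release in each maintained series, as named in the advisory.
FIXED = {(18, 8): (18, 8, 2), (18, 7): (18, 7, 2), (18, 6): (18, 6, 4)}
# Every affected range in the table ends at 18.8.x.
NEWEST_AFFECTED_SERIES = (18, 8)

# (CVE, first affected version) from the advisory table.
ADVISORY = [
    ("CVE-2026-0723", (18, 6, 0)),   # 2FA bypass via forged device responses
    ("CVE-2025-13927", (11, 9, 0)),  # unauthenticated DoS in Jira Connect
    ("CVE-2025-13928", (17, 7, 0)),  # incorrect authorization in Releases API
    ("CVE-2025-13335", (17, 1, 0)),  # infinite loop in Wiki redirects
    ("CVE-2026-1102", (12, 3, 0)),   # unauthenticated DoS via SSH authentication
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'18.7.1-ee' or '18.7.1' -> (18, 7, 1); edition suffixes are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True only when the version is at or above the fix release for its series.
    A version in a series without a fix (e.g. 18.5.x) is never patched."""
    fix = FIXED.get(version[:2])
    return fix is not None and version >= fix


def exposed_cves(version):
    """CVEs from the table whose affected range contains this version."""
    if is_patched(version) or version[:2] > NEWEST_AFFECTED_SERIES:
        return []
    return [cve for cve, first_affected in ADVISORY if version >= first_affected]


def upgrade_target(version):
    """Nearest fixed release: the same series if it has a fix, otherwise the
    lowest patched series above the running version. (The intermediate stops
    GitLab's upgrade path requires between series are out of scope here.)"""
    if not exposed_cves(version):
        return None
    if version[:2] in FIXED:
        return FIXED[version[:2]]
    later = [fix for fix in FIXED.values() if fix > version]
    return min(later) if later else None


def triage_instance(version_json):
    """Triage from the JSON body of GET /api/v4/version (fields: version, revision)."""
    version = parse_version(json.loads(version_json)["version"])
    return {
        "version": version,
        "patched": is_patched(version),
        "exposed": exposed_cves(version),
        "upgrade_to": upgrade_target(version),
    }


if __name__ == "__main__":
    # Constructed sample; a real instance returns this shape from /api/v4/version.
    sample = '{"version": "18.7.1-ee", "revision": "0000000"}'
    print(triage_instance(sample))
```

Run it against the body of `/api/v4/version` from your own instance (the endpoint needs an authenticated token on most configurations). An 18.7.1 instance is exposed to all five CVEs and should move to 18.7.2; an 18.5.x instance has no patch in its own series and is pointed at 18.6.4, which still has to be reached via GitLab's documented upgrade path.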
