
GitLab warns of high-severity 2FA bypass, denial-of-service flaws

GitLab has patched a high-severity two-factor authentication bypass impacting community and enterprise editions of its software development platform.

Tracked as CVE-2026-0723, this vulnerability stems from an unchecked return value weakness in GitLab's authentication services, allowing attackers who know the target's account ID to bypass two-factor authentication.

"GitLab has remediated an issue that could have allowed a user with existing knowledge of a victim's credential ID to bypass two-factor authentication by submitting forged device responses," the company explained.


GitLab also addressed two high-severity flaws affecting GitLab CE/EE that could enable unauthenticated threat actors to trigger denial-of-service (DoS) conditions by sending crafted requests with malformed authentication data (CVE-2025-13927) and by exploiting incorrect authorization validation in API endpoints (CVE-2025-13928).

Additionally, it patched two medium-severity DoS vulnerabilities that can be exploited by configuring malformed Wiki documents that bypass cycle detection (CVE-2025-13335) and by sending repeated malformed SSH authentication requests (CVE-2026-1102).

To address these security flaws, the company has released versions 18.8.2, 18.7.2, and 18.6.4 for GitLab Community Edition (CE) and Enterprise Edition (EE), and has advised admins to upgrade to the latest version as soon as possible.


"These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately," GitLab added. "GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action."
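A branch-aware version check, added here as an example and not part of the article or of GitLab's own tooling: it parses a self-managed instance's version string (such as the `version` field returned by GitLab's authenticated `GET /api/v4/version` endpoint) and reports whether the instance predates the fixed releases 18.8.2, 18.7.2 or 18.6.4 named above. The inventory is constructed sample data, and the check assumes that releases on branches newer than 18.8 include the fix.

```python
# Added example, not GitLab's code: triage self-managed GitLab versions against
# the patched releases named in the advisory (18.8.2, 18.7.2, 18.6.4).
import re
from typing import List, Tuple

# branch (MAJOR, MINOR) -> first patch level on that branch that carries the fix
PATCHED = {(18, 8): 2, (18, 7): 2, (18, 6): 4}
OLDEST_PATCHED_BRANCH = (18, 6)  # branches older than this received no fix


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' with an optional '-ee' / '-ce' edition suffix."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(?:ee|ce))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def needs_upgrade(text: str) -> bool:
    """True when the version predates the fixed release for its branch."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in PATCHED:
        return patch < PATCHED[branch]
    # Assumption: branches newer than 18.8 ship with the fix; older branches
    # (18.5 and below) never received a backport and must move to a fixed branch.
    return branch < OLDEST_PATCHED_BRANCH


# Constructed sample inventory, e.g. collected from GET /api/v4/version per host.
INVENTORY = [
    ("git.internal.example", "18.8.1-ee"),
    ("ci.example", "18.7.2-ee"),
    ("legacy.example", "18.5.6-ce"),
]


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, 'UPGRADE' | 'ok') rows, unpatched hosts first."""
    rows = [(h, v, "UPGRADE" if needs_upgrade(v) else "ok") for h, v in inventory]
    return sorted(rows, key=lambda r: r[2] != "UPGRADE")


if __name__ == "__main__":
    for host, version, status in triage(INVENTORY):
        print(f"{status:8} {host:24} {version}")
```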

Internet security watchdog Shadowserver is currently tracking nearly 6,000 GitLab CE instances exposed online, while Shodan found over 45,000 devices with a GitLab fingerprint.

In June 2025, GitLab also patched high-severity account takeover and missing authentication security issues, urging customers to upgrade their installations immediately.

GitLab says its DevSecOps platform has over 30 million registered users and is used by over 50% of Fortune 100 companies, including Nvidia, Airbus, T-Mobile, Lockheed Martin, Goldman Sachs, and UBS.
