Cybersecurity

Cyber: Gitlab Warns Of High-severity 2fa Bypass, Denial-of-service Flaws

2026-01-21 0 views admin
Cyber: Gitlab Warns Of High-severity 2fa Bypass, Denial-of-service Flaws

GitLab has patched a high-severity two-factor authentication bypass impacting community and enterprise editions of its software development platform.

Tracked as CVE-2026-0723, this vulnerability stems from an unchecked return value weakness in GitLab's authentication services, allowing attackers who know the target's account ID to circumvent two-factor authentication.

"GitLab has remediated an issue that could have allowed an individual with existing knowledge of a victim's credential ID to bypass two-factor authentication by submitting forged device responses," the company explained.

GitLab also addressed two high-severity flaws affecting GitLab CE/EE that could enable unauthenticated threat actors to trigger denial-of-service (DoS) conditions by sending crafted requests with malformed authentication data (CVE-2025-13927) and exploiting incorrect authorization validation in API endpoints (CVE-2025-13928).

Additionally, it patched two medium-severity DoS vulnerabilities that can be exploited by configuring malformed Wiki documents that bypass cycle detection (CVE-2025-13335) and sending repeated malformed SSH authentication requests (CVE-2026-1102).

To address these security flaws, the company has released versions 18.8.2, 18.7.2, and 18.6.4 for GitLab Community Edition (CE) and Enterprise Edition (EE), and has advised admins to upgrade to the latest version as soon as possible.

"These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately," GitLab added. "GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action."

Internet security watchdog Shadowserver is currently tracking nearly 6,000 GitLab CE instances exposed online, while Shodan discovered over 45,000 devices with a GitLab fingerprint.

In June 2025, GitLab also patched high-severity account takeover and missing authentication security issues, urging customers to upgrade their installations immediately.

GitLab says its DevSecOps platform has over 30 million registered users and is used by over 50% of Fortune 100 companies, including Nvidia, Airbus, T-Mobile, Lockheed Martin, Goldman Sachs, and UBS.

Source: BleepingComputer

🏷️ Tags

securityvulnerabilitycveattackthreat

More from Cybersecurity

Cyber: Chainlit AI Framework Bugs Let Hackers Breach Cloud Environments

Cyber: Chainlit AI Framework Bugs Let Hackers Breach Cloud Environments

2026-01-21 0
Cyber: Cisco Fixes Unified Communications RCE Zero Day Exploited In Attacks

Cyber: Cisco Fixes Unified Communications RCE Zero Day Exploited In Attacks

2026-01-21 0
Cyber: New Android Malware Uses AI To Click On Hidden Browser Ads 2026

Cyber: New Android Malware Uses AI To Click On Hidden Browser Ads 2026

2026-01-21 0
Cyber: 'contagious Interview' Attack Now Delivers Backdoor Via Vs Code

Cyber: 'contagious Interview' Attack Now Delivers Backdoor Via Vs Code

2026-01-21 0

Trending

1

Tech: Go-legacy-winxp: Compile Golang 1.24 code for Windows XP

2026-01-15 • 4457 views
2

Tech: Data is the only moat

2026-01-15 • 4133 views
3

Tech: Pocket TTS: A high quality TTS that gives your CPU a voice

2026-01-15 • 3239 views
4

Tech: AWS European Sovereign Cloud

2026-01-15 • 2741 views
5

Tech: JuiceFS is a distributed POSIX file system built on top of Redis and S3

2026-01-15 • 2719 views