
GitLab Issues High-Severity 2FA Bypass and DoS Flaws, Urgent Update Patches

  • Jan 21
  • 2 min read

Key Findings


  • GitLab has released urgent security updates to address several high-severity vulnerabilities, including a two-factor authentication (2FA) bypass flaw and multiple denial-of-service (DoS) issues.

  • The 2FA bypass vulnerability (CVE-2026-0723) could allow an attacker to get past the second factor on an account that has 2FA enabled, potentially leading to account takeover.

  • The DoS vulnerabilities affect various GitLab components, including the Jira Connect integration, Releases API, Wiki, and SSH requests, allowing unauthenticated or authenticated users to crash GitLab instances.

  • GitLab strongly recommends that all self-managed installations be upgraded to version 18.8.2, 18.7.2, or 18.6.4 to address these vulnerabilities.


Background


GitLab is a widely used open-source software development platform that provides a comprehensive suite of tools for version control, issue tracking, and continuous integration/continuous deployment (CI/CD). The platform is available in both Community Edition (CE) and Enterprise Edition (EE) versions; the vulnerabilities below affect both.


2FA Bypass Vulnerability


The most concerning flaw in the latest GitLab update is CVE-2026-0723, an "unchecked return value" issue (CWE-252) that could allow an attacker to bypass two-factor authentication (2FA) protection. This vulnerability affects all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2. GitLab has not published details of which check is skipped, so the only reliable mitigation is upgrading to a fixed version.


Denial-of-Service Vulnerabilities


The GitLab update also addresses several denial-of-service (DoS) vulnerabilities that could allow unauthenticated or authenticated users to crash GitLab instances:


  • CVE-2025-13927: An unauthenticated user could trigger a DoS by sending crafted requests with malformed authentication data to the Jira Connect integration.

  • CVE-2025-13928: Incorrect authorization validation allowed unauthenticated users to cause a DoS via the Releases API.

  • CVE-2025-13335: Authenticated users could create malformed Wiki documents that bypass cycle detection, sending the system into an infinite loop.

  • CVE-2026-1102: An unauthenticated user could cause a DoS by spamming repeated malformed SSH authentication requests.


Recommendations


GitLab strongly recommends that all self-managed GitLab installations be upgraded to version 18.8.2, 18.7.2, or 18.6.4 immediately to address these vulnerabilities. Failure to patch leaves GitLab instances open to a mix of disruptive attacks and potential account takeovers. Note that the fix versions are per release line: an instance on 18.7 is fixed at 18.7.2, not at 18.6.4, and an instance on a line older than 18.6 is outside the ranges the advisory names and should be treated as exposed until it is upgraded.
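As an added example, not code from the page or from GitLab, the script below classifies a self-managed instance's version against the three affected ranges stated above and can read that version from the instance itself. It assumes the standard authenticated GET /api/v4/version endpoint and a personal access token; the "newer" verdict for a release line after 18.8 is an assumption that later lines carry the fixes, which you should confirm against GitLab's release notes.

```python
"""Constructed example (not GitLab's own tooling): classify a self-managed GitLab
version against the affected ranges stated in the advisory summarised above,
and optionally read that version from the instance's /api/v4/version endpoint.
"""
import json
import re
import sys
import urllib.request

# Fix versions per release line, as stated in the advisory.
FIXED = {
    (18, 6): (18, 6, 4),
    (18, 7): (18, 7, 2),
    (18, 8): (18, 8, 2),
}
OLDEST_COVERED = min(FIXED)  # (18, 6): the oldest release line the advisory names

VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn strings such as '18.7.1-ee' or 'v18.8.2' into a comparable tuple.

    GitLab reports its version with an edition suffix (-ce/-ee) and sometimes
    '-pre' on development builds; only the numeric triple matters here.
    """
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(version):
    """Return 'affected', 'patched', 'unsupported' or 'newer' for a version string.

    - affected:    on a release line the advisory names, below its fix version
    - patched:     on a named line, at or above its fix version
    - unsupported: older than any line the advisory names (not fixed; treat as exposed)
    - newer:       a line released after 18.8 (assumption: carries the fixes;
                   confirm against GitLab's release notes)
    """
    v = parse_version(version)
    line = v[:2]
    if line in FIXED:
        return "affected" if v < FIXED[line] else "patched"
    if line < OLDEST_COVERED:
        return "unsupported"
    return "newer"


def fetch_version(base_url, token):
    """Read the running version via the authenticated GET /api/v4/version endpoint."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Usage: python gitlab_version_check.py https://gitlab.example.com <personal-access-token>
    # or:    python gitlab_version_check.py 18.7.1-ee   (assess a known version offline)
    if len(sys.argv) == 3:
        running = fetch_version(sys.argv[1], sys.argv[2])
    elif len(sys.argv) == 2:
        running = sys.argv[1]
    else:
        sys.exit("usage: gitlab_version_check.py <base-url> <token> | <version>")
    verdict = assess(running)
    print(f"{running}: {verdict}")
    sys.exit(0 if verdict in ("patched", "newer") else 1)
```

The comparison is done on numeric tuples rather than on the raw string, so 18.8.0 correctly sorts below 18.8.2 and 18.10.x is not mistaken for something older than 18.8. The non-zero exit status makes the script usable as a gate in a scheduled job or a CI pipeline that inventories self-managed instances.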


Sources


  • https://securityonline.info/gitlab-alert-high-severity-2fa-bypass-dos-flaws-patched-in-urgent-update/

  • https://securityonline.info/nvidia-patches-high-severity-flaws-in-graphics-and-ai-tools/

  • https://thehackernews.com/2026/01/zoom-and-gitlab-release-security.html

© 2025 by Explain IT Again.
