GitLab Issues High-Severity 2FA Bypass and DoS Flaws, Urgent Update Patches

  • Jan 21
  • 2 min read

Key Findings


  • GitLab has released urgent security updates to address several high-severity vulnerabilities, including a critical two-factor authentication (2FA) bypass flaw and multiple denial-of-service (DoS) issues.

  • The 2FA bypass vulnerability (CVE-2026-0723) could allow an attacker to bypass the authentication mechanism designed to protect accounts, potentially leading to account takeovers.

  • The DoS vulnerabilities affect various GitLab components, including the Jira Connect integration, Releases API, Wiki, and SSH requests, allowing unauthenticated or authenticated users to crash GitLab instances.

  • GitLab strongly recommends that all self-managed installations be upgraded to versions 18.8.2, 18.7.2, or 18.6.4 to address these critical vulnerabilities.


Background


GitLab is a widely used open-source software development platform that provides a comprehensive suite of tools for version control, issue tracking, and continuous integration/continuous deployment (CI/CD). The platform is available in both Community Edition (CE) and Enterprise Edition (EE) versions.


2FA Bypass Vulnerability


The most concerning flaw in the latest GitLab update is CVE-2026-0723, an "unchecked return value" issue that could allow an attacker to bypass two-factor authentication (2FA) protection. This vulnerability affects all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2.


Denial-of-Service Vulnerabilities


The GitLab update also addresses several denial-of-service (DoS) vulnerabilities that could allow unauthenticated or authenticated users to crash GitLab instances:


  • CVE-2025-13927: An unauthenticated user could trigger a DoS by sending crafted requests with malformed authentication data to the Jira Connect integration.

  • CVE-2025-13928: Incorrect authorization validation allowed unauthenticated users to cause a DoS via the Releases API.

  • CVE-2025-13335: Authenticated users could create malformed Wiki documents that bypass cycle detection, sending the system into an infinite loop.

  • CVE-2026-1102: An unauthenticated user could cause a DoS by spamming repeated malformed SSH authentication requests.


Recommendations


GitLab strongly recommends that all self-managed GitLab installations be upgraded to versions 18.8.2, 18.7.2, or 18.6.4 immediately to address these critical vulnerabilities. Failure to patch leaves GitLab instances open to a mix of disruptive attacks and potential account takeovers.
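As an added example (not GitLab's own tooling or code from the source articles), the helper below checks a self-managed instance's version string against the affected ranges stated above and reports the first fixed release to upgrade to. It assumes the version string is in GitLab's usual `MAJOR.MINOR.PATCH` form, optionally with an edition suffix such as `-ee`; the sample versions at the bottom are constructed.

```python
"""Check a self-managed GitLab version against the ranges listed in this advisory."""
from typing import Optional, Tuple

# Affected series from the advisory, mapped to the first patched release:
# 18.6 before 18.6.4, 18.7 before 18.7.2, 18.8 before 18.8.2.
# Series not listed (e.g. 18.5 or earlier) are outside the advisory's scope,
# and this helper makes no claim about them.
FIXED_RELEASES = {
    (18, 6): (18, 6, 4),
    (18, 7): (18, 7, 2),
    (18, 8): (18, 8, 2),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH', ignoring an edition suffix such as '-ee'."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, upgrade_target).

    status is 'vulnerable' (below the fixed release of a listed series),
    'patched' (at or above it) or 'unlisted' (series not covered here).
    upgrade_target is the fixed release to move to, or None.
    """
    major, minor, patch = parse_version(text)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return "unlisted", None
    if (major, minor, patch) < fixed:
        return "vulnerable", ".".join(str(n) for n in fixed)
    return "patched", None


if __name__ == "__main__":
    # Constructed sample version strings (as returned by an instance's
    # GET /api/v4/version endpoint) for demonstration only.
    for sample in ["18.8.1-ee", "18.7.2", "18.6.3", "18.5.9"]:
        status, target = assess(sample)
        print(f"{sample}: {status}" + (f" -> upgrade to {target}" if target else ""))
```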


Sources


  • https://securityonline.info/gitlab-alert-high-severity-2fa-bypass-dos-flaws-patched-in-urgent-update/

  • https://securityonline.info/nvidia-patches-high-severity-flaws-in-graphics-and-ai-tools/

  • https://thehackernews.com/2026/01/zoom-and-gitlab-release-security.html
