GitLab has patched a high-severity two-factor authentication bypass impacting community and enterprise editions of its software development platform.
Tracked as CVE-2026-0723, this vulnerability stems from an unchecked return value weakness in GitLab’s authentication services, allowing attackers who know the target’s account ID to circumvent two-factor authentication.
“GitLab has remediated an issue that could have allowed an individual with existing knowledge of a victim’s credential ID to bypass two-factor authentication by submitting forged device responses,” the company explained.
GitLab also addressed two high-severity flaws affecting GitLab CE/EE that could enable unauthenticated threat actors to trigger denial-of-service (DoS) conditions by sending crafted requests with malformed authentication data (CVE-2025-13927) and exploiting incorrect authorization validation in API endpoints (CVE-2025-13928).
Additionally, it patched two medium-severity DoS vulnerabilities that can be exploited by configuring malformed Wiki documents that bypass cycle detection (CVE-2025-13335) and sending repeated malformed SSH authentication requests (CVE-2026-1102).
To address these security flaws, the company has released versions 18.8.2, 18.7.2, and 18.6.4 for GitLab Community Edition (CE) and Enterprise Edition (EE), and has advised admins to upgrade to the latest version as soon as possible.
“These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately,” GitLab added. “GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.”
Internet security watchdog Shadowserver is currently tracking nearly 6,000 GitLab CE instances exposed online, while Shodan discovered over 45,000 devices with a GitLab fingerprint.
In June 2025, GitLab also patched high-severity account takeover and missing authentication security issues, urging customers to upgrade their installations immediately.
GitLab says its DevSecOps platform has over 30 million registered users and is used by over 50% of Fortune 100 companies, including Nvidia, Airbus, T-Mobile, Lockheed Martin, Goldman Sachs, and UBS.
Whether you’re cleaning up old keys or setting guardrails for AI-generated code, this guide helps your team build securely from the start.
Get the cheat sheet and take the guesswork out of secrets management.
