GitLab has released an urgent security update for its Community Edition (CE) and Enterprise Edition (EE), patching a series of high-severity vulnerabilities that expose installations to Denial of Service (DoS) attacks and authentication bypasses. The release covers versions 18.8.2, 18.7.2, and 18.6.4, and administrators are strongly urged to upgrade immediately.
The update addresses five distinct CVEs, ranging from API exploits to a clever two-factor authentication (2FA) bypass.
Perhaps the most concerning flaw in the batch is CVE-2026-0723, an “unchecked return value” issue that hits at the heart of user security.
“GitLab has remediated an issue that could have allowed an individual with existing knowledge of a victim’s credential ID to bypass two-factor authentication by submitting forged device responses,” the advisory explains.
Rated with a CVSS score of 7.4, this vulnerability is particularly dangerous because it undermines the very mechanism designed to protect accounts from compromised passwords. It affects all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2.
The update also squashes multiple bugs that could allow attackers to crash GitLab instances:
- Jira Connect (CVE-2025-13927): An unauthenticated user could trigger a DoS by “sending crafted requests with malformed authentication data” to the Jira Connect integration.
- Releases API (CVE-2025-13928): Incorrect authorization validation allowed unauthenticated users to cause a DoS via the Releases API.
- Wiki Loops (CVE-2025-13335): Authenticated users could create “malformed Wiki documents that bypass cycle detection,” sending the system into an infinite loop.
- SSH Requests (CVE-2026-1102): An unauthenticated user could cause a DoS by spamming “repeated malformed SSH authentication requests”.
GitLab’s message is clear: “We strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately”.
For administrators, the target versions are 18.8.2, 18.7.2, and 18.6.4. Failing to patch leaves instances open to a mix of disruptive attacks and potential account takeovers.
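As an added example (not GitLab's own tooling), the Python helper below encodes the fixed releases named above and classifies an inventory of instance versions as patched, vulnerable, or outside the three lines the advisory covers; the host names and version strings are constructed, and it assumes versions in MAJOR.MINOR.PATCH form with an optional -ee/-ce suffix, as the /api/v4/version endpoint reports them.

```python
import re
from typing import Dict, Tuple

# First patched release per affected minor line, as stated in the advisory.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (18, 6): (18, 6, 4),
    (18, 7): (18, 7, 2),
    (18, 8): (18, 8, 2),
}

# Accepts "18.7.1", "v18.7.1" or "18.7.1-ee"; the edition suffix is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+.].*)?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '18.7.1-ee' into (18, 7, 1); reject anything else loudly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(text: str) -> str:
    """Classify one version as 'patched', 'vulnerable' or 'not-covered'.

    'not-covered' means the minor line is not one of the three the advisory
    names, so the instance needs separate review rather than a free pass.
    """
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "not-covered"
    return "vulnerable" if version < fixed else "patched"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Apply assess() to an {instance: version} inventory, for example one
    built from each instance's GET /api/v4/version response."""
    return {name: assess(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory sitting on the advisory's boundaries.
    sample = {"ci.example.internal": "18.7.1-ee",
              "code.example.internal": "18.8.2-ce",
              "legacy.example.internal": "18.5.3-ee"}
    for name, verdict in triage(sample).items():
        print(f"{name:26} {sample[name]:10} {verdict}")
```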