GitLab Patches High-Severity 2FA Bypass and DoS Vulnerabilities in CE/EE
GitLab released security updates for self-managed GitLab Community Edition (CE) and Enterprise Edition (EE) to fix a high-severity two-factor authentication (2FA) bypass and multiple denial-of-service (DoS) flaws. The most significant issue, CVE-2026-0723 (CVSS 7.4), is an unchecked return value weakness in authentication services that could allow an attacker with knowledge of a victim’s credential/account ID to bypass 2FA by submitting forged device responses.
GitLab also patched DoS vulnerabilities affecting unauthenticated and authenticated scenarios, including crafted malformed authentication data against the Jira Connect integration (CVE-2025-13927), incorrect authorization validation in API endpoints such as the Releases API (CVE-2025-13928), malformed Wiki documents that bypass cycle detection (CVE-2025-13335), and repeated malformed SSH authentication requests (CVE-2026-1102). Fixed releases are 18.8.2, 18.7.2, and 18.6.4; GitLab advised administrators to upgrade immediately, noting GitLab.com is already patched, while third-party tracking indicated thousands of exposed GitLab CE instances remain online and potentially at risk if unpatched.
Timeline
Jan 21, 2026
GitLab urges self-managed admins to upgrade immediately
In its advisory, GitLab warned self-managed customers to apply the new releases quickly because unpatched instances could face service disruption or account compromise. GitLab also stated that GitLab.com was already running patched code and that GitLab Dedicated customers did not need to take action.
Jan 21, 2026
GitLab releases patches for 2FA bypass and DoS vulnerabilities
GitLab issued security updates 18.8.2, 18.7.2, and 18.6.4 for self-managed Community Edition and Enterprise Edition instances to fix multiple vulnerabilities. The patched issues include CVE-2026-0723, a high-severity two-factor authentication bypass flaw, along with four denial-of-service vulnerabilities affecting Jira Connect, the Releases API, Wiki redirects, and SSH authentication handling.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Organizations
Sources
Related Stories
GitLab Patches XSS and API Denial-of-Service Vulnerabilities in CE/EE
GitLab released security updates for **GitLab Community Edition (CE)** and **Enterprise Edition (EE)**, shipping patched versions **18.9.2**, **18.8.6**, and **18.7.6** to address multiple vulnerabilities affecting self-managed deployments. The Canadian Centre for Cyber Security issued advisory **AV26-222** urging organizations to review GitLab’s upstream advisory and apply the updates for any instances running versions prior to those releases. The update fixes **15 security issues**, including a high-severity **XSS** vulnerability (**CVE-2026-1090**, CVSS 8.7) in Markdown placeholder processing when the relevant feature flag is enabled, which could allow an authenticated attacker to inject malicious JavaScript into a victim’s browser. GitLab also addressed several **denial-of-service** conditions, including issues impacting the **GraphQL API** (resource exhaustion via recursion), repository archive endpoints, and JSON payload validation in the protected branches API; additional fixes include webhook-related DoS risks (e.g., **CVE-2025-13690**, **CVE-2025-12576**) and a **CRLF sequence** handling issue (**CVE-2026-3848**).
1 months ago
GitLab Security Update Fixes Web IDE Token Theft and DoS Vulnerabilities
GitLab released security updates for *Community Edition (CE)* and *Enterprise Edition (EE)*, shipping patched versions **18.8.4**, **18.7.4**, and **18.6.6** for self-managed deployments (with GitLab.com already remediated). The most severe issue, **CVE-2025-7659** (CVSS **8.0**), was attributed to *incomplete validation* in the **Web IDE** that could allow an **unauthenticated** attacker to steal access tokens and use them to access **private repositories**. The same release also addressed multiple high-severity availability and client-side issues, including **CVE-2025-8099** (CVSS **7.5**) enabling **DoS** via repeated/complex **GraphQL** queries and **CVE-2026-0958** (CVSS **7.5**) enabling resource exhaustion by bypassing **JSON validation middleware** limits. Additional fixes included CPU-exhaustion vectors involving specially crafted **Markdown** processing (e.g., **CVE-2026-1456** and **CVE-2026-1458**) and an **XSS** issue in code flow functionality (**CVE-2025-14560**, CVSS **7.3**) that could enable malicious script execution in a victim’s browser session.
1 months ago
GitLab Fixes DoS, Code Injection, and Access Control Flaws in Self-Managed Instances
GitLab released security updates for Community Edition and Enterprise Edition in versions **18.10.3**, **18.9.5**, and **18.8.9**, patching multiple vulnerabilities that affect self-managed deployments and urging administrators to upgrade immediately. The fixes address high-severity issues including a websocket access control flaw, denial-of-service conditions, and unintended server-side command execution tied to vulnerabilities such as `CVE-2026-5173`, `CVE-2026-1092`, and `CVE-2025-12664`. The release also resolves medium- and low-severity weaknesses involving code injection, cross-site scripting, GraphQL-related denial of service, CSV import and export handling, authorization bypasses, and information disclosure affecting private projects, protected environments, and custom roles. GitLab said some affected code paths date back to versions as old as 11.3 and 12.10, while **GitLab.com** and **GitLab Dedicated** are already protected; the company added that the patches require no new migrations and can be applied to multi-node deployments without downtime, although Omnibus packages still restart services during updates.
1 weeks ago