GitLab has released critical security patches addressing 5 vulnerabilities across versions 18.8.2, 18.7.2, and 18.6.4 for both Community Edition (CE) and Enterprise Edition (EE).
The patches resolve issues ranging from high-severity authentication flaws to denial-of-service conditions affecting core platform performance.
Critical 2FA Bypass Vulnerability
The most severe vulnerability is CVE-2026-0723, an unchecked return value issue in authentication services that enables a two-factor authentication bypass.
An attacker who knows a victim's credential ID could bypass 2FA protections by submitting forged device responses, potentially gaining unauthorized access to user accounts.
This vulnerability affects versions 18.6 through 18.8 and carries a CVSS score of 7.4, indicating high risk for confidentiality and integrity breaches.
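The flaw class named above, an unchecked return value in an authentication path, is easy to illustrate in isolation. The following Ruby is an added example written for this article, not GitLab's code and not the actual CVE-2026-0723 code path: the device registry, the HMAC stand-in for a device signature, and the function names are all constructed. It shows a verifier whose boolean result is discarded by its caller, beside the hardened caller that makes the result the decision and logs failures for detection.

```ruby
require 'openssl'

# Constructed device registry (hypothetical; not GitLab's data model): credential ID => per-device secret.
# Real second-factor devices sign challenges with asymmetric keys; an HMAC stands in for that signature here.
DEVICE_KEYS = { "cred-1234" => "device-secret-key" }.freeze

# Constant-time comparison so a forged response cannot be refined byte by byte through timing differences.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What a genuine registered device would produce for a login challenge (used to build valid inputs).
def sign_with_device(credential_id, challenge)
  OpenSSL::HMAC.hexdigest("SHA256", DEVICE_KEYS.fetch(credential_id), challenge)
end

# Verifier: true only if the response is a valid signature of this challenge by the registered device.
def verify_device_response(credential_id, challenge, response)
  key = DEVICE_KEYS[credential_id]
  return false if key.nil? || response.nil?
  secure_equal?(OpenSSL::HMAC.hexdigest("SHA256", key, challenge), response)
end

# Vulnerable pattern (unchecked return value): the verifier runs, but its result never gates the
# outcome, so any response at all completes the second factor.
def second_factor_vulnerable(credential_id, challenge, response)
  verify_device_response(credential_id, challenge, response) # result silently dropped
  :authenticated
end

# Hardened pattern: the boolean result is the decision, and each failure is recorded so repeated
# bad device responses against one credential ID show up in monitoring.
AUDIT_LOG = []
def second_factor_hardened(credential_id, challenge, response)
  unless verify_device_response(credential_id, challenge, response)
    AUDIT_LOG << "2fa_failure credential_id=#{credential_id}"
    return :rejected
  end
  :authenticated
end
```

The point of the pair is that the verifier itself is correct in both cases; the defect lives entirely in the caller, which is why review of authentication code should check every call whose return value carries the verdict, not only the cryptographic routine.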
CVE ID         | Vulnerability Type                        | Severity | CVSS Score | Affected Versions | Impact
CVE-2026-0723  | Unchecked Return Value in Authentication  | High     | 7.4        | 18.6–18.8.x       | 2FA bypass via forged device responses
CVE-2025-13927 | DoS in Jira Connect Integration           | High     | 7.5        | 11.9–18.8.x       | Unauthenticated service disruption
CVE-2025-13928 | Incorrect Authorization in Releases API   | High     | 7.5        | 17.7–18.8.x       | Unauthorized DoS via API endpoint
CVE-2025-13335 | Infinite Loop in Wiki Redirects           | Medium   | 6.5        | 17.1–18.8.x       | Authenticated user DoS via malformed Wiki docs
CVE-2026-1102  | DoS in API Endpoint                       | Medium   | 5.3        | 12.3–18.8.x       | Unauthenticated DoS via SSH authentication
Authorization and DoS Vulnerabilities
CVE-2025-13927 and CVE-2025-13928 represent significant denial-of-service threats.
CVE-2025-13927 lies in the Jira Connect integration, allowing unauthenticated users to craft malformed authentication requests that disrupt service.
CVE-2025-13928 involves incorrect authorization validation in the Releases API, enabling unauthorized DoS conditions.
Both carry CVSS scores of 7.5 and affect extensive version ranges, starting from 11.9 and 17.7 respectively.
CVE-2025-13335 involves an infinite loop in Wiki redirects that authenticated users can trigger by submitting malformed Wiki documents that bypass cycle detection.
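The Wiki redirect issue is a cycle-detection failure, and the defensive fix is the same whatever the specific document format: normalize each target before recording it as visited, and bound the number of hops regardless. The Ruby below is an added example written for this article, not GitLab's wiki code; the redirect table, slug normalization rules and return values are constructed. It covers the case a naive resolver misses, where two spellings of the same page (case and trailing slash) defeat a visited set keyed on raw strings, plus a self-loop and an over-long chain.

```ruby
require 'set'

# Constructed redirect table (hypothetical): page slug => redirect target, or nil for a real page.
# Keys are stored normalized, as a lookup would be, but targets are whatever the author wrote.
REDIRECTS = {
  "home"      => "start",
  "start"     => "Start/",    # same page as "start" once normalized; raw-string cycle checks miss this
  "old-page"  => "new-page",
  "new-page"  => nil,
  "loop-self" => "loop-self"
}.freeze

MAX_HOPS = 10

# Canonical form of a slug: lower-case, trimmed, no trailing slashes.
def normalize(slug)
  slug.to_s.strip.downcase.sub(%r{/+\z}, "")
end

# Follow redirects from +slug+ through +table+. Returns [status, slug, hops] where status is
# :ok (landed on a real page), :missing (target does not exist), :cycle (target already visited
# under its normalized name) or :too_many_hops (hop budget exhausted before any of the above).
def resolve_redirects(table, slug, max_hops: MAX_HOPS)
  current = normalize(slug)
  visited = Set[current]          # visited set keyed on normalized slugs, not raw targets
  hops = 0
  loop do
    return [:missing, current, hops] unless table.key?(current)
    target = table[current]
    return [:ok, current, hops] if target.nil?
    return [:too_many_hops, current, hops] if hops >= max_hops   # hard ceiling, independent of cycle check
    nxt = normalize(target)
    return [:cycle, nxt, hops + 1] if visited.include?(nxt)
    visited << nxt
    current = nxt
    hops += 1
  end
end
```

The hop cap is deliberately kept even though the visited set already catches cycles: it is the backstop for any future normalization gap, and it turns a worst-case request into a bounded amount of work rather than a hung worker.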
CVE-2026-1102 targets the API endpoint through repeated malformed SSH authentication requests from unauthenticated sources, with a lower CVSS of 5.3 but a broader range of affected versions, from 12.3 onward.
GitLab strongly recommends immediate upgrades for all self-managed installations. GitLab.com users are already protected, and Dedicated customers require no action.
Database migrations may cause downtime on single-node instances, though multi-node deployments can use zero-downtime upgrade procedures. Post-deploy migrations are available for version 18.7.2.
Organizations should prioritize upgrades to address the 2FA bypass vulnerability and prevent potential account compromise. Patch notifications are available via RSS feed subscription to GitLab's security releases channel.