The patches resolve issues ranging from high-severity authentication flaws to denial-of-service conditions affecting core platform functionality.
The most severe vulnerability is CVE-2026-0723, an unchecked return value issue in authentication services enabling two-factor authentication bypass.
An attacker with knowledge of a victim’s credential ID could bypass 2FA protections by submitting forged device responses, potentially gaining unauthorized access to user accounts.
This vulnerability affects versions 18.6 through 18.8 and carries a CVSS score of 7.4, indicating high risk for confidentiality and integrity breaches.
| CVE ID | Vulnerability Type | Severity | CVSS Score | Affected Versions | Impact |
|---|---|---|---|---|---|
| CVE-2026-0723 | Unchecked Return Value in Authentication | High | 7.4 | 18.6–18.8.x | 2FA bypass via forged device responses |
| CVE-2025-13927 | DoS in Jira Connect Integration | High | 7.5 | 11.9–18.8.x | Unauthenticated service disruption |
| CVE-2025-13928 | Incorrect Authorization in Releases API | High | 7.5 | 17.7–18.8.x | Unauthorized DoS via API endpoint |
| CVE-2025-13335 | Infinite Loop in Wiki Redirects | Medium | 6.5 | 17.1–18.8.x | Authenticated user DoS via malformed Wiki docs |
| CVE-2026-1102 | DoS in API Endpoint | Medium | 5.3 | 12.3–18.8.x | Unauthenticated DoS via SSH authentication |
CVE-2025-13927 and CVE-2025-13928 represent critical denial-of-service threats.
CVE-2025-13927 exploits the Jira Connect integration, allowing unauthenticated users to craft malformed authentication requests that disrupt service.
CVE-2025-13928 involves incorrect authorization validation in the Releases API, enabling unauthorized DoS conditions.
Both carry CVSS scores of 7.5 and affect extensive version ranges from 11.9 to 17.7, respectively.
CVE-2025-13335 involves an infinite loop vulnerability in Wiki redirects that authenticated users can exploit by submitting malformed Wiki documents that bypass cycle detection.
CVE-2026-1102 targets the API endpoint through repeated malformed SSH authentication requests from unauthenticated sources, with a lower CVSS of 5.3 but broader affected versions from 12.3 onward.
GitLab strongly recommends immediate upgrades for all self-managed installations. GitLab.com users are already protected, and Dedicated customers require no action.
Database migrations may cause downtime on single-node instances, though multi-node deployments can implement zero-downtime procedures. Post-deploy migrations are available for version 18.7.2.
Organizations should prioritize upgrades to address the 2FA bypass vulnerability and prevent potential account compromise. Patch notifications are available via RSS feed subscription through GitLab’s security releases channel.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Multiple GitLab Vulnerabilities Enables 2FA Bypass and DoS Attacks appeared first on Cyber Security News.
The casting search for the next actor to play James Bond is officially underway. Amazon…
I can think of few activities I'd enjoy more than playing a video game on…
The list of nominees for the 2026 Will Eisner Comic Industry Awards has been revealed.…
A newly uncovered malware framework is raising serious alarms across the cybersecurity community. Researchers have…
A widely used JavaScript inter-process communication library has been weaponized again. Socket and Stepsecurity have…
Security researchers at Calif, a Palo Alto-based cybersecurity firm, have used techniques derived from an…
This website uses cookies.