Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
AsyncRAT Campaign Leverages ScreenConnect to Evade Detection
July 2, 2026
AsyncRAT Campaign Exploits Cloudflare Tunnels and Python for Malware Delivery
July 2, 2026
New Microsoft 365 Phishing Uses OAuth Device Code Flow to Steal Tokens
July 2, 2026
Home/CyberSecurity News/Multiple GitLab Vulnerabilities Enables 2FA Bypass and DoS Attacks
CyberSecurity News

Multiple GitLab Vulnerabilities Enables 2FA Bypass and DoS Attacks

GitLab has issued critical security patches for its Community Edition (CE) and Enterprise Edition (EE), addressing five vulnerabilities across versions 18.8.2, 18.7.2, and 18.6.4. The patches resolve...

Emy Elsamnoudy
Emy Elsamnoudy
January 21, 2026 2 Min Read
34 0

GitLab has issued critical security patches for its Community Edition (CE) and Enterprise Edition (EE), addressing five vulnerabilities across versions 18.8.2, 18.7.2, and 18.6.4.

The patches resolve issues ranging from high-severity authentication flaws to denial-of-service conditions affecting core platform functionality.

Critical 2FA Bypass Vulnerability

The most severe vulnerability is CVE-2026-0723, an unchecked return value issue in authentication services enabling two-factor authentication bypass.

An attacker with knowledge of a victim’s credential ID could bypass 2FA protections by submitting forged device responses, potentially gaining unauthorized access to user accounts.

This vulnerability affects versions 18.6 through 18.8 and carries a CVSS score of 7.4, indicating high risk for confidentiality and integrity breaches.

CVE ID Vulnerability Type Severity CVSS Score Affected Versions Impact
CVE-2026-0723 Unchecked Return Value in Authentication High 7.4 18.6–18.8.x 2FA bypass via forged device responses
CVE-2025-13927 DoS in Jira Connect Integration High 7.5 11.9–18.8.x Unauthenticated service disruption
CVE-2025-13928 Incorrect Authorization in Releases API High 7.5 17.7–18.8.x Unauthorized DoS via API endpoint
CVE-2025-13335 Infinite Loop in Wiki Redirects Medium 6.5 17.1–18.8.x Authenticated user DoS via malformed Wiki docs
CVE-2026-1102 DoS in API Endpoint Medium 5.3 12.3–18.8.x Unauthenticated DoS via SSH authentication

Authorization and DoS Vulnerabilities

CVE-2025-13927 and CVE-2025-13928 represent critical denial-of-service threats.

CVE-2025-13927 exploits the Jira Connect integration, allowing unauthenticated users to craft malformed authentication requests that disrupt service.

CVE-2025-13928 involves incorrect authorization validation in the Releases API, enabling unauthorized DoS conditions.

Both carry CVSS scores of 7.5 and affect extensive version ranges from 11.9 to 17.7, respectively.

CVE-2025-13335 involves an infinite loop vulnerability in Wiki redirects that authenticated users can exploit by submitting malformed Wiki documents that bypass cycle detection.

CVE-2026-1102 targets the API endpoint through repeated malformed SSH authentication requests from unauthenticated sources, with a lower CVSS of 5.3 but broader affected versions from 12.3 onward.

GitLab strongly recommends immediate upgrades for all self-managed installations. GitLab.com users are already protected, and Dedicated customers require no action.

Database migrations may cause downtime on single-node instances, though multi-node deployments can implement zero-downtime procedures. Post-deploy migrations are available for version 18.7.2.

Organizations should prioritize upgrades to address the 2FA bypass vulnerability and prevent potential account compromise. Patch notifications are available via RSS feed subscription through GitLab’s security releases channel.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachCVEExploitPatchSecurityThreatVulnerability

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

ErrTraffic Fueling ClickFix by Breaking the Page Visually and Turns Attack to GlitchFix

Next Post

LastPass Warns of Fake Maintenance Message Tracking Users to Steal Master Passwords

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Citrix Bleed (CVE-2023-4966) Critical Vulnerability Actively Exploited
July 2, 2026
DHS Confirms Breach of HSIN Information Sharing Network
July 2, 2026
ChatGPT Flaw Exposes User Files, Poses System Access Risk
July 2, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us