January 21, 2026 By Sergiu Gatlan
GitLab has patched a high-severity two-factor authentication bypass impacting community and enterprise editions of its software development platform.
Tracked as CVE-2026-0723, this vulnerability stems from an unchecked return value weakness in GitLab's authentication services, allowing attackers who know the target's account ID to circumvent two-factor authentication.
"GitLab has remediated an issue that could have allowed an individual with existing knowledge of a victim's credential ID to bypass two-factor authentication by submitting forged device responses," the company explained.
GitLab also addressed two high-severity flaws affecting GitLab CE/EE that could enable unauthenticated threat actors to trigger denial-of-service (DoS) conditions by sending crafted requests with malformed authentication data (CVE-2025-13927) and exploiting incorrect authorization validation in API endpoints (CVE-2025-13928).
Additionally, it patched two medium-severity DoS vulnerabilities that can be exploited by configuring malformed Wiki documents that bypass cycle detection (CVE-2025-13335) and sending repeated malformed SSH authentication requests (CVE-2026-1102).
To address these security flaws, the company has released versions 18.8.2, 18.7.2, and 18.6.4 for GitLab Community Edition (CE) and Enterprise Edition (EE), and has advised admins to upgrade to the latest version as soon as possible.