GitLab warns of high-severity 2FA bypass, denial-of-service flaws
Recorded: Jan. 21, 2026, 3:03 p.m.
Original:

By Sergiu Gatlan, January 21, 2026

GitLab has patched a high-severity two-factor authentication bypass impacting community and enterprise editions of its software development platform.

GitLab also addressed two high-severity flaws affecting GitLab CE/EE that could enable unauthenticated threat actors to trigger denial-of-service (DoS) conditions by sending crafted requests with malformed authentication data (CVE-2025-13927) and exploiting incorrect authorization validation in API endpoints (CVE-2025-13928).

Summarized:
GitLab has addressed a high-severity vulnerability, CVE-2026-0723, impacting both Community and Enterprise editions of its software development platform. The flaw stems from an unchecked return value weakness in GitLab’s authentication services, allowing attackers possessing the target’s account ID to circumvent two-factor authentication. Specifically, individuals who already know a victim’s credential ID could submit forged device responses to bypass the two-factor authentication step.

In addition to this primary vulnerability, GitLab identified and remediated two other high-severity flaws affecting GitLab CE/EE: a denial-of-service (DoS) condition triggered by crafted requests containing malformed authentication data (CVE-2025-13927), and incorrect authorization validation within API endpoints (CVE-2025-13928). The company also addressed two medium-severity DoS vulnerabilities: one involving malformed Wiki documents that bypass cycle detection (CVE-2025-13335), the other involving repeated malformed SSH authentication requests (CVE-2026-1102).

To mitigate these risks, GitLab released versions 18.8.2, 18.7.2, and 18.6.4 for GitLab Community Edition (CE) and Enterprise Edition (EE). The company strongly recommended that all self-managed GitLab installations be upgraded to one of these versions immediately, noting that GitLab.com was already running the patched version. GitLab Dedicated customers were not required to take any action.

The disclosure was accompanied by observations from internet security watchdog Shadowserver, which tracked nearly 6,000 GitLab CE instances exposed online, and from Shodan, which identified over 45,000 devices bearing a GitLab fingerprint. This exposure highlights a significant potential attack surface.
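The upgrade guidance above maps to three fixed releases on three release branches. The following is an added example (not code from the article or from GitLab) that triages an inventory of self-managed instance versions against those releases; it assumes that each branch is fixed at or above its listed patch level, that newer branches already carry the fix, and that older branches received no backport, so anything outside the three named branches is flagged for upgrade. The hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed releases named in the advisory (assumption: these are the only backports).
FIXED_RELEASES = ((18, 8, 2), (18, 7, 2), (18, 6, 4))


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse '18.7.1', 'v18.8.2-ee' or '18.6.0-rc1' into (major, minor, patch).
    Edition and pre-release suffixes are ignored; unparsable input returns None."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$", text.strip())
    if not m:
        return None
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_patched(text: str) -> Optional[bool]:
    """True if the version carries the fixes, False if it needs an upgrade,
    None if the version string cannot be parsed (treat as unknown, investigate)."""
    ver = parse_version(text)
    if ver is None:
        return None
    major, minor, patch = ver
    for f_major, f_minor, f_patch in FIXED_RELEASES:
        if (major, minor) == (f_major, f_minor):
            return patch >= f_patch        # same branch: compare patch level
    newest_major, newest_minor, _ = max(FIXED_RELEASES)
    # Branches newer than the newest fixed release are assumed fixed;
    # branches older than the oldest fixed release are assumed unpatched.
    return (major, minor) > (newest_major, newest_minor)


def triage(inventory: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Map each host in {hostname: version string} to its patch verdict."""
    return {host: is_patched(version) for host, version in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "git-a.example.internal": "18.8.2-ee",   # fixed release on the 18.8 branch
    "git-b.example.internal": "18.7.1",      # one patch level short on 18.7
    "git-c.example.internal": "18.6.4-ce",   # fixed release on the 18.6 branch
    "git-d.example.internal": "18.5.3",      # branch with no listed fix
    "git-e.example.internal": "18.9.0",      # newer branch than any fixed release
    "git-f.example.internal": "unknown",     # unparsable, needs a manual look
}

if __name__ == "__main__":
    labels = {True: "patched", False: "UPGRADE", None: "unknown"}
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {labels[verdict]}")
```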
Prior to this incident, in June 2025, GitLab also patched high-severity account takeover and missing authentication issues, issuing an urgent upgrade recommendation at the time. GitLab’s DevSecOps platform currently has over 30 million registered users and is used by over 50% of Fortune 100 companies, including Nvidia, Airbus, T-Mobile, Lockheed Martin, Goldman Sachs, and UBS. The platform underpins a significant portion of the enterprise software development landscape, so these vulnerabilities exposed a risk to that expansive user base.