GitLab released security patches on Wednesday, January 21, fixing five vulnerabilities, among them a high-severity two-factor authentication (2FA) bypass and four denial-of-service (DoS) flaws. The patches cover both the Community Edition (CE) and Enterprise Edition (EE) of its widely used software development platform. GitLab is urging immediate upgrades for self-managed installations to protect against account takeover and service outages; roughly 6,000 GitLab CE instances are reachable from the internet, and any that are not updated promptly are potential targets.[techradar+3]
Critical Authentication Bypass Threatens Accounts
The most severe of the five, tracked as CVE-2026-0723, is a high-severity flaw that allows an attacker to bypass two-factor authentication and potentially take over a user's account. The root cause is an unchecked return value in GitLab's authentication code: an attacker who already knows the victim's credential ID can submit forged device responses and have them accepted, circumventing the second factor. The precondition matters for triage, since the attacker needs the credential ID before the bypass is possible. The vulnerability has a CVSS score of 7.4 out of 10 (high).[techradar+2]
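The unchecked-return-value pattern behind the bypass is easiest to see side by side with its fix. The following Ruby is an added illustration written for this page, not GitLab's code, and it does not reproduce GitLab's actual logic or a working exploit: the registered credential, the HMAC-based stand-in for a device signature, and the two `complete_2fa_*` functions are all constructed for the example. What it shows is the class of bug: a verifier that reports failure only through its return value, and a caller that runs it but never gates the login on the result, so knowing a credential ID is enough to pass the second factor.

```ruby
require 'openssl'
require 'securerandom'

# Constructed stand-in for one registered second-factor device. A real
# authenticator signs the server's challenge with a private key; an HMAC over
# a per-device secret plays that role here so the example runs offline.
DEVICE_SECRET = SecureRandom.hex(32)          # held by the legitimate device
REGISTERED_CREDENTIALS = { "cred-123" => DEVICE_SECRET }

# What the genuine device returns for a challenge.
def device_sign(secret, challenge)
  OpenSSL::HMAC.hexdigest("SHA256", secret, challenge)
end

# Constant-time comparison so the verifier itself is not a timing oracle.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verifies a device response against the stored credential. The outcome is
# reported only through the return value, which is exactly what the
# vulnerable caller below ignores.
def verify_device_response(cred_id, challenge, response)
  secret = REGISTERED_CREDENTIALS[cred_id]
  return false if secret.nil?
  secure_equal?(device_sign(secret, challenge), response)
end

# Vulnerable pattern (unchecked return value): the verifier runs, but nothing
# gates success on its result. A valid credential ID plus any response passes.
def complete_2fa_unchecked(cred_id, challenge, response)
  return :unknown_credential unless REGISTERED_CREDENTIALS.key?(cred_id)
  verify_device_response(cred_id, challenge, response)   # result discarded
  :ok
end

# Hardened pattern: the verifier's result is the only path to :ok.
def complete_2fa_checked(cred_id, challenge, response)
  return :unknown_credential unless REGISTERED_CREDENTIALS.key?(cred_id)
  return :invalid_response unless verify_device_response(cred_id, challenge, response)
  :ok
end

if __FILE__ == $PROGRAM_NAME
  challenge = SecureRandom.hex(16)              # fresh per login attempt
  forged = "00" * 32                            # attacker knows only the credential ID
  genuine = device_sign(DEVICE_SECRET, challenge)
  puts "unchecked, forged response:  #{complete_2fa_unchecked('cred-123', challenge, forged)}"
  puts "checked,   forged response:  #{complete_2fa_checked('cred-123', challenge, forged)}"
  puts "checked,   genuine response: #{complete_2fa_checked('cred-123', challenge, genuine)}"
end
```

When reviewing authentication code for this pattern, look for any verifier whose boolean result is not consumed by a conditional, and prefer verifiers that raise on failure so a forgotten check cannot silently succeed.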
Experts highlight the serious implications of such an authentication bypass. David Shipley, head of Canadian security awareness training firm Beauceron Security, explained that if critical code resides in a developer's compromised account, a threat actor could access it. This access could enable the attacker to insert malware, potentially spreading it through a software supply chain attack. Shipley also warned that if the code contains cloud secrets, attackers might gain access to major cloud platforms like Azure, Amazon Web Services, or Google Cloud Platform. This vulnerability underscores the need for robust authentication mechanisms and prompt patching to prevent widespread damage.[csoonline]
Multiple Denial-of-Service Flaws Discovered
In addition to the 2FA bypass, GitLab fixed several denial-of-service (DoS) vulnerabilities. Two of them, CVE-2025-13927 and CVE-2025-13928, are rated high severity. CVE-2025-13927 lets an unauthenticated attacker crash a GitLab instance by sending specially crafted requests containing malformed authentication data; no account or login is needed, so an exposed instance can be taken offline by anyone who can reach it.[techrepublic+2]
The second high-severity DoS flaw, CVE-2025-13928, enables unauthenticated users to cause a denial-of-service condition by exploiting incorrect authorization validation in API endpoints. Both CVE-2025-13927 and CVE-2025-13928 have a CVSS severity score of 7.5. These types of attacks can disrupt business continuity by making critical development tools unavailable, leading to significant operational setbacks for organizations relying on GitLab for their software development lifecycle.[techrepublic+3]
Further DoS Risks and Patch Details
GitLab also patched two medium-severity DoS vulnerabilities. CVE-2025-13335 is an infinite loop in wiki redirects: an authenticated user can trigger a denial of service by creating malformed wiki documents that evade the redirect cycle detection. It has a CVSS score of 6.5. The last of the five, CVE-2026-1102, is another DoS issue, triggered by sending repeated malformed SSH authentication requests. All of these affect both Community and Enterprise editions.[techradar+3]
The emergency patches were released in GitLab versions 18.8.2, 18.7.2, and 18.6.4. GitLab strongly recommends that all self-managed installations upgrade to one of these versions immediately to apply the crucial security fixes. The company stated, "These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately."[techradar+3]
Urgent Upgrades Advised
Organizations using self-managed GitLab installations must prioritize these updates. GitLab.com and GitLab Dedicated customers do not need to take any action, as these hosted platforms are already running the patched versions. The urgency of these upgrades is underscored by data from security watchdog Shadowserver, which tracks nearly 6,000 GitLab CE instances publicly exposed online. Furthermore, Shodan, a search engine for internet-connected devices, has identified over 45,000 devices with a GitLab fingerprint, suggesting a very large potential target landscape for attackers.[techradar+3]
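The practical check for a self-managed administrator is whether the running version is at or above the fixed release for its branch. The following Ruby is an added example for this page, not a GitLab tool: it encodes the three fixed releases named in the advisory (18.8.2, 18.7.2, 18.6.4), classifies a version string, and suggests the nearest fixed release. It assumes that branches released after 18.8 carry the fix and that branches older than 18.6, which received no patch release, must move up to 18.6.4 or later.

```ruby
# Fixed releases named in the advisory, keyed by release branch. Branches older
# than 18.6 got no patch release and have to move up to one of these.
FIXED_RELEASES = {
  [18, 8] => [18, 8, 2],
  [18, 7] => [18, 7, 2],
  [18, 6] => [18, 6, 4],
}.freeze

# Accepts strings such as "18.8.1", "18.7.2-ee" or "18.6.4-ce.0" (suffixes that
# Omnibus packages and the version API carry) and returns [major, minor, patch].
def parse_version(str)
  m = str.to_s.strip.match(/\A(\d+)\.(\d+)\.(\d+)/)
  raise ArgumentError, "unrecognised GitLab version: #{str.inspect}" unless m
  m.captures.map(&:to_i)
end

# Classifies a running version against the advisory:
#   :patched                 - at or above the fixed release for its branch
#   :upgrade_within_branch   - same branch, older than the fixed release
#   :upgrade_to_fixed_branch - branch older than 18.6; no patch exists for it
#   :newer_than_advisory     - branch after 18.8 (assumed to include the fix)
def patch_status(version_str)
  major, minor, patch = parse_version(version_str)
  branch = [major, minor]
  fixed = FIXED_RELEASES[branch]
  if fixed
    ([major, minor, patch] <=> fixed) >= 0 ? :patched : :upgrade_within_branch
  elsif (branch <=> [18, 8]) > 0
    :newer_than_advisory
  else
    :upgrade_to_fixed_branch
  end
end

# The nearest fixed release to move to, or nil when no action is required.
def recommended_target(version_str)
  case patch_status(version_str)
  when :upgrade_within_branch
    FIXED_RELEASES[parse_version(version_str)[0, 2]].join(".")
  when :upgrade_to_fixed_branch
    FIXED_RELEASES[FIXED_RELEASES.keys.min].join(".")
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, not real inventory data.
  %w[18.8.2 18.8.1-ee 18.7.0 18.6.4-ce.0 18.5.3 17.11.2].each do |v|
    puts format("%-14s %-25s %s", v, patch_status(v), recommended_target(v) || "-")
  end
end
```

The version string can be read from `GET /api/v4/version` (authenticated; the JSON `version` field) or, on Omnibus installs, from `sudo gitlab-rake gitlab:env:info`. Instances below 18.6 should follow GitLab's documented upgrade path, which requires intermediate stops for some version jumps, rather than jumping straight to the target.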
Unpatched systems remain vulnerable to these critical flaws, which could lead to unauthorized access, data compromise, or severe service disruptions. Prompt application of the patches is crucial for maintaining the security and integrity of development environments. The company's swift action aims to protect its global user base from these significant cybersecurity threats.