top of page

GitLab CE/EE Vulnerabilities Allow 2FA Bypass and DoS Attacks on Self-Managed Instances

January 22nd, 2026

High

Our Cyber Threat Intelligence Unit is tracking disclosures of multiple security vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE) that compromise authentication integrity and service availability in self-managed environments. Publicly disclosed on January 21, 2026, the issues include a high-severity two-factor authentication (2FA) bypass vulnerability and several denial-of-service (DoS) vulnerabilities that can be triggered remotely through crafted requests. The most critical issue allows attackers with knowledge of a valid credential ID to bypass enforced 2FA controls via forged device responses, undermining a core account protection mechanism. In parallel, multiple DoS vulnerabilities allow unauthenticated attackers to disrupt GitLab services by abusing API endpoints, authentication workflows, and integrations, potentially causing service instability or outages. GitLab has released patches in versions 18.6.4, 18.7.2, and 18.8.2 to address these weaknesses. Organizations operating self-managed GitLab deployments are strongly advised to apply the updates immediately to reduce the risk of unauthorized access and operational disruption. 

Technical Details

  • Affected Products:

    • GitLab Community Edition (CE)

    • GitLab Enterprise Edition (EE)

  • Affected Versions (Fixed Releases)

    • 18.6 prior to 18.6.4

    • 18.7 prior to 18.7.2

    • 18.8 prior to 18.8.2

      • Note: While fixes are provided in the above supported release trains, GitLab advisories indicate that some vulnerabilities affect earlier branches (ranging from versions 11.x through 17.x, depending on the CVE).

  • Severity: High

  • CVE IDs:

    • CVE-2026-0723: 2FA Bypass (High, CVSS ~7.4)

      • A vulnerability in GitLab’s authentication services allows an attacker with knowledge of a victim’s credential ID to bypass two-factor authentication by submitting forged device responses.

      • The issue does not require a valid user session but has higher exploitation complexity.

    • CVE-2025-13927: Denial of Service (High, CVSS ~7.5)

      • An unauthenticated DoS vulnerability in the Jira Connect integration, where crafted requests containing malformed authentication data can cause service disruption.

    • CVE-2025-13928: Denial of Service (High, CVSS ~7.5)

      • A DoS condition in the Releases API caused by incorrect authorization validation, allowing unauthenticated attackers to disrupt GitLab services.

    • CVE-2025-13335: Denial of Service (Medium, CVSS ~6.5)

      • An authenticated DoS vulnerability where specially crafted Wiki documents can bypass redirect cycle detection, resulting in infinite loops and service instability.

    • CVE-2026-1102: Denial of Service (Medium, CVSS ~5.3)

      • A DoS issue triggered by repeated malformed SSH authentication requests, leading to resource exhaustion and degraded service availability.

  • Attack Vector & Exploitation:

    • 2FA Bypass: An attacker who obtains a valid credential ID can submit forged 2FA device responses to GitLab’s authentication services, circumventing enforced multi-factor authentication checks.

    • Denial-of-Service: Remote, unauthenticated attackers can abuse exposed APIs, integrations, and authentication endpoints with malformed or crafted requests to trigger crashes, restarts, or prolonged service degradation.

      • Exception: The Wiki-based DoS (CVE-2025-13335) requires an authenticated user.

Image by ThisisEngineering

Impact

  • Self-managed GitLab deployments may experience service outages or instability, disrupting source control, CI/CD pipelines, and development workflows.

  • The 2FA bypass vulnerability weakens a primary account security control, increasing the risk of unauthorized access and potential privilege escalation.

  • Prolonged service disruption may delay releases, impair operational efficiency, and expand the window for secondary attacks or abuse.

Detection Method

  • Monitor GitLab authentication logs for anomalous login patterns, particularly scenarios where access is granted without corresponding 2FA validation.

  • Track elevated error rates, crashes, or restarts related to Releases API, Jira Connect, and SSH authentication services.

  • Alert on repeated malformed or abnormal request patterns correlated with GitLab service degradation.

  • Correlate service instability events with inbound network traffic and API activity within SIEM and log-management platforms.

  • No public Sigma or YARA rules are currently available; detection relies on behavioral analysis and log correlation.

Indicators of Compromise

There are no Indicators of Compromise (IOCs) for this Advisory. 

mix of red, purple, orange, blue bubble shape waves horizontal for cybersecurity and netwo

Recommendations

  • Apply GitLab security updates immediately, upgrading to versions 18.6.4, 18.7.2, or 18.8.2 as appropriate.

  • Implement rate limiting and access controls on public-facing GitLab endpoints, particularly authentication services and APIs.

  • Closely monitor authentication activity for signs of 2FA bypass attempts or abnormal credential usage.

  • Restrict exposure of administrative interfaces and critical services through network segmentation and firewall controls.

  • Review and harden authentication configurations, ensuring multi-factor authentication is enforced, and recent patches are consistently applied.

Conclusion

The newly disclosed vulnerabilities affecting GitLab CE and EE pose a significant security and operational risk to self-managed deployments. The combination of a high-severity 2FA bypass and multiple unauthenticated DoS vectors exposes weaknesses in authentication validation and request-handling logic that can be abused to undermine both account security and platform availability. Given the public disclosure and availability of patches, we urge organizations to treat this exposure as an immediate remediation priority. Prompt upgrades to the fixed releases, combined with enhanced monitoring and access controls, are essential to reducing the attack surface and maintaining the integrity and availability of GitLab-hosted development environments.

bottom of page