GitLab patches major security flaw – here’s what we know

  • GitLab patched CVE-2026-0723, a flaw allowing 2FA bypass and account takeover
  • Additional DoS vulnerabilities in authentication, API endpoints, Wiki, and SSH were also fixed
  • GitLab urges immediate upgrades; ~6,000 exposed CE instances remain potential targets

GitLab has fixed a high-severity vulnerability in its Community Edition and Enterprise Edition (CE/EE) that allowed threat actors to bypass two-factor authentication (2FA) and potentially take over user accounts.

“GitLab has remediated an issue that could have allowed an individual with existing knowledge of a victim’s credential ID to bypass two-factor authentication by submitting forged device responses,” the company said in a security advisory.

As GitLab explained, the vulnerability stemmed from an unchecked return value in its authentication services. As a result, an attacker who already knew a victim's credential ID could submit a forged device response and work around 2FA for that account; the credential ID itself is not a secret, so knowing it should never have been enough.
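The following is an added, constructed example and not GitLab's code. The advisory's wording ("credential ID", "forged device responses") matches a WebAuthn security-key second factor, so the example models that flow; that mapping, the relying-party name `gitlab.example`, the credential ID `cred-7f3a` and every function name are assumptions. It shows the class of bug the advisory describes: a signature check whose boolean result is thrown away, so any response that names a known credential ID passes 2FA, beside the one-line fix that makes the result decide the outcome.

```ruby
require "openssl"
require "digest"

# Constructed example, not GitLab's code. Real WebAuthn verification also
# validates rpIdHash, flags, origin, the challenge and the signature counter;
# those steps are omitted so the unchecked-return-value bug stays visible.

RP_ID = "gitlab.example"   # assumed relying-party ID

# The victim's registered security key (P-256, as most authenticators use) and
# an attacker-controlled key. Only the public half would be stored server-side;
# the full key object is kept here so the script can also mint a genuine response.
VICTIM_KEY   = OpenSSL::PKey::EC.generate("prime256v1")
ATTACKER_KEY = OpenSSL::PKey::EC.generate("prime256v1")

# credential ID -> verifying key. The credential ID is what the advisory calls
# the "victim's credential ID": it is not secret, so knowing it must not help.
REGISTERED_CREDENTIALS = { "cred-7f3a" => VICTIM_KEY }.freeze

# authenticatorData = rpIdHash(32) || flags(1, UP|UV) || signCount(4). Constructed.
AUTHENTICATOR_DATA = Digest::SHA256.digest(RP_ID) + "\x05".b + [42].pack("N")
CLIENT_DATA_JSON   = '{"type":"webauthn.get","challenge":"dGVzdC1jaGFsbGVuZ2U","origin":"https://gitlab.example"}'

# What the authenticator actually signs: authenticatorData || SHA-256(clientDataJSON).
def signed_payload(authenticator_data, client_data_json)
  authenticator_data + Digest::SHA256.digest(client_data_json)
end

# Signature check that REPORTS its outcome as a boolean and never raises.
def assertion_signature_valid?(response)
  key = REGISTERED_CREDENTIALS[response[:credential_id]]
  return false if key.nil?
  key.verify("SHA256", response[:signature],
             signed_payload(response[:authenticator_data], response[:client_data_json]))
rescue OpenSSL::PKey::PKeyError
  false
end

# VULNERABLE (CWE-252, unchecked return value): the boolean from the check is
# discarded, so the method succeeds for any response naming a known credential ID.
def second_factor_ok_vulnerable?(response)
  return false unless REGISTERED_CREDENTIALS.key?(response[:credential_id])
  assertion_signature_valid?(response)   # result never used
  true
end

# FIXED: the verification result is the outcome.
def second_factor_ok_fixed?(response)
  return false unless REGISTERED_CREDENTIALS.key?(response[:credential_id])
  assertion_signature_valid?(response)
end

# A genuine assertion from the victim's own key.
def genuine_response
  payload = signed_payload(AUTHENTICATOR_DATA, CLIENT_DATA_JSON)
  { credential_id: "cred-7f3a", authenticator_data: AUTHENTICATOR_DATA,
    client_data_json: CLIENT_DATA_JSON, signature: VICTIM_KEY.sign("SHA256", payload) }
end

# A forged assertion: same credential ID, but signed with the attacker's key.
def forged_response
  payload = signed_payload(AUTHENTICATOR_DATA, CLIENT_DATA_JSON)
  genuine_response.merge(signature: ATTACKER_KEY.sign("SHA256", payload))
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable accepts forgery: #{second_factor_ok_vulnerable?(forged_response)}"
  puts "fixed accepts forgery:      #{second_factor_ok_fixed?(forged_response)}"
  puts "fixed accepts genuine:      #{second_factor_ok_fixed?(genuine_response)}"
end
```

The practical lesson is the same whichever library sits underneath: a verification routine that signals failure through its return value rather than an exception must have that value checked at every call site, and a code-review or static-analysis rule for discarded boolean results from `verify`-style calls catches this class of bug before it ships.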

Weird campaign

The bug is tracked as CVE-2026-0723 and was assigned a high-severity score of 7.4 out of 10.

It was fixed in CE/EE versions 18.8.2, 18.7.2 and 18.6.4.
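Because each minor branch received its own patched release, checking whether an instance is fixed is a per-branch comparison, not a plain version compare (as text, "18.10.0" sorts before "18.8.2"). The block below is an added example, not GitLab's own tooling: it classifies a version string against the three patched releases named above. The version string itself can be read from the authenticated `GET /api/v4/version` endpoint or the Admin area; the two rules for branches outside the listed range are assumptions stated in the comments.

```ruby
# Added example, not GitLab's tooling: classify a self-managed GitLab version
# string against the releases that fix CVE-2026-0723.
FIXED_RELEASES = %w[18.8.2 18.7.2 18.6.4].freeze

# "18.7.2-ee" -> [18, 7, 2]; a missing patch component counts as 0.
def parse_version(str)
  nums = str.split("-").first.split(".").map(&:to_i)
  (nums + [0, 0, 0]).first(3)
end

# Returns :patched or :upgrade_required.
# Assumptions not stated by the advisory: branches newer than the newest fixed
# branch already contain the fix; branches older than the oldest fixed branch
# have no patched release and must be upgraded.
def patch_status(version_str)
  major, minor, patch = parse_version(version_str)
  fixes = FIXED_RELEASES.map { |v| parse_version(v) }

  branch_fix = fixes.find { |fm, fn, _| fm == major && fn == minor }
  return patch >= branch_fix[2] ? :patched : :upgrade_required if branch_fix

  newest_fixed_branch = fixes.map { |fm, fn, _| [fm, fn] }.max
  ([major, minor] <=> newest_fixed_branch) > 0 ? :patched : :upgrade_required
end

if __FILE__ == $PROGRAM_NAME
  %w[18.8.2 18.8.1 18.7.2-ee 18.6.3 18.10.0 18.5.9].each do |v|
    puts "#{v.ljust(10)} #{patch_status(v)}"
  end
end
```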

In the same release, GitLab also fixed two additional bugs that let attackers mount denial-of-service (DoS) attacks: one by sending crafted requests carrying malformed authentication data, the other by abusing incorrect authorization validation in API endpoints.

These two flaws are tracked as CVE-2025-13927 and CVE-2025-13928, and affect both CE and EE.

GitLab also patched two further DoS flaws, triggered by crafting malformed Wiki documents and by sending repeated malformed SSH authentication requests. These are tracked as CVE-2025-13335 and CVE-2026-1102.

Speaking about the latest patch, GitLab urged users to apply it without hesitation:

“These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately,” GitLab explained. “GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.”

Citing Shadowserver data, BleepingComputer says there are currently around 6,000 GitLab CE instances exposed online, suggesting that the target landscape is rather large.


Read more @ TechRadar
