GitLab has published corrective updates for its collaborative development platform, versions 18.8.2, 18.7.2 and 18.6.4, which fix a vulnerability (CVE-2026-0723) that allows two-factor authentication verification to be bypassed. To carry out an attack, the attacker must know the victim’s credential ID. The vulnerability is caused by the lack of proper verification of a return value in the authentication services.
In addition, the new versions fix 4 more vulnerabilities, two of which are marked as dangerous. These issues lead to a denial of service when specially crafted requests are sent to the Jira Connect integration component (CVE-2025-13927), the Release Management API (CVE-2025-13928), and SSH (CVE-2026-1102), as well as a loop when a specially crafted Wiki document is created (CVE-2025-13335).
All users are advised to install the update immediately. Details of the problem have not yet been disclosed and will become publicly available 30 days after the fix is published. The vulnerabilities were submitted to GitLab as part of HackerOne’s vulnerability bounty program.
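To act on the update advice across several instances, the following added example (not GitLab's own code) classifies version strings against the three fixed releases named above. The host names and inventory are constructed, and treating branches newer than 18.8 as already containing the fix is an assumption; branches older than 18.6 are reported as unknown because the text lists no fixed release for them.

```python
import re

# Fixed releases named in the announcement, keyed by (major, minor) branch.
FIXED = {(18, 8): 2, (18, 7): 2, (18, 6): 4}


def parse_version(text):
    """Return (major, minor, patch) from strings such as '18.7.1-ee' or 'v18.8.2'."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(part) for part in m.groups())


def patch_status(version):
    """Classify one version as 'patched', 'update-required' or 'unknown'."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED:
        return "patched" if patch >= FIXED[branch] else "update-required"
    if branch > max(FIXED):
        # Assumption: branches released after 18.8 already carry the fixes.
        return "patched"
    # Older branch: the announcement names no fixed release for it.
    return "unknown"


def audit(inventory):
    """Map each host in {host: version} to its patch status."""
    return {host: patch_status(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = {
        "gitlab-prod.example": "18.8.2-ee",
        "gitlab-stage.example": "18.7.1",
        "gitlab-legacy.example": "18.5.9",
    }
    for host, status in audit(sample).items():
        print(f"{host}: {status}")
```

Instances reported as unknown need to be checked against GitLab's own release notes for their branch.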