CVE-2026-0723
📋 TL;DR
This vulnerability allows an attacker with knowledge of a victim's credential ID to bypass two-factor authentication in GitLab by submitting forged device responses. It affects all GitLab CE/EE installations running vulnerable versions. Users with 2FA enabled are at risk of account takeover.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of any user with 2FA enabled, leading to unauthorized access to repositories, pipelines, secrets, and potential lateral movement within the GitLab instance.
Likely Case
Targeted attacks against specific users where attackers have obtained credential IDs through other means, resulting in unauthorized access to source code and CI/CD pipelines.
If Mitigated
Limited impact if proper network segmentation, monitoring, and credential protection are in place, though authentication bypass remains possible.
🎯 Exploit Status
Requires knowledge of victim's credential ID, which could be obtained through information disclosure vulnerabilities, logs, or social engineering.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.6.4, 18.7.2, or 18.8.2
Vendor Advisory: https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/
Restart Required: Yes
Instructions:
1. Backup your GitLab instance.
2. Update to GitLab 18.6.4, 18.7.2, or 18.8.2 using your deployment method.
3. For Omnibus: sudo apt-get update && sudo apt-get install gitlab-ce=18.8.2-ce.0
4. Restart GitLab services.
🔧 Temporary Workarounds
Temporarily disable 2FA
Disable two-factor authentication globally to prevent exploitation while patching.
gitlab-rails runner "ApplicationSetting.first.update!(require_two_factor_authentication: false)"
Note that this setting only lifts the instance-wide requirement that users enrol in 2FA; accounts that already have a second factor configured keep it, so confirm on your instance that the workaround has the intended effect before relying on it.
🧯 If You Can't Patch
- Implement strict network access controls to limit GitLab access to trusted IPs only
- Enable enhanced logging and monitoring for authentication events and credential ID exposure
🔍 How to Verify
Check if Vulnerable:
Check GitLab version: 'sudo gitlab-rake gitlab:env:info | grep Version'. If version is 18.6.0-18.6.3, 18.7.0-18.7.1, or 18.8.0-18.8.1, you are vulnerable.
Check Version:
sudo gitlab-rake gitlab:env:info | grep Version
Verify Fix Applied:
Verify version is 18.6.4, 18.7.2, or 18.8.2: 'sudo gitlab-rake gitlab:env:info | grep Version'. Test 2FA login to confirm proper authentication flow.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed 2FA attempts followed by successful authentication with the same credential ID
- Authentication logs showing device response validation failures
Network Indicators:
- Unusual authentication patterns from unexpected IP addresses
- Rapid succession of 2FA challenge/response requests
SIEM Query:
source="gitlab.log" AND ("2fa" OR "two_factor") AND ("bypass" OR "failed" OR "invalid_response")
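As an added example (not from this advisory or from GitLab), a small Python checker that applies the first log indicator above to constructed JSON authentication events: it flags any credential ID whose 2FA success immediately follows a run of failures and reports the source IPs involved. The field names (user, event, result, credential_id, ip) and the sample lines are assumptions made for the example; map them to your own log format before use.

```python
import json
from collections import defaultdict

# Constructed sample of newline-delimited JSON authentication events. The
# field names are an assumption for this example, not GitLab's log schema.
SAMPLE_LOG = """\
{"time":"2026-01-22T09:00:01Z","user":"alice","event":"two_factor","result":"invalid_response","credential_id":"cred-A","ip":"203.0.113.5"}
{"time":"2026-01-22T09:00:04Z","user":"alice","event":"two_factor","result":"invalid_response","credential_id":"cred-A","ip":"203.0.113.5"}
{"time":"2026-01-22T09:00:07Z","user":"alice","event":"two_factor","result":"failed","credential_id":"cred-A","ip":"203.0.113.9"}
{"time":"2026-01-22T09:00:09Z","user":"alice","event":"two_factor","result":"success","credential_id":"cred-A","ip":"203.0.113.9"}
{"time":"2026-01-22T09:05:00Z","user":"bob","event":"two_factor","result":"success","credential_id":"cred-B","ip":"198.51.100.7"}
{"time":"2026-01-22T09:06:00Z","user":"carol","event":"two_factor","result":"failed","credential_id":"cred-C","ip":"198.51.100.9"}
{"time":"2026-01-22T09:06:30Z","user":"carol","event":"two_factor","result":"success","credential_id":"cred-C","ip":"198.51.100.9"}
"""

FAILURE_RESULTS = {"failed", "invalid_response"}

def parse_events(raw):
    """Parse JSON lines, silently skipping blank or malformed ones."""
    events = []
    for line in raw.splitlines():
        try:
            if line.strip():
                events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def find_bypass_candidates(events, min_failures=2):
    """One finding per (user, credential_id) where a 2FA success directly
    follows at least min_failures consecutive failures on that credential."""
    streak = defaultdict(list)  # (user, credential_id) -> failures so far
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("event") != "two_factor" or "credential_id" not in ev:
            continue
        key = (ev["user"], ev["credential_id"])
        if ev.get("result") in FAILURE_RESULTS:
            streak[key].append(ev)
        elif ev.get("result") == "success":
            failures = streak.pop(key, [])  # a success ends the streak
            if len(failures) >= min_failures:
                findings.append({
                    "user": ev["user"],
                    "credential_id": ev["credential_id"],
                    "failures_before_success": len(failures),
                    "source_ips": sorted({e["ip"] for e in failures + [ev]}),
                    "success_time": ev["time"],
                })
    return findings
```

Lower min_failures to 1 for a noisier but more sensitive sweep, and treat a differing IP between the failures and the success as a stronger signal worth manual review.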