GitLab Releases Critical Security Patches Addressing Multiple Vulnerabilities

GitLab has issued urgent security updates for its Community and Enterprise Editions, addressing several high-severity vulnerabilities, including a two-factor authentication bypass rated 7.4 (High) on the CVSS scale.

Andrew Wallace

Professional Tech Editor

Focuses on professional-grade hardware, software, and enterprise solutions.

GitLab has released critical security updates for its Community Edition (CE) and Enterprise Edition (EE), addressing multiple high-severity vulnerabilities. The updates, versions 18.8.2, 18.7.2, and 18.6.4, are available for immediate deployment. (about.gitlab.com)

Key Vulnerabilities Addressed:

  • CVE-2026-0723: An unchecked return value in GitLab's authentication services meant that an attacker who knew a victim's credential ID could complete the second-factor step by submitting a forged device response. Because this is a 2FA bypass, it defeats only the second factor; the attacker still needs the victim's first factor. The flaw is rated 7.4 (High) on the CVSS scale and affects 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2. (cvefeed.io)
  • CVE-2025-13927: A denial-of-service (DoS) vulnerability in the Jira Connect integration allowed unauthenticated users to disrupt service by sending malformed authentication requests. (cybersecuritynews.com)
  • CVE-2025-13928: Improper authorization validation in the Releases API permitted unauthenticated users to cause a DoS via the API endpoint. (cybersecuritynews.com)
  • CVE-2025-13335: Authenticated users could create malformed Wiki documents that bypassed loop detection, leading to infinite loops and potential service disruption. (cybersecuritynews.com)
  • CVE-2026-1102: Unauthenticated users could trigger a DoS by sending repeated and malformed SSH authentication requests. (cybersecuritynews.com)
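The bug class named for CVE-2026-0723 (a verifier whose return value is discarded) is easy to miss in review, so the following added illustration shows the vulnerable shape beside the hardened one. This is example code written for this article, not GitLab's code: the class names, the HMAC-based toy "device" (a real authenticator flow uses asymmetric signatures), and the sample credential are all assumptions made so the example runs offline.

```ruby
require "openssl"
require "securerandom"

# Constructed example of an unchecked-return-value 2FA bypass. Not GitLab's code.
# One registered device per user; the server stores the credential ID and the
# key it needs to check responses (toy: an HMAC secret).
Credential = Struct.new(:id, :user_id, :secret)

# Constant-time string comparison so the verifier itself is not the weak link.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Stand-in for the authenticator check: true iff `signature` is an HMAC over
# the issued challenge under the credential's secret.
def device_response_valid?(credential, challenge, signature)
  expected = OpenSSL::HMAC.hexdigest("SHA256", credential.secret, challenge)
  secure_equal?(expected, signature)
end

class TwoFactorService
  def initialize(credentials)
    @credentials = credentials.to_h { |c| [c.id, c] }
    @challenges = {} # user_id => outstanding one-time challenge
  end

  # A fresh random challenge per login attempt; consumed on first use.
  def issue_challenge(user_id)
    @challenges[user_id] = SecureRandom.hex(32)
  end
end

# Vulnerable shape: the verifier runs, but its boolean is dropped on the floor.
class VulnerableTwoFactor < TwoFactorService
  def authenticate(user_id, credential_id, signature)
    cred = @credentials[credential_id]
    challenge = @challenges.delete(user_id)
    return false unless cred && challenge
    device_response_valid?(cred, challenge, signature) # BUG: result ignored
    true                                               # so any response with a known ID passes
  end
end

# Hardened shape: the verifier's boolean is the decision, and the credential
# must belong to the user who is logging in.
class HardenedTwoFactor < TwoFactorService
  def authenticate(user_id, credential_id, signature)
    cred = @credentials[credential_id]
    challenge = @challenges.delete(user_id)
    return false unless cred && challenge
    return false unless cred.user_id == user_id # knowing someone's credential ID is not enough
    device_response_valid?(cred, challenge, signature)
  end
end

# Constructed sample data: one user with one registered device.
SAMPLE_CREDENTIAL = Credential.new("cred-42", "alice", "device-secret-key")

# Attacker who knows only the credential ID and sends a forged response.
def forged_response_accepted?(service_class)
  svc = service_class.new([SAMPLE_CREDENTIAL])
  svc.issue_challenge("alice")
  svc.authenticate("alice", "cred-42", "00" * 32) # not a valid MAC over the challenge
end

# The genuine device answering the issued challenge.
def genuine_response_accepted?(service_class)
  svc = service_class.new([SAMPLE_CREDENTIAL])
  challenge = svc.issue_challenge("alice")
  sig = OpenSSL::HMAC.hexdigest("SHA256", SAMPLE_CREDENTIAL.secret, challenge)
  svc.authenticate("alice", "cred-42", sig)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable accepts forged response: #{forged_response_accepted?(VulnerableTwoFactor)}"
  puts "hardened accepts forged response:   #{forged_response_accepted?(HardenedTwoFactor)}"
  puts "hardened accepts genuine response:  #{genuine_response_accepted?(HardenedTwoFactor)}"
end
```

The two `authenticate` methods differ by one line, which is why static checks that flag discarded boolean results from verification calls (and a test that asserts a forged response is rejected) are worth more than code review alone for this class of bug.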

Recommendations:

GitLab strongly recommends that all self-managed installations upgrade to one of the patched versions immediately to mitigate these vulnerabilities. GitLab.com is already running the updated version, and GitLab Dedicated customers do not need to take additional action. (about.gitlab.com)

For detailed information on the vulnerabilities and the corresponding fixes, please refer to GitLab's official release notes. (about.gitlab.com)
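For operators with several self-managed instances, the following added helper (written for this article, not provided by GitLab) takes the version string an instance reports and says whether it is on one of the three fixed releases named above. The version strings in the test data are constructed; the edition-suffix handling matters because `Gem::Version` would otherwise parse `18.7.2-ee` as a prerelease that sorts below `18.7.2`.

```ruby
require "rubygems" # Gem::Version; loaded by default on modern Ruby

# Added triage helper, not part of the GitLab advisory. Encodes the patched
# releases named in the article, keyed by minor branch.
PATCHED = { "18.8" => "18.8.2", "18.7" => "18.7.2", "18.6" => "18.6.4" }.freeze

def minor_branch(version)
  version.segments.first(2).join(".")
end

# Returns a hash whose :status is :patched, :vulnerable, or :outside_advisory
# (a branch the advisory does not name; it still needs its own check).
def triage(installed)
  # GitLab reports e.g. "18.7.1-ee"; strip the edition suffix before comparing,
  # since a "-ee" tail would be read as a prerelease marker and sort too low.
  v = Gem::Version.new(installed.sub(/-[a-z]+\z/, ""))
  branch = minor_branch(v)
  fix = PATCHED[branch]
  return { status: :outside_advisory, installed: installed, branch: branch } unless fix

  if v >= Gem::Version.new(fix)
    { status: :patched, installed: installed, branch: branch }
  else
    { status: :vulnerable, installed: installed, branch: branch, upgrade_to: fix }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory of instances.
  %w[18.7.1-ee 18.7.2-ee 18.8.0 18.6.4 18.5.9].each do |ver|
    puts triage(ver).inspect
  end
end
```

The installed version comes from the instance's `GET /api/v4/version` endpoint (authenticated) or from `sudo gitlab-rake gitlab:env:info` on the host; feed that string to `triage`.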

Given the severity of these vulnerabilities, prompt action is essential to maintain the security and integrity of GitLab installations.
