Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
GitLab Security Update Fixes Critical Vulnerabilities CVE-2026-0723

21 January 2026 18:32

GitLab has released an urgent security update for the Community (CE) and Enterprise (EE) editions that addresses several high-severity vulnerabilities. The flaws expose self-managed installations to denial-of-service (DoS) attacks and to a two-factor authentication bypass. Administrators are strongly advised to update immediately; the fixed releases are 18.8.2, 18.7.2, and 18.6.4.

The update addresses five CVEs, four of which are reachable through GitLab's API or integration endpoints and one of which bypasses two-factor authentication (2FA). "GitLab has fixed an issue that could have allowed an attacker with a victim's credentials to bypass two-factor authentication by sending spoofed device responses," the advisory explains.

The most serious vulnerability in the batch is CVE-2026-0723, an "unchecked return value" flaw rated CVSS 7.4. It is dangerous because it undermines 2FA, the control that is supposed to protect an account after its password has already been compromised: an attacker who already holds valid credentials can complete the login without a legitimate second factor. Affected versions are 18.6 prior to 18.6.4, 18.7 prior to 18.7.2, and 18.8 prior to 18.8.2.

The update also fixes several other bugs that could allow attackers to crash GitLab instances:

  • Jira Connect (CVE-2025-13927): An unauthenticated user could trigger a denial of service by “sending forged requests with invalid authentication data” to the Jira Connect integration.
  • API Releases (CVE-2025-13928): Improper authorization validation allowed unauthenticated users to cause a denial of service via the Releases API.
  • Wiki Loop (CVE-2025-13335): Authenticated users may create “malformed Wiki documents that bypass loop detection,” causing the system to enter an infinite loop.
  • SSH Requests (CVE-2026-1102): An unauthenticated user could cause a denial of service by sending "repeated and malformed SSH authentication requests."

GitLab’s message is clear: “We strongly recommend that you immediately upgrade all self-managed GitLab installations to one of these releases.”

For administrators, the target versions are 18.8.2, 18.7.2, and 18.6.4. Instances left unpatched remain exposed to the denial-of-service conditions described above and, through the 2FA bypass, to account takeover by anyone who obtains a user's password.
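Because the affected ranges are given per minor series rather than as a single cut-off, a plain "is my version lower than X" comparison can give a wrong answer (18.7.1 is affected even though it is newer than the fixed 18.6.4). The following check, added here as an illustration and not taken from GitLab or from the advisory, encodes the three fixed releases named in the article and assesses an installed version against them. It assumes that "18.6 prior to 18.6.4" means every 18.6.x release older than 18.6.4, and likewise for the other two series; the sample API body is constructed for the example. The JSON shape matches what GET /api/v4/version returns on a real instance (an authenticated call), but the response below is not from a real server.

```python
"""Assess a self-managed GitLab version against the fixed releases named in
the advisory (18.6.4, 18.7.2, 18.8.2). Added example, not GitLab code."""
import json
import re

# Fixed release per affected minor series, as listed in the advisory.
# Assumption: every patch level in a series below the fixed one is affected.
FIXED_RELEASES = {
    (18, 6): (18, 6, 4),
    (18, 7): (18, 7, 2),
    (18, 8): (18, 8, 2),
}

# GitLab reports versions such as "18.7.1-ee" or "18.8.0-pre"; only the
# numeric MAJOR.MINOR.PATCH prefix matters for the comparison.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch) from a GitLab version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def assess(version: str) -> dict:
    """Return a verdict for one installed version.

    'affected' is True only for a version in a series the advisory names
    whose patch level is below that series' fixed release. Series the
    advisory does not mention (for example 18.5.x) are reported as
    'out_of_scope' rather than as safe: this check cannot clear them.
    """
    major, minor, patch = parse_version(version)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return {"version": version, "affected": None,
                "status": "out_of_scope", "upgrade_to": None}
    if (major, minor, patch) < fixed:
        return {"version": version, "affected": True,
                "status": "affected", "upgrade_to": "%d.%d.%d" % fixed}
    return {"version": version, "affected": False,
            "status": "patched", "upgrade_to": None}


def assess_api_response(body: str) -> dict:
    """Assess the JSON body of GET /api/v4/version ({"version": ..., "revision": ...})."""
    data = json.loads(body)
    return assess(data["version"])


# Constructed sample response; not captured from a real instance.
SAMPLE_API_BODY = '{"version": "18.7.1-ee", "revision": "0000000"}'

if __name__ == "__main__":
    for v in ["18.6.3", "18.6.4", "18.7.1-ee", "18.8.2", "18.5.9"]:
        print(assess(v))
    print(assess_api_response(SAMPLE_API_BODY))
```

The verdict deliberately distinguishes "patched" from "out_of_scope": an instance on a series the advisory does not cover is not known to be safe, it is simply outside the ranges the article lists, and should be treated as needing an upgrade to one of the three fixed releases.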

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.