Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an individual with existing knowledge of a victim's credential ID to bypass two-factor authentication by submitting forged device responses.
Published: 2026-01-22
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Two‑factor authentication bypass using forged device responses
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from an unchecked return value that permits an attacker who knows a victim’s credential ID to forge device responses. This flaw undermines GitLab’s two‑factor authentication, allowing unauthorized authentication to the victim's account. The failure is identified as CWE‑252, exposing confidential account access and jeopardizing data integrity on all impacted installations.
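To make the CWE-252 pattern named above concrete, here is an added illustration (not GitLab's code, and not a reconstruction of the actual defect) of a second-factor check that calls its device-response verifier but ignores the boolean it returns, beside the remediated form that acts on it. The device response is modelled as an HMAC tag over a challenge as a stand-in for a WebAuthn assertion signature; `DEVICE_KEYS`, `cred-1234` and all function names are constructed for this example.

```python
"""Illustration of CWE-252 (unchecked return value) in a 2FA device-response
check. Hypothetical example code; it is not GitLab's code and does not
reproduce the real defect. The 'device response' is modelled as an HMAC tag
over the challenge, standing in for a WebAuthn assertion signature."""
import hashlib
import hmac
import secrets

# Constructed sample keystore: credential ID -> per-device secret key.
# A real deployment stores the credential's registered public key instead.
DEVICE_KEYS = {
    "cred-1234": b"constructed-device-secret-key",
}


def device_sign(credential_id: str, challenge: bytes) -> bytes:
    """Simulate the registered device answering a challenge."""
    key = DEVICE_KEYS[credential_id]
    return hmac.new(key, challenge, hashlib.sha256).digest()


def verify_device_response(credential_id: str, challenge: bytes, response: bytes) -> bool:
    """Return True only if the response is valid for this credential and challenge.
    Unknown credential IDs and bad tags both yield False; nothing is raised,
    which is exactly why the caller must look at the return value."""
    key = DEVICE_KEYS.get(credential_id)
    if key is None:
        return False
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def complete_2fa_vulnerable(credential_id: str, challenge: bytes, response: bytes) -> bool:
    """CWE-252 pattern: the verifier runs, but its boolean is dropped, so the
    second factor passes for any response as long as the credential ID exists."""
    verify_device_response(credential_id, challenge, response)  # result ignored
    return True  # session upgraded regardless of the verification outcome


def complete_2fa_fixed(credential_id: str, challenge: bytes, response: bytes) -> bool:
    """Remediated form: the second factor succeeds only when verification does."""
    if not verify_device_response(credential_id, challenge, response):
        return False
    return True


def demo() -> dict:
    """Run both variants against a genuine and a forged response."""
    challenge = secrets.token_bytes(32)
    genuine = device_sign("cred-1234", challenge)
    forged = bytes(32)  # constructed: a response carrying no valid signature
    return {
        "vulnerable_accepts_forged": complete_2fa_vulnerable("cred-1234", challenge, forged),
        "fixed_accepts_forged": complete_2fa_fixed("cred-1234", challenge, forged),
        "fixed_accepts_genuine": complete_2fa_fixed("cred-1234", challenge, genuine),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier deliberately signals failure by return value rather than by raising, which is the shape of API where an ignored result silently becomes an authentication bypass; a code-review or static-analysis check for calls to verification routines whose result is discarded is the practical defence against this class of defect.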

Affected Systems

GitLab Community Edition and Enterprise Edition are affected. All releases from 18.6 prior to 18.6.4, 18.7 prior to 18.7.2, and 18.8 prior to 18.8.2 are vulnerable, regardless of the distribution (community or enterprise).

Risk and Exploitability

The CVSS score of 7.4 signals a high severity level, while an EPSS score of less than 1% indicates a low likelihood of exploitation. The vulnerability is not cataloged in the CISA Known Exploited Vulnerabilities list. The attack vector is remote, requiring an attacker with knowledge of a credential ID to submit forged device responses, which can then bypass two‑factor verification and grant the attacker access to the target account.

Generated by OpenCVE AI on April 18, 2026 at 03:47 UTC.

Remediation

Vendor Solution

Upgrade to version 18.6.4, 18.7.2, or 18.8.2 or later.


OpenCVE Recommended Actions

  • Apply the vendor's recommended upgrade: GitLab 18.6.4, 18.7.2, or 18.8.2 or later, matching the release line in use
  • Invalidate any potentially compromised credential IDs and re‑enroll 2FA devices for affected users
  • Monitor authentication logs for suspicious forged device response attempts and set alerts for unauthorized 2FA activity

Advisories

No advisories yet.

History

Mon, 26 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
CPEs: cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*; cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 22 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 22 Jan 2026 13:45:00 +0000

Type Values Removed Values Added
Description: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an individual with existing knowledge of a victim's credential ID to bypass two-factor authentication by submitting forged device responses.
Title: Unchecked Return Value in GitLab
First Time appeared: Gitlab; Gitlab gitlab
Weaknesses: CWE-252
CPEs: cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products: Gitlab; Gitlab gitlab
References:
Metrics: cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-02-26T14:44:33.144Z

Reserved: 2026-01-08T13:03:57.347Z

Link: CVE-2026-0723

Vulnrichment

Updated: 2026-01-22T15:28:44.448Z

NVD

Status : Analyzed

Published: 2026-01-22T15:16:50.030

Modified: 2026-01-26T21:06:04.117

Link: CVE-2026-0723

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:00:08Z

Weaknesses