GitLab 2FA Bypass (CVE-2026-0723): What Happened and How to Protect Yourself
GitLab patched a high-severity two-factor authentication bypass (CVE-2026-0723, CVSS 7.4) that lets attackers hijack accounts. Here is what the vulnerability is, who is affected, and how to remediate it.
GitLab disclosed and patched a high-severity authentication bypass vulnerability that allows attackers to skip two-factor authentication on GitLab CE/EE instances. Tracked as CVE-2026-0723 with a CVSS score of 7.4, this flaw could let an attacker take over any account where they know the target's credential ID, even if 2FA is enabled.
This was part of a broader patch release that addressed multiple security issues, including denial-of-service vulnerabilities and authorization bypasses. With approximately 6,000 self-managed GitLab CE instances exposed to the internet (according to Shadowserver data), the attack surface is significant.
If you run a self-managed GitLab instance, stop reading and upgrade first. Come back after.
What is the vulnerability?
The root cause is an unchecked return value in GitLab's authentication services. When a user authenticates with 2FA, GitLab validates the device response (such as a TOTP code or WebAuthn assertion). The code path responsible for this validation failed to properly check the return value, meaning a forged or empty response could pass validation.
In practical terms, an attacker who:
- Knows a victim's credential ID (which can be obtained through other means)
- Can reach the GitLab login endpoint
...can submit a crafted authentication request that bypasses the 2FA challenge entirely, gaining full access to the account.
This is not a theoretical risk. The attack requires no user interaction and can be performed remotely against any internet-facing GitLab instance running an unpatched version.
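The bug class the article describes, an authentication step whose verifier result is never checked, shown as an added Ruby illustration (not GitLab's code; the `DeviceVerifier` class, the HMAC-based "device response" and the two second-factor functions are assumptions for this example). The vulnerable form accepts any request that names a known credential ID; the fixed form fails closed on anything but an explicit `true`.

```ruby
require 'openssl'

# Hypothetical device-response verifier (assumption for this example). The "device
# response" here is an HMAC of the server challenge keyed with the credential's
# secret; a real WebAuthn assertion would be checked against the credential's
# public key instead, but the control-flow bug is the same.
class DeviceVerifier
  def initialize(credentials)
    @credentials = credentials # { credential_id => secret }
  end

  # true only for a valid MAC of the challenge; false for an unknown credential id,
  # an empty response, or a bad MAC.
  def verify(credential_id, challenge, response)
    secret = @credentials[credential_id]
    return false if secret.nil? || response.nil? || response.empty?

    expected = OpenSSL::HMAC.hexdigest('SHA256', secret, challenge)
    secure_equal?(expected, response)
  end

  private

  # Constant-time comparison so a MAC mismatch does not leak via timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Vulnerable pattern: the verifier runs, but its boolean result is discarded, so a
# forged or empty response for a known credential id still reaches :authenticated.
def vulnerable_second_factor(verifier, credential_id, challenge, response)
  verifier.verify(credential_id, challenge, response) # return value never checked
  :authenticated
end

# Fixed pattern: the result gates the outcome and anything other than `true`
# (false, nil, an unexpected object) is treated as a failed second factor.
def fixed_second_factor(verifier, credential_id, challenge, response)
  ok = verifier.verify(credential_id, challenge, response)
  ok == true ? :authenticated : :rejected
end
```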
Who is affected?
Affected versions:
- GitLab CE/EE 18.8.x before 18.8.2
- GitLab CE/EE 18.7.x before 18.7.2
- GitLab CE/EE 18.6.x before 18.6.4
Not affected:
- GitLab.com (already patched by GitLab)
- GitLab Dedicated (already patched by GitLab)
If you run a self-managed GitLab instance on any version prior to the patched releases above, your instance is vulnerable.
Other vulnerabilities in the same patch cycle
The 2FA bypass was not the only issue addressed. GitLab patched several additional vulnerabilities in the same release window:
| CVE | Severity | Description |
|---|---|---|
| CVE-2025-7659 | High (CVSS 8.0) | Web IDE validation flaw allowing access token theft and unauthorized repository access |
| CVE-2025-8099 | High | Denial-of-service via repeated GraphQL queries causing server crashes |
| CVE-2026-0958 | High | Resource exhaustion by bypassing JSON validation middleware |
| CVE-2025-13927 | Medium | DoS via malformed authentication data requests |
| CVE-2025-13928 | Medium | Incorrect authorization validation in API endpoints |
| CVE-2025-14560 | Medium | Stored cross-site scripting vulnerability |
| CVE-2026-0595 | Medium | Content manipulation via injection |
| CVE-2025-13335 | Medium | DoS via malformed Wiki documents |
| CVE-2026-1102 | Medium | DoS via malformed SSH authentication requests |
The Web IDE flaw (CVE-2025-7659) is particularly noteworthy because it allows unauthenticated attackers to steal access tokens by luring logged-in users to malicious web pages, which can then hijack sessions and grant unauthorized access to private repositories.
Remediation steps
1. Upgrade immediately
Upgrade your self-managed GitLab instance to one of the following patched versions:
- 18.8.2 (if you are on the 18.8.x branch)
- 18.7.2 (if you are on the 18.7.x branch)
- 18.6.4 (if you are on the 18.6.x branch)
For single-node deployments, expect brief downtime during the upgrade. Multi-node deployments can follow GitLab's zero-downtime upgrade procedures.
```bash
# For Omnibus (Linux package) installations: pin the exact patched version
sudo gitlab-ctl stop
sudo apt-get update
sudo apt-get install gitlab-ee=18.8.2-ee.0
# or gitlab-ce=18.8.2-ce.0 for Community Edition
sudo gitlab-ctl reconfigure
sudo gitlab-ctl start

# For Docker installations
docker pull gitlab/gitlab-ee:18.8.2-ee.0
# Restart your container with the new image
```
2. Audit authentication logs
After upgrading, review your authentication logs for signs of exploitation:
```bash
# Check for unusual 2FA-related entries. Search the log file directly:
# `gitlab-ctl tail` follows the log (like tail -f) and never exits when piped to grep.
sudo grep -i "2fa\|two_factor\|bypass" /var/log/gitlab/gitlab-rails/auth.log

# Review recent successful logins (last 30 days, newest first)
sudo gitlab-rails runner "User.where('last_sign_in_at > ?', 30.days.ago).order(last_sign_in_at: :desc).limit(50).each { |u| puts \"#{u.username} - #{u.last_sign_in_at} - #{u.last_sign_in_ip}\" }"
```
Look for:
- Logins from unexpected IP addresses
- Successful logins for accounts where 2FA should have been required
- Multiple accounts accessed from the same IP in a short timeframe
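The last two checks in the list above, run over constructed JSON log lines as an added example (not part of the article and not a GitLab tool). The field names `time`, `event`, `username`, `ip` and `two_factor` are assumptions for the illustration; map them to the keys your auth.log actually emits before using this on real data.

```ruby
require 'json'
require 'time'

# Constructed sample log: one source IP signing in to four accounts within three
# minutes, two of them without a second factor although they are enrolled.
SAMPLE_AUTH_LOG = <<~LOG
  {"time":"2026-01-20T10:00:00Z","event":"login","username":"alice","ip":"203.0.113.5","two_factor":true}
  {"time":"2026-01-20T10:01:00Z","event":"login","username":"bob","ip":"203.0.113.5","two_factor":false}
  {"time":"2026-01-20T10:02:30Z","event":"login","username":"carol","ip":"203.0.113.5","two_factor":false}
  {"time":"2026-01-20T10:03:00Z","event":"login","username":"dave","ip":"203.0.113.5","two_factor":false}
  {"time":"2026-01-20T11:30:00Z","event":"login","username":"alice","ip":"198.51.100.7","two_factor":true}
LOG

# Accounts enrolled in 2FA (constructed list; on a real instance this would come
# from the database, e.g. User.where(otp_required_for_login: true)).
TWO_FACTOR_USERS = %w[alice bob carol].freeze

# Parse JSON lines, keep login events, and turn timestamps into Time objects.
def parse_logins(log_text)
  log_text.each_line.map { |l| JSON.parse(l) }
          .select { |e| e['event'] == 'login' }
          .each { |e| e['time'] = Time.iso8601(e['time']) }
end

# Finding 1: successful logins for enrolled accounts where no second factor was recorded.
def logins_without_expected_2fa(entries, enrolled)
  entries.select { |e| enrolled.include?(e['username']) && !e['two_factor'] }
         .map { |e| [e['username'], e['ip']] }
end

# Finding 2: a single source IP reaching >= threshold distinct accounts within
# `window` seconds (sliding window over each IP's logins, sorted by time).
def ips_hitting_many_accounts(entries, window: 600, threshold: 3)
  entries.group_by { |e| e['ip'] }.each_with_object({}) do |(ip, list), out|
    sorted = list.sort_by { |e| e['time'] }
    sorted.each_index do |i|
      slice = sorted[i..].take_while { |e| e['time'] - sorted[i]['time'] <= window }
      users = slice.map { |e| e['username'] }.uniq
      next unless users.size >= threshold
      out[ip] = users if out[ip].nil? || users.size > out[ip].size
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  entries = parse_logins(SAMPLE_AUTH_LOG)
  puts "Enrolled users who logged in without 2FA: #{logins_without_expected_2fa(entries, TWO_FACTOR_USERS).inspect}"
  puts "IPs hitting many accounts: #{ips_hitting_many_accounts(entries).inspect}"
end
```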
3. Review active sessions and personal access tokens
Revoke any suspicious sessions and rotate personal access tokens, especially for administrator accounts:
```bash
# List all active personal access tokens created in the last 60 days (run as admin)
sudo gitlab-rails runner "PersonalAccessToken.active.where('created_at > ?', 60.days.ago).each { |t| puts \"#{t.user.username} - #{t.name} - created: #{t.created_at}\" }"
```
Consider forcing a password reset for all users if you suspect compromise, or at minimum for all administrator accounts.
4. Enforce 2FA across your instance
If you have not already, enforce 2FA for all users at the instance level:
- Go to Admin Area > Settings > General
- Expand Sign-in restrictions
- Check Require all users to set up two-factor authentication
- Set a reasonable grace period (e.g., 48 hours)
This does not prevent the vulnerability on unpatched instances, but it is a baseline security practice that limits the blast radius of many attack types.
5. Restrict network exposure
If your GitLab instance does not need to be internet-facing, restrict access:
- Place it behind a VPN or Zero Trust access proxy (such as Cloudflare Access or Tailscale)
- Use firewall rules to limit inbound access to known IP ranges
- Disable public registration if not needed
```nginx
# Example: restrict access to specific IP ranges in Nginx.
# (On Omnibus, the bundled Nginx is configured through gitlab.rb, e.g. via
# nginx['custom_gitlab_server_config'], rather than by editing the generated file.)
location / {
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny all;
    proxy_pass http://gitlab-upstream;
}
```
6. Set up continuous monitoring
Security patches close known vulnerabilities, but new ones are disclosed regularly. GitLab alone has had multiple critical patches in the past year. To stay ahead:
- Subscribe to GitLab's security notices to receive patch notifications
- Monitor your GitLab version against known CVEs
- Use external security monitoring to detect exposed services, open ports, and misconfigured endpoints on your infrastructure
Why this matters beyond GitLab
This vulnerability highlights a pattern that affects every team running self-managed infrastructure: the gap between a patch being released and an organization applying it is where attackers operate.
Shadowserver reports roughly 6,000 GitLab CE instances exposed on the public internet. Many of these will remain unpatched for days or weeks after the fix is available, giving attackers a clear window of opportunity.
This is exactly the kind of issue that external attack surface monitoring catches. Tools that continuously scan your infrastructure from the outside can detect:
- Exposed GitLab instances that should be behind a VPN
- Outdated software versions running known-vulnerable releases
- Open ports and services that increase your attack surface
- Configuration drift after deployments change your security posture
The vulnerability itself is a code bug in GitLab. But the real risk is operational: teams that do not have visibility into their external exposure and do not patch quickly are the ones that get compromised.
Timeline
| Date | Event |
|---|---|
| January 7, 2026 | GitLab releases patched versions 18.7.1, 18.6.3, 18.5.5 (addressing earlier CVEs) |
| January 2026 | CVE-2026-0723 disclosed and patched in versions 18.8.2, 18.7.2, 18.6.4 |
| February-March 2026 | Additional patches (18.8.4, 18.7.4, 18.6.6) released addressing further CVEs |
Key takeaways
- Upgrade your self-managed GitLab instance immediately to version 18.8.2, 18.7.2, or 18.6.4 (or later)
- Audit your authentication logs for signs of 2FA bypass exploitation
- Revoke and rotate personal access tokens and active sessions for privileged accounts
- Restrict network access to your GitLab instance if it does not need to be public
- Monitor continuously for new vulnerabilities and exposed services across your infrastructure
Security patches are only effective if applied promptly. The time between disclosure and remediation is the window attackers exploit.
Frequently Asked Questions
What is CVE-2026-0723?
CVE-2026-0723 is a high-severity vulnerability (CVSS 7.4) in GitLab CE/EE that allows attackers to bypass two-factor authentication. An unchecked return value in GitLab's authentication services lets an attacker submit forged device responses and skip the 2FA step, provided they already know the target's credential ID.
Which GitLab versions are affected by CVE-2026-0723?
All GitLab CE/EE versions prior to 18.8.2, 18.7.2, and 18.6.4 are affected. If you are running any version older than these patch releases, you should upgrade immediately.
How do I fix the GitLab 2FA bypass vulnerability?
Upgrade your self-managed GitLab instance to version 18.8.2, 18.7.2, or 18.6.4 (whichever matches your current release branch). GitLab.com and GitLab Dedicated customers are already patched. After upgrading, audit your authentication logs for suspicious activity and review all active sessions.
Can attackers exploit CVE-2026-0723 remotely?
Yes. The vulnerability is network-exploitable. An attacker who knows a user's credential ID can bypass 2FA remotely without any interaction from the victim. This makes it particularly dangerous for internet-facing GitLab instances, of which Shadowserver reports approximately 6,000 exposed online.
Does this vulnerability affect GitLab.com or only self-managed instances?
GitLab has already patched GitLab.com and GitLab Dedicated environments. Self-managed installations are at risk until administrators manually upgrade to the patched versions.