VYPR
patch · Published Jan 21, 2026 · Updated May 20, 2026 · 1 source

GitLab Patch Release 18.8.2, 18.7.2, 18.6.4 Fixes High-Severity DoS and 2FA Bypass Flaws

GitLab released versions 18.8.2, 18.7.2, and 18.6.4 on January 21, 2026, patching multiple vulnerabilities including an unauthenticated denial-of-service in Jira Connect and a 2FA bypass flaw.

GitLab released versions 18.8.2, 18.7.2, and 18.6.4 for Community Edition and Enterprise Edition on January 21, 2026, addressing multiple security vulnerabilities that range in severity from medium to high. The patch release covers five CVEs, including two high-severity denial-of-service issues and a 2FA bypass flaw that could allow account takeover under specific conditions. GitLab strongly recommends that all self-managed instances upgrade immediately, while GitLab.com and GitLab Dedicated customers are already protected.

The most severe vulnerability, CVE-2025-13927 (CVSS 7.5), is an unauthenticated denial-of-service issue in the Jira Connect integration. An attacker could trigger a DoS condition by sending crafted requests with malformed authentication data, affecting all GitLab versions from 11.9 up to the patched releases. The flaw was reported through GitLab's HackerOne bug bounty program by researcher a92847865. A second high-severity DoS, CVE-2025-13928 (CVSS 7.5), stems from incorrect authorization validation in the Releases API, allowing an unauthenticated attacker to cause service disruption.

A notable authentication bypass vulnerability, CVE-2026-0723 (CVSS 7.4), allows an attacker with knowledge of a victim's credential ID to bypass two-factor authentication by submitting forged device responses. This unchecked return value issue in authentication services affects GitLab versions from 18.6 onward and was reported by researcher ahacker1. The flaw is particularly concerning because it undermines a core security control—2FA—and could lead to full account compromise.

Two additional medium-severity DoS vulnerabilities were also patched. CVE-2025-13335 (CVSS 6.5) allows an authenticated user to create a denial-of-service condition by configuring malformed Wiki documents that bypass cycle detection, leading to an infinite loop. CVE-2026-1102 (CVSS 5.3) enables an unauthenticated attacker to cause a DoS by sending repeated malformed SSH authentication requests. The latter was discovered internally by GitLab team member Thiago Figueiró.
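For administrators triaging a self-managed fleet, the following is an added example (not GitLab's own tooling) that parses an instance version string, reports whether it already carries this patch release, names the release to move to, and lists which of the two CVEs whose affected range the summary states (CVE-2025-13927 from 11.9, CVE-2026-0723 from 18.6) apply. The treatment of series outside 18.6 to 18.8 and the `-ce`/`-ee` suffix handling are assumptions.

```python
"""Triage helper for the GitLab 18.8.2 / 18.7.2 / 18.6.4 patch release.
Added example, not GitLab code. Affected ranges are only the ones the
advisory summary states explicitly."""
import re

# Patched release for each affected minor series named in the advisory.
PATCHED = {(18, 8): (18, 8, 2), (18, 7): (18, 7, 2), (18, 6): (18, 6, 4)}

# Only the two CVEs whose lower bound the summary gives; others are omitted
# rather than guessed.
RANGED_CVES = {
    "CVE-2025-13927": (11, 9, 0),   # unauthenticated DoS in Jira Connect
    "CVE-2026-0723": (18, 6, 0),    # 2FA bypass via forged device responses
}


def parse_version(text):
    """'18.7.1-ee' -> (18, 7, 1); assumption: optional -ce/-ee suffix."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(?:ce|ee))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(x) for x in m.groups())


def triage(version_text):
    """Return patched status, the release to upgrade to, and the ranged
    CVEs that apply to an unpatched version."""
    v = parse_version(version_text)
    series = v[:2]
    if series in PATCHED:
        target = PATCHED[series]
        patched = v >= target
    elif series > (18, 8):
        target, patched = None, True    # assumption: later series carry the fix
    else:
        # Assumption: older series have no patched release in this set, so
        # the lowest patched release, 18.6.4, is the minimum target.
        target, patched = (18, 6, 4), False
    applicable = [] if patched else [
        cve for cve, start in RANGED_CVES.items() if v >= start]
    return {"version": v, "patched": patched,
            "upgrade_to": target, "applicable_cves": applicable}


if __name__ == "__main__":
    # Constructed sample versions for an offline run.
    for sample in ["18.8.1-ee", "18.8.2", "18.6.3", "18.5.0", "11.8.9"]:
        print(sample, triage(sample))
```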

The patch release also includes numerous bug fixes beyond the security issues. Version 18.8.2 backports fixes for merge request reviewer dropdown crashes, AI Catalog seeding rake tasks, and the general availability (GA) of external agent configuration. Version 18.7.2 addresses the vulnerability occurrence-fetching logic, searchable dropdown race conditions, and container repository index repair. Version 18.6.4 includes fixes for soft wrap accessibility conflicts and Git push errors in remote flows on self-managed instances.

GitLab follows a structured patch release cadence, with scheduled releases twice monthly on the second and fourth Wednesdays, supplemented by ad-hoc critical patches for high-severity vulnerabilities. Security issue details are made public on GitLab's issue tracker 30 days after the patched release, giving administrators time to upgrade before full technical details are disclosed. This release underscores the ongoing challenge of securing complex DevOps platforms that integrate with multiple external services like Jira and handle sensitive authentication flows.

Synthesized by Vypr AI