CVE-2026-0723
Published: 22 January 2026
Summary
CVE-2026-0723 is a high-severity Unchecked Return Value (CWE-252) vulnerability in Gitlab Gitlab. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 1.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
CVE-2026-0723 is a vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE) affecting all versions from 18.6 prior to 18.6.4, 18.7 prior to 18.7.2, and 18.8 prior to 18.8.2. The issue allows an attacker with prior knowledge of a victim's credential ID to bypass two-factor authentication (2FA) by submitting forged device responses. It is associated with CWE-252 (Unchecked Return Value) and carries a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
An attacker can exploit this vulnerability remotely over the network without requiring user privileges or interaction, though it demands high attack complexity, likely due to the need for precise knowledge of the target's credential ID. Successful exploitation enables bypassing 2FA protections, potentially granting unauthorized access to the victim's GitLab account with high impacts on confidentiality and integrity, such as accessing sensitive repositories or project data.
GitLab has remediated the vulnerability, as detailed in their patch release notes for version 18.8.2 and related advisories. Security practitioners should upgrade affected GitLab CE/EE instances to version 18.6.4, 18.7.2, or 18.8.2 or later. Additional details are available in GitLab issue tracker entry 585333 and the corresponding HackerOne disclosure report 3476052.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4149
Vulnerability details
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an individual with existing knowledge of a victim's credential ID to bypass two-factor authentication…
more
by submitting forged device responses.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote auth bypass in public-facing GitLab web app directly enables T1190; no other techniques are directly facilitated by the described flaw.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires cryptographic verification of multi-factor authenticators so that forged device responses cannot satisfy the 2FA check.
Enforces that access decisions are made only after the complete, correctly validated authentication chain succeeds.
Mandates validation of all inputs, directly addressing the unchecked return value that allowed forged 2FA device responses.