CVE-2026-2745
Published: 25 March 2026
Summary
CVE-2026-2745 is a medium-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Gitlab Gitlab. Its CVSS base score is 6.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires input validation at system interfaces, addressing the inconsistent input validation flaw in GitLab's WebAuthn authentication process that enables 2FA bypass.
Ensures unique identification and authentication of organizational users, preventing unauthorized access via WebAuthn 2FA bypass using alternate paths.
Manages authenticators including WebAuthn mechanisms to protect against misuse and ensure proper validation during the authentication process.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE describes a remote auth bypass in public-facing GitLab WebAuthn 2FA (CWE-288), directly enabling T1190 exploitation of the web app and achieving the effect of T1556.006 MFA bypass for unauthorized account access.
NVD Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 7.11 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to bypass WebAuthn two-factor authentication and gain unauthorized access to user…
more
accounts due to inconsistent input validation in the authentication process.
Deeper analysisAI
CVE-2026-2745 is a vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE) stemming from inconsistent input validation in the WebAuthn two-factor authentication process. This flaw allows bypassing of WebAuthn 2FA, potentially enabling unauthorized access to user accounts. It affects all versions from 7.11 prior to 18.8.7, 18.9 prior to 18.9.3, and 18.10 prior to 18.10.1. The issue carries a CVSS v3.1 base score of 6.8 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-288 (Authentication Bypass Using an Alternate Path or Channel).
An unauthenticated user could exploit this vulnerability over the network to circumvent WebAuthn 2FA protections during authentication, achieving unauthorized access to affected user accounts. The high attack complexity (AC:H) and low privilege requirement (PR:L) per the CVSS vector indicate that exploitation demands specific conditions but could yield high confidentiality and integrity impacts without disrupting availability.
GitLab has remediated the issue with patches released in versions 18.8.7, 18.9.3, and 18.10.1, as detailed in the patch release notes for GitLab 18.10.1. Additional technical details are available in GitLab's internal work item 590810 and the originating HackerOne report 3557844, which security practitioners should review for implementation guidance and verification steps.
Details
- CWE(s)