Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 7.11 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to bypass WebAuthn two-factor authentication and gain unauthorized access to user accounts due to inconsistent input validation in the authentication process.
AnalysisAI
GitLab CE/EE versions 7.11 through 18.10 contain an authentication bypass vulnerability in the WebAuthn two-factor authentication implementation due to inconsistent input validation, allowing unauthenticated attackers to gain unauthorized access to user accounts. The vulnerability affects a wide version range spanning multiple releases (7.11 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1). A proof-of-concept exploit is publicly available, and while the CVSS score of 6.8 indicates moderate severity, the authentication bypass nature and active exploit availability represent a significant real-world threat to GitLab deployments.
Technical ContextAI
The vulnerability resides in GitLab's WebAuthn authentication handler, which implements the FIDO2/WebAuthn protocol for passwordless two-factor authentication. The root cause is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel), specifically stemming from inconsistent input validation in the authentication process. WebAuthn is a security-critical protocol that verifies user identity through cryptographic challenges and responses; when input validation is inconsistent, an attacker can craft malformed authentication requests that bypass the intended security checks. The affected CPE (cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*) indicates this impacts all GitLab product variants across the affected version range, affecting both Community Edition (CE) and Enterprise Edition (EE) deployments.
RemediationAI
Immediately upgrade GitLab to one of the patched versions: 18.8.7 or later, 18.9.3 or later, or 18.10.1 or later, depending on your current deployment. Consult the official GitLab patch release advisory at https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/ for specific upgrade instructions and release notes. As an interim mitigation pending patching, disable WebAuthn two-factor authentication and enforce alternative MFA methods (TOTP, U2F) or require additional network-level access controls to limit exposure. Additionally, audit WebAuthn authentication logs for any suspicious or failed authentication attempts that may indicate exploitation attempts, and reset credentials for any accounts where WebAuthn bypass is suspected. Consider implementing rate limiting on authentication endpoints and restrict GitLab instance access to trusted IP ranges where feasible.
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.
The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab af
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions sta
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15804
GHSA-gwxm-w4m8-m6mp