GitLab 2FA login protection bypass lets attackers take over accounts
Briefly

"The hole is one of five vulnerabilities patched Wednesday as part of new versions of GitLab. Three are ranked High in severity, including the 2FA bypass issue, while the other two are ranked Medium in severity. GitLab says the 2FA hole, CVE-2026-0723, if exploited on an unpatched system, could allow an individual with knowledge of a victim's ID credentials to bypass two-factor authentication by submitting forged device responses."
"If a threat actor can access an account, they can do almost unlimited damage to IT systems. In the case of GitLab, if critical code is sitting in a developer's account, a threat actor could compromise it, notes David Shipley, head of Canadian-based security awareness training firm Beauceron Security. If that code is to be used in software that can be downloaded or sold to other organizations, then inserted malware could be spread in a supply chain attack."
A critical two-factor authentication bypass vulnerability (CVE-2026-0723) affects GitLab Community and Enterprise editions and requires immediate patching. The flaw is one of five vulnerabilities addressed in new GitLab releases; three are rated High and two Medium. An attacker possessing a user's ID credentials can bypass 2FA by submitting forged device responses, enabling account takeover. Compromised developer accounts can expose critical code, allow insertion of malware into distributed software, and facilitate supply-chain attacks. Compromised code can also reveal cloud secrets and grant access to Azure, AWS, or GCP. SaaS and web GitLab versions have been patched; on-premises instances must be upgraded.
Read at InfoWorld