
Critical GitLab Flaw Allows Bypassing Two-Factor Authentication

Hello HaWkers, a serious vulnerability has been discovered in GitLab that allows attackers to completely bypass two-factor authentication (2FA). This flaw affects millions of developers and organizations that rely on the platform to protect their source code.

Do you use GitLab at work or for personal projects? Then you need to understand what happened and how to protect yourself immediately.

What Was Discovered

Security researchers identified a critical flaw in GitLab's 2FA implementation.

Vulnerability Details

CVE-2026-XXXX - Critical Rating:

  • Severity: Critical (CVSS 9.6)
  • Type: Authentication bypass (second factor only)
  • Affected versions: 15.x - 17.x
  • Fixed version: 17.8.1+
  • Exploitation: Remote; the attacker needs the account's password and bypasses only the 2FA step

How the flaw works:

  • Attacker initiates login process with valid credentials
  • During 2FA verification, a race condition allows bypass
  • Attacker obtains authenticated session without providing 2FA code
  • Full access to account and repositories

⚠️ Alert: This vulnerability is already being actively exploited on the internet.

Discovery Timeline

  • Jan 10, 2026: Researcher reports flaw to GitLab
  • Jan 15, 2026: GitLab confirms vulnerability
  • Jan 20, 2026: Patch released (17.8.1)
  • Jan 22, 2026: Coordinated public disclosure
  • Now: Active exploitation detected

Impact For Developers

This vulnerability has serious implications for code security.

What An Attacker Can Do

With access to your GitLab account:

  1. Steal source code:

    • Clone private repositories
    • Access secrets in CI/CD
    • Exfiltrate intellectual property
  2. Compromise supply chain:

    • Inject malicious code
    • Modify deploy pipelines
    • Create backdoors in releases
  3. Escalate privileges:

    • Access other organization projects
    • Modify user permissions
    • Create administrative accounts
  4. Persistence:

    • Add own SSH keys
    • Create personal access tokens
    • Configure malicious webhooks

Who Is At Risk

Highest risk:

  • Organizations with outdated self-hosted GitLab
  • Open source projects with external contributors
  • Companies without access monitoring

Moderate risk:

  • GitLab.com users (already updated)
  • Organizations with active log auditing
  • Projects with strict branch protection

How To Check If You Were Affected

Follow these steps to audit your account and organization.

Version Check

# For self-hosted GitLab (Omnibus), the version is the line after "GitLab information"
sudo gitlab-rake gitlab:env:info | grep -A1 "GitLab information"

# Or via API (any edition; the token needs the read_api scope)
curl --header "PRIVATE-TOKEN: <your-token>" \
  "https://your-gitlab.com/api/v4/version"

Vulnerable versions:

  • 15.0 to 17.8.0 - VULNERABLE
  • 17.8.1+ - FIXED

Suspicious Access Audit

Active sessions are reviewed in the web UI under User Settings > Active Sessions; the REST API does not expose them. Tokens, keys, webhooks and CI variables can be listed via the API (replace gitlab.com with your own host on a self-hosted instance):

# Personal access tokens of the current user (admins can add ?user_id=<id>)
curl --header "PRIVATE-TOKEN: <your-token>" \
  "https://gitlab.com/api/v4/personal_access_tokens"

# SSH keys on your account
curl --header "PRIVATE-TOKEN: <your-token>" \
  "https://gitlab.com/api/v4/user/keys"

# Webhooks and CI/CD variables of a project you maintain
curl --header "PRIVATE-TOKEN: <your-token>" \
  "https://gitlab.com/api/v4/projects/<project-id>/hooks"
curl --header "PRIVATE-TOKEN: <your-token>" \
  "https://gitlab.com/api/v4/projects/<project-id>/variables"

Signs of Compromise

Check for:

  • Sessions from unknown IPs
  • Tokens you don't recognize
  • SSH keys that aren't yours
  • Commits from unknown authors
  • Webhooks to suspicious URLs
  • Changes to CI/CD variables
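Working through those lists by eye is error-prone, especially when an attacker reuses the title of a legitimate key. The script below is an added example, not GitLab tooling: it takes the JSON that GET /personal_access_tokens, GET /user/keys and GET /projects/:id/hooks return and flags the items the list above describes. The three responses are constructed samples shaped like the real API output, the 30-day window and the webhook allowlist are assumptions to adapt, and the SSH keys are synthetic blobs in OpenSSH wire format rather than real keypairs.

```python
import base64
import hashlib
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Added example, not GitLab tooling. Responses below are constructed samples;
# INCIDENT_WINDOW_DAYS and ALLOWED_WEBHOOK_HOSTS are assumptions to adapt.
INCIDENT_WINDOW_DAYS = 30
ALLOWED_WEBHOOK_HOSTS = {"ci.example.com"}            # assumed known-good destinations
NOW = datetime(2026, 1, 25, tzinfo=timezone.utc)      # fixed clock for the sample


def parse_ts(value):
    """GitLab API timestamps look like 2026-01-21T03:14:07.000Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def ssh_fingerprint(public_key_line):
    """SHA256 fingerprint of an OpenSSH public key line, as `ssh-keygen -lf` prints it."""
    blob = base64.b64decode(public_key_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def triage(tokens, keys, hooks, known_fingerprints, now=NOW):
    """Return {kind: [(id, reason), ...]} for everything that needs a human look."""
    cutoff = now - timedelta(days=INCIDENT_WINDOW_DAYS)
    findings = {"tokens": [], "keys": [], "hooks": []}

    for tok in tokens:
        if tok["revoked"] or not tok["active"]:
            continue                                   # already dead, nothing to revoke
        reasons = []
        if parse_ts(tok["created_at"]) >= cutoff:
            reasons.append("created inside the incident window")
        if tok.get("expires_at") is None:
            reasons.append("never expires")
        if "api" in tok["scopes"] or "sudo" in tok["scopes"]:
            reasons.append("broad scope " + ",".join(tok["scopes"]))
        if reasons:
            findings["tokens"].append((tok["id"], "; ".join(reasons)))

    for key in keys:
        # compare fingerprints, not titles: the attacker picks the title
        fp = ssh_fingerprint(key["key"])
        if fp not in known_fingerprints:
            findings["keys"].append((key["id"], f"unknown fingerprint {fp} (title {key['title']!r})"))

    for hook in hooks:
        url = urlparse(hook["url"])
        if url.scheme != "https":
            findings["hooks"].append((hook["id"], "plaintext webhook to " + hook["url"]))
        elif url.hostname not in ALLOWED_WEBHOOK_HOSTS:
            findings["hooks"].append((hook["id"], "unexpected destination " + url.hostname))
    return findings


def fake_ed25519_key(fill, comment):
    """Constructed OpenSSH key line (wire-format blob, not a real keypair)."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([fill]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


MY_KEY = fake_ed25519_key(0x11, "me@work-laptop")
ROGUE_KEY = fake_ed25519_key(0x99, "root@localhost")

# Constructed samples, shaped like the real API responses
SAMPLE_TOKENS = [
    {"id": 101, "name": "laptop-cli", "revoked": False, "active": True, "scopes": ["read_api"],
     "created_at": "2025-11-02T09:12:00.000Z", "last_used_at": "2026-01-20T10:00:00.000Z",
     "expires_at": "2026-11-02"},
    {"id": 244, "name": "backup", "revoked": False, "active": True, "scopes": ["api", "write_repository"],
     "created_at": "2026-01-21T03:14:07.000Z", "last_used_at": "2026-01-21T03:15:00.000Z",
     "expires_at": None},
]
SAMPLE_KEYS = [
    {"id": 7, "title": "work-laptop", "key": MY_KEY, "created_at": "2025-03-01T08:00:00.000Z"},
    # same title as the real key, so a glance at the UI would not catch it
    {"id": 9, "title": "work-laptop", "key": ROGUE_KEY, "created_at": "2026-01-21T03:20:00.000Z"},
]
SAMPLE_HOOKS = [
    {"id": 3, "url": "https://ci.example.com/hooks/gitlab", "push_events": True,
     "created_at": "2025-06-10T12:00:00.000Z"},
    {"id": 11, "url": "http://203.0.113.10:8080/collect", "push_events": True,
     "created_at": "2026-01-21T03:25:00.000Z"},
]


def run_sample():
    """Triage the constructed samples against the one key we actually own."""
    return triage(SAMPLE_TOKENS, SAMPLE_KEYS, SAMPLE_HOOKS, {ssh_fingerprint(MY_KEY)})


if __name__ == "__main__":
    for kind, items in run_sample().items():
        for item_id, reason in items:
            print(f"{kind} #{item_id}: {reason}")
```

In practice you would feed it the output of the curl calls above (`json.load` on each response) and seed `known_fingerprints` from `ssh-keygen -lf` on the keys you actually hold; everything it flags is a candidate for revocation, not proof of compromise.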

Immediate Protection Actions

If you use GitLab, take these actions now.

For Individual Users

1. Revoke all sessions:

# Via interface: User Settings > Active Sessions > Revoke, for every session you do not recognise
# (the REST API does not manage sessions)

# Revoke a suspicious personal access token via API (id from GET /personal_access_tokens)
curl --request DELETE \
  --header "PRIVATE-TOKEN: <your-token>" \
  "https://gitlab.com/api/v4/personal_access_tokens/<token-id>"

2. Rotate credentials:

  • Change your password
  • Regenerate access tokens
  • Update SSH keys
  • Revoke OAuth application tokens

3. Audit recent activities:

  • Review commits from last 30 days
  • Check CI/CD changes
  • Verify configured webhooks

For Administrators

1. Update immediately:

# Omnibus on Ubuntu/Debian (use gitlab-ce if you run Community Edition)
sudo apt-get update && sudo apt-get install gitlab-ee

# Docker: bump the image tag in docker-compose.yml to the fixed release, then
docker pull gitlab/gitlab-ee:17.8.1-ee.0
docker compose up -d

# Helm: the chart version is not the GitLab version; pick the chart release that ships 17.8.1
helm repo update
helm upgrade gitlab gitlab/gitlab --reuse-values --version <chart-version>

2. Force 2FA re-enrollment:

Disabling 2FA for every user (the rake task gitlab:two_factor:disable_for_all_users exists for that) is the wrong response while a bypass is being exploited: it removes the second factor instead of reissuing it, and flipping otp_required_for_login alone leaves the old OTP secret in place. Reset only the accounts you believe were touched, and clear their secrets so a captured seed is useless:

# Via rails console
sudo gitlab-rails console

# disable_two_factor! clears the OTP secret, backup codes and registered WebAuthn devices
%w[alice bob].each do |name|
  User.find_by(username: name)&.disable_two_factor!
end

Then require 2FA instance-wide (Admin Area > Settings > General > Sign-in restrictions > Enforce two-factor authentication, grace period 0) so those users must enroll again at their next sign-in.

3. Turn on and ship audit logging:

Audit events (Premium/Ultimate) are on by default; what you configure is where they go. Streaming to an external destination is set per top-level group or for the instance under Secure > Audit events > Streams (or via GraphQL), not in gitlab.rb. Every edition also writes the logs an investigation needs under /var/log/gitlab/gitlab-rails/, so ship these to your SIEM as well:

# Rate-limit and protected-path events (sign-in, OAuth)
/var/log/gitlab/gitlab-rails/auth.log
# Membership, permission and setting changes
/var/log/gitlab/gitlab-rails/audit_json.log
# Every web/API request, with remote IP, username, path and status
/var/log/gitlab/gitlab-rails/production_json.log

Security Best Practices

Beyond fixing this flaw, implement defense in depth.

Authentication Hardening

1. Use hardware keys:

  • WebAuthn (security keys, platform authenticators) resists phishing; TOTP codes can be phished or relayed
  • Available in every GitLab edition, including Free and CE
  • Configuration at: User Settings > Account > Two-Factor Authentication > Register WebAuthn device

2. Implement SSO:

  • SAML with your corporate IdP
  • OIDC for centralized authentication
  • Eliminates GitLab passwords

3. Password policies:

  • Minimum 16 characters (Admin Area > Settings > General > Sign-in restrictions sets the minimum length)
  • Rotate on suspected compromise rather than on a calendar; NIST SP 800-63B no longer recommends scheduled rotation
  • Lockout after 5 attempts

Repository Protection

Branch protection rules:

Branch protection and merge-request approvals are project settings, not CI jobs: a pipeline job cannot stop a direct push, and it runs before anyone has approved, so a job that fails while $CI_MERGE_REQUEST_APPROVED is not "true" would fail on every fresh MR. Configure them under Settings > Repository > Protected branches and Settings > Merge requests, or via the API:

# Protect main: no direct pushes (0 = No access), merges only by Maintainers (40), no force-push
curl --request POST --header "PRIVATE-TOKEN: <your-token>" \
  "https://gitlab.com/api/v4/projects/<project-id>/protected_branches" \
  --data "name=main&push_access_level=0&merge_access_level=40&allow_force_push=false"

# Require two approvals before merge (approval rules are a Premium/Ultimate feature)
curl --request POST --header "PRIVATE-TOKEN: <your-token>" \
  "https://gitlab.com/api/v4/projects/<project-id>/approval_rules" \
  --data-urlencode "name=Code review" --data-urlencode "approvals_required=2"

Signed commits:

# Configure GPG signing (SSH keys can sign too: git config --global gpg.format ssh, Git 2.34+, verified by GitLab 15.7+)
git config --global commit.gpgsign true
git config --global user.signingkey YOUR_KEY_ID

# GitLab marks a commit Verified only if the public key is registered on the committer's
# profile (User Settings > GPG Keys) and the key's email is a verified address of that account;
# the "Reject unsigned commits" push rule (Premium) enforces this server-side

Continuous Monitoring

Recommended alerts:

  • Login from new IP/device
  • Access token creation
  • Permission changes
  • Commits to protected branches
  • Serial authentication failures

Lessons Learned

This incident reinforces important security principles.

Why 2FA Is Not Enough

Necessary protection layers:

  • Strong password (16+ chars, unique): brute force and credential stuffing
  • 2FA (TOTP or, better, WebAuthn): password theft; only WebAuthn also resists phishing
  • Device trust (client certificates, managed devices): stolen credentials used from unmanaged machines
  • Network (VPN / Zero Trust): exposure of the login endpoint to the whole internet
  • Monitoring (SIEM / alerts): detection when the layers above fail

💡 Principle: No security measure is perfect. Defense in depth is essential.

The Race Condition Problem

This vulnerability class is common in authentication systems:

How it occurs:

  1. System verifies credential (password)
  2. System verifies second factor (2FA)
  3. Attacker exploits window between verifications
  4. Session is created before complete verification

How to prevent:

  • Atomic verifications
  • Tokens with consistent state
  • Aggressive timeout in auth flows
  • Concurrency tests in CI/CD
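To make "atomic verifications" concrete, here is an added example (not GitLab's code and not a reconstruction of the flaw above) of the most common instance of this class: a per-login OTP attempt limiter that reads a counter, compares it, then writes it back with nothing making the three steps atomic, beside the same policy as one critical section. The TOTP seed, the login id and the clock value are constructed; the Barrier is a test hook that forces the worst-case interleaving so the result is reproducible, where in a real service the window is the latency between the database read and write.

```python
import hashlib
import hmac
import struct
import threading

# Added example, not GitLab's code. SECRET, NOW and the login id are constructed;
# the Barrier only exists to force the interleaving an attacker would get by luck.
MAX_ATTEMPTS = 3                       # OTP guesses allowed per pending login
SECRET = b"constructed-demo-seed"      # not a real user's TOTP seed
NOW = 1_700_000_000                    # fixed clock so the expected code is stable


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, so the second-factor check is real."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class VulnerableGate:
    """Read counter -> compare -> write back, with nothing making the three
    steps atomic. Every request that reads before the first write sees 0."""

    def __init__(self, barrier=None):
        self.attempts = {}
        self.barrier = barrier

    def take_attempt(self, login_id):
        count = self.attempts.get(login_id, 0)        # 1. read
        if count >= MAX_ATTEMPTS:                     # 2. compare
            return False
        if self.barrier is not None:
            self.barrier.wait()                       # park: every racer has passed the check
        self.attempts[login_id] = count + 1           # 3. write: a lost update
        return True


class AtomicGate:
    """Same policy; read-compare-write is one critical section. In a real
    service this is a row lock or a Redis INCR with a TTL, not a thread lock."""

    def __init__(self, barrier=None):
        self.attempts = {}
        self.lock = threading.Lock()

    def take_attempt(self, login_id):
        with self.lock:
            count = self.attempts.get(login_id, 0)
            if count >= MAX_ATTEMPTS:
                return False
            self.attempts[login_id] = count + 1
            return True


def run_race(gate_cls, force_interleaving=False, login_id="pending-login-42"):
    """Fire the real code plus nine wrong guesses concurrently, the way an
    attacker who already holds the password would. Returns what got through."""
    real = totp(SECRET, NOW)
    guesses = [str((int(real) + i) % 10 ** 6).zfill(6) for i in range(1, 10)] + [real]
    gate = gate_cls(threading.Barrier(len(guesses)) if force_interleaving else None)
    passed, matched = [], []

    def attempt(code):
        if gate.take_attempt(login_id):               # limiter says go
            passed.append(code)
            if hmac.compare_digest(code, real):       # the actual second-factor check
                matched.append(code)

    threads = [threading.Thread(target=attempt, args=(g,)) for g in guesses]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {
        "passed_limiter": len(passed),
        "otp_compromised": bool(matched),
        "counter_after": gate.attempts.get(login_id, 0),
    }


if __name__ == "__main__":
    print("vulnerable:", run_race(VulnerableGate, force_interleaving=True))
    print("atomic:    ", run_race(AtomicGate))
```

With the vulnerable gate all ten guesses pass a limit of three and the counter ends at 1, because every request wrote 0 + 1; with the atomic gate exactly three get through and the counter reads 3. The same `run_race` call, run under a thread sanitizer or a fuzzing harness in CI, is the "concurrency test" the prevention list asks for.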

Supply Chain Security

Implications for open source projects:

  • Malicious commits can go unnoticed
  • Compromised releases affect downstream
  • Trust in maintainer is not enough

Mitigations:

  • GPG signature verification
  • Reproducible builds
  • SBOM (Software Bill of Materials)
  • Dependency scanning

What To Expect

GitLab and other platforms are responding.

GitLab's Next Steps

Announced:

  • Complete audit of authentication flows
  • Increased bug bounty for auth flaws
  • New security program for self-hosted
  • Compromise detection tools

Code Security Trends

2026-2027:

  • Passkeys replacing passwords
  • Zero Trust in development environments
  • AI for anomaly detection
  • Stricter regulations

Conclusion

The critical GitLab flaw is a reminder that even mature platforms can have serious vulnerabilities. For developers, source code security is as important as the security of the final product.

Immediate actions:

  1. Check your GitLab version and update to 17.8.1+
  2. Revoke all active sessions
  3. Audit tokens, SSH keys, and webhooks
  4. Implement access monitoring
  5. Consider hardware keys for 2FA

Long term:

  1. Adopt defense in depth
  2. Implement signed commits
  3. Configure strict branch protection
  4. Maintain incident response plan

Security is not a destination, it's a continuous journey. This vulnerability affects millions of developers, but with the right actions, we can minimize the impact and strengthen our defenses.

For more on development security, read: SMS Authentication Links: The Vulnerability You Need to Know.

Let's go! 🦅
