GitLab Addresses High-Severity Vulnerabilities with Security Updates


By Tina Reynolds

GitLab, one of the leading DevOps platforms, recently released several security updates. These updates mitigate a number of critical-severity vulnerabilities found in its Community Edition (CE) and Enterprise Edition (EE). CVE-2025-13927, CVE-2025-13928 and CVE-2026-0723 are related flaws that may permit unauthenticated access and could lead to denial-of-service (DoS) conditions. These vulnerabilities present significant risks to end users.

All major versions, from the latest down to at least 15.0, are affected by the vulnerabilities. This covers 11.9 through, but not including, 18.6.4, as well as 18.7 before 18.7.2 and 18.8 before 18.8.2. Both CVE-2025-13927 and CVE-2025-13928 have a Common Vulnerability Scoring System (CVSS) score of 7.5, underscoring their criticality. Unauthenticated users could disrupt the system by submitting specially crafted requests containing malformed data, leading to denial-of-service (DoS) conditions that make the service unavailable.

Detailed Analysis of Vulnerabilities

CVE-2025-13927 allows unauthenticated users to send specially crafted requests containing corrupted authentication information, each of which can put the system into a Denial of Service (DoS) state. This vulnerability affects users on all versions of GitLab. These vulnerabilities are serious, and organizations need to move fast to mitigate them by applying patches as they become available.

Similarly, CVE-2025-13928 introduces a broken access control flaw in the Releases API. This critical issue can be exploited by unauthenticated users to cause a DoS condition. It is therefore vital for anyone still running the vulnerable versions to act quickly and decisively.

Moreover, CVE-2026-0723 poses another serious threat, with a CVSS score of 7.4. Anyone who knows a victim's credential ID can exploit this vulnerability: by sending forged device responses, they can bypass two-factor authentication (2FA) protections. This bug affects only 18.6 before 18.6.4, 18.7 before 18.7.2 and 18.8 before 18.8.2.
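To help operators map these ranges onto their own deployments, the following is an added version-range check written for this page (not GitLab's own tooling). It encodes only the affected ranges stated in the text above; the version-string format, including the assumed `-ee`/`-ce` suffix handling, is an assumption, and a version outside the listed ranges is not thereby confirmed safe.

```python
"""Check whether a GitLab version string falls inside the affected ranges quoted above.

Ranges are transcribed from the article text; confirm them against GitLab's own
release notes before relying on the result.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# (first affected, inclusive) -> (first fixed, exclusive), per the article.
# The medium-severity CVEs are omitted because the article gives no ranges for them.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2025-13927": [("11.9.0", "18.6.4"), ("18.7.0", "18.7.2"), ("18.8.0", "18.8.2")],
    "CVE-2025-13928": [("11.9.0", "18.6.4"), ("18.7.0", "18.7.2"), ("18.8.0", "18.8.2")],
    "CVE-2026-0723":  [("18.6.0", "18.6.4"), ("18.7.0", "18.7.2"), ("18.8.0", "18.8.2")],
}


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple.

    Assumption: edition suffixes such as '-ee' or '-ce' may follow and are ignored.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def affected_cves(version: str) -> List[str]:
    """Return the CVE IDs from AFFECTED whose ranges contain `version`, sorted."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        if any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample inputs, not real deployment data.
    for sample in ["18.6.3-ee", "18.6.4", "18.7.1", "18.8.2", "17.5.0"]:
        print(sample, "->", affected_cves(sample) or "not in the listed ranges")
```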


Additional Medium-Severity Bugs

Beyond the severe vulnerabilities mentioned above, GitLab fixed two medium-severity issues that could also cause DoS conditions. They are tracked as CVE-2025-13335 (CVSS score 6.5) and CVE-2026-1102 (CVSS score 5.3), respectively.

The risk posed by these medium-severity vulnerabilities is lower than that of the higher-rated ones. They should not be neglected, however: patching them is still necessary to keep GitLab environments secure and stable.

Importance of Prompt Updates

For organizations that rely on GitLab, the time to act is now. They should deploy these security patches as soon as possible to defend their systems from attacks exploiting these vulnerabilities. Neglecting to do so may compromise sensitive information and services, opening the door to serious operational downtime.