CVE-2026-2745 Overview
A critical authentication bypass vulnerability has been identified in GitLab CE/EE that allows unauthenticated attackers to bypass WebAuthn two-factor authentication (2FA) and gain unauthorized access to user accounts. The vulnerability stems from inconsistent input validation in the authentication process, enabling attackers to circumvent WebAuthn-based security controls that are designed to provide strong multi-factor authentication protection.
This vulnerability affects a wide range of GitLab versions spanning from 7.11 through 18.10.0, representing a significant security risk for organizations relying on WebAuthn 2FA to protect their GitLab instances and the sensitive source code repositories they contain.
Critical Impact
Attackers can bypass WebAuthn two-factor authentication to gain unauthorized access to GitLab user accounts, potentially compromising source code, CI/CD pipelines, and sensitive organizational data.
Affected Products
- GitLab Community Edition (CE) versions 7.11 to 18.8.6
- GitLab Enterprise Edition (EE) versions 7.11 to 18.8.6
- GitLab CE/EE versions 18.9.0 to 18.9.2
- GitLab CE/EE version 18.10.0
Discovery Timeline
- 2026-03-25 - CVE-2026-2745 published to NVD
- 2026-03-25 - GitLab releases security patch versions 18.8.7, 18.9.3, and 18.10.1
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-2745
Vulnerability Analysis
CVE-2026-2745 is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel), indicating that the vulnerability allows attackers to circumvent the intended authentication flow. The issue lies in how GitLab processes authentication requests when WebAuthn 2FA is enabled.
The vulnerability is network-accessible and can be exploited without user interaction, making it particularly dangerous for internet-facing GitLab instances. The attack requires low privileges to initiate, though successful exploitation results in high impact to both confidentiality and integrity of affected systems. This means attackers could potentially read sensitive repository contents, modify code, and manipulate CI/CD pipelines.
The root cause appears to be inconsistent input validation within the authentication process, where certain authentication paths do not properly enforce WebAuthn verification, allowing attackers to bypass the second factor entirely.
Root Cause
The vulnerability originates from inconsistent input validation in GitLab's authentication process. When users authenticate with WebAuthn-based two-factor authentication enabled, there exists a code path where the WebAuthn verification can be bypassed due to improper validation of authentication inputs. This inconsistency allows an attacker to craft requests that skip the WebAuthn challenge-response verification while still completing the authentication flow successfully.
Attack Vector
The attack vector is network-based, allowing remote exploitation without requiring any user interaction. An attacker targeting a vulnerable GitLab instance can:
- Initiate an authentication request to the GitLab server
- Exploit the inconsistent input validation to craft a malformed authentication request
- Bypass the WebAuthn 2FA challenge verification step
- Gain unauthorized access to user accounts that have WebAuthn 2FA enabled
The vulnerability allows attackers to undermine the security guarantees provided by hardware security keys and platform authenticators that implement WebAuthn. For detailed technical information, refer to the HackerOne Report #3557844 and GitLab Work Item #590810.
Detection Methods for CVE-2026-2745
Indicators of Compromise
- Successful authentication events for accounts with WebAuthn 2FA enabled that lack corresponding WebAuthn challenge completion logs
- Unusual login patterns or geographic anomalies for accounts protected by WebAuthn
- Authentication log entries showing incomplete or missing 2FA verification steps
- Unexpected API access or repository changes from accounts with hardware key requirements
Detection Strategies
- Monitor GitLab authentication logs for login successes that bypass the expected WebAuthn verification flow
- Implement alerting for authentication events that complete without proper 2FA challenge-response sequences
- Audit access logs for accounts with WebAuthn enabled to identify any suspicious activity patterns
- Deploy SentinelOne Singularity Platform to detect and correlate suspicious authentication bypass attempts across your infrastructure
Monitoring Recommendations
- Enable detailed authentication logging in GitLab to capture all authentication flow steps
- Set up alerts for authentication anomalies, particularly for privileged accounts with 2FA enabled
- Regularly review GitLab audit logs for signs of unauthorized access or privilege escalation
- Implement network-level monitoring for unusual authentication traffic patterns to GitLab instances
How to Mitigate CVE-2026-2745
Immediate Actions Required
- Upgrade GitLab CE/EE to patched versions 18.8.7, 18.9.3, or 18.10.1 immediately
- Audit authentication logs for any signs of exploitation prior to patching
- Review recent account access for users with WebAuthn 2FA enabled
- Consider temporarily restricting external access to GitLab instances until patches are applied
Patch Information
GitLab has released security patches addressing this vulnerability in versions 18.8.7, 18.9.3, and 18.10.1. Organizations should upgrade to the appropriate patched version based on their current release branch:
- For 18.8.x installations: Upgrade to 18.8.7
- For 18.9.x installations: Upgrade to 18.9.3
- For 18.10.x installations: Upgrade to 18.10.1
Refer to the GitLab Patch Release Announcement for detailed upgrade instructions and additional security fixes included in these releases.
Workarounds
- Restrict network access to GitLab instances using firewall rules or VPN requirements while awaiting patch deployment
- Enable additional authentication controls at the network layer such as IP allowlisting for critical users
- Monitor and audit all authentication events closely for signs of bypass attempts
- Consider implementing time-based one-time password (TOTP) as an additional 2FA method alongside WebAuthn
# Example: Restrict GitLab access via firewall while patching
# Allow only trusted IP ranges to access GitLab
sudo ufw allow from 10.0.0.0/8 to any port 443
sudo ufw allow from 192.168.0.0/16 to any port 443
sudo ufw deny 443
# Verify GitLab version before and after upgrade
gitlab-rake gitlab:env:info | grep "GitLab"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
