CVE-2026-2745

MEDIUM severity · CVSS 6.8 · CWE-288

6.8CVSS MEDIUM

Summary

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 7.11 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to bypass WebAuthn two-factor authentication and gain unauthorized access to user accounts due to inconsistent input validation in the authentication process.

Impact & exploitability

Attack vectorNetwork

Attack complexityHigh

Privileges requiredLow

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactNone

Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected products we track (1)

GitLab

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/Advisory
https://gitlab.com/gitlab-org/gitlab/-/work_items/590810
https://hackerone.com/reports/3557844