CVE-2026-2745 in Community Edition
Summary
by MITRE • 03/25/2026
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 7.11 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to bypass WebAuthn two-factor authentication and gain unauthorized access to user accounts due to inconsistent input validation in the authentication process.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 04/01/2026
The vulnerability identified as CVE-2026-2745 represents a critical authentication bypass flaw within GitLab's two-factor authentication system that affects multiple version ranges across both Community and Enterprise editions. This security weakness stems from inconsistent input validation mechanisms during the WebAuthn authentication process, creating a pathway for unauthenticated attackers to circumvent the intended security controls. The affected versions span from 7.11 through 18.8.6, 18.9 through 18.9.2, and 18.10 through 18.10.0, indicating a long-standing issue that persisted across numerous releases. The flaw specifically targets the WebAuthn implementation which is designed to provide strong authentication through public key cryptography, making this bypass particularly concerning as it undermines the fundamental security guarantees of the two-factor authentication system.
The technical root cause of this vulnerability lies in the improper validation of authentication inputs within GitLab's WebAuthn authentication flow. When users attempt to authenticate using WebAuthn credentials, the system should rigorously validate all input parameters to ensure they conform to expected formats and security requirements. However, the inconsistent validation logic allows malicious input to pass through undetected, potentially enabling attackers to submit crafted authentication requests that bypass the normal WebAuthn verification process. This type of vulnerability maps to CWE-20, which describes "Improper Input Validation" and falls under the broader category of authentication bypass vulnerabilities that can have severe consequences in identity management systems. The flaw essentially creates a condition where the authentication system fails to properly verify the legitimacy of authentication responses, allowing unauthorized access to user accounts that should require valid WebAuthn credentials.
The operational impact of this vulnerability extends beyond simple unauthorized access, as it represents a fundamental breakdown in GitLab's security architecture that could lead to complete account compromise. An unauthenticated attacker could potentially exploit this weakness to gain access to user accounts without needing valid credentials or WebAuthn tokens, effectively neutralizing the two-factor authentication protection that users rely on for security. This vulnerability particularly affects organizations that depend on GitLab for source code management and collaboration, where compromised accounts could lead to unauthorized code changes, data exfiltration, or system compromise. The risk is amplified because WebAuthn is typically implemented as a security enhancement, and bypassing it undermines the entire security posture of the platform. According to ATT&CK framework, this vulnerability could be categorized under T1078 for Valid Accounts and T1566 for Phishing, as it enables unauthorized access that bypasses normal authentication controls and could be exploited through various attack vectors including social engineering or direct exploitation.
Mitigation strategies for CVE-2026-2745 should prioritize immediate patching of all affected GitLab installations to the recommended versions that contain the security fixes. Organizations should also implement additional monitoring and detection measures to identify potential exploitation attempts, particularly focusing on authentication logs for unusual patterns or multiple failed authentication attempts that might indicate exploitation attempts. Network segmentation and access controls should be reviewed to limit the potential impact of compromised accounts, while security teams should consider implementing additional authentication layers beyond WebAuthn to provide defense in depth. Regular security assessments of authentication systems and input validation mechanisms should be conducted to identify similar inconsistencies that could lead to comparable vulnerabilities. The remediation process should also include thorough testing of the patched systems to ensure that legitimate authentication flows continue to function properly while the vulnerability has been effectively addressed. Organizations that cannot immediately patch should consider disabling WebAuthn authentication temporarily until proper updates can be applied, though this should be balanced against the security implications of reduced authentication strength.