SB2026012124 - Multiple vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE)

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2025-13927)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in Jira Connect integration. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

2) Incorrect authorization (CVE-ID: CVE-2025-13928)

The vulnerability allows a remote attacker to bypass authorization process.

The vulnerability exists due to incorrect authorization in Releases API. A remote attacker can perform a denial of service (DoS) attack on the target system.

3) Unchecked Return Value (CVE-ID: CVE-2026-0723)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to unchecked return value in authentication services. A remote attacker can submit forged device responses and bypass two-factor authentication.

4) Infinite loop (CVE-ID: CVE-2025-13335)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in Wiki redirects. A remote user can consume all available system resources and cause denial of service conditions.

5) Input validation error (CVE-ID: CVE-2026-1102)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in API endpoint. A remote attacker can send specially crafted SSH authentication requests and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/