OFFSITE.DARK

Jun 19, 2026


Sploitus

  • gitlab
  • webauthn
  • auth-bypass
  • cve
  • 2fa

news

GitLab WebAuthn 2FA Bypass (CVE-2026-2745)

Authentication bypass in GitLab WebAuthn 2FA due to inconsistent input validation; indexed on Sploitus Exploits of the week.

Summary

CVE-2026-2745 is an authentication bypass in GitLab CE/EE that allows an attacker to circumvent WebAuthn two-factor authentication due to inconsistent input validation across authentication code paths. Sploitus featured it in Exploits of the week under the title Exploit for Authentication Bypass Using an Alternate Path or Channel in Gitlab. No public weaponized PoC was confirmed at indexing time; Feedly and Tenable report no known public exploits, but the advisory metadata is widely mirrored in exploit search engines.

This coverage cites Sploitus as the weekly index source, not an OFFSITE.DARK release.

Technical Details

GitLab supports WebAuthn (hardware keys, platform authenticators) as a second factor alongside TOTP and recovery codes. The flaw is categorized as CWE-288: Authentication Bypass Using an Alternate Path or Channel.

| Aspect | Detail |
|---|---|
| Root cause | Inconsistent input validation in WebAuthn assertion handling |
| Attack vector | Network; low-privilege account with known primary credentials |
| User interaction | None required after primary credential compromise |
| Fixed releases | 18.8.7, 18.9.3, 18.10.1 (2026-03-25 patch train) |

An attacker who already holds a victim's username and password (via phishing, credential stuffing, or a prior breach) can craft authentication requests that reach a validation path which fails to verify the WebAuthn assertion, completing login without the second factor.

| Branch | Affected | Patched |
|---|---|---|
| 18.8.x | 7.11 → before 18.8.7 | 18.8.7+ |
| 18.9.x | before 18.9.3 | 18.9.3+ |
| 18.10.x | before 18.10.1 | 18.10.1+ |

CVSS 3.1: 6.8 (Medium) per GitLab — AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N. NVD later assigned 8.1 High with PR:L.

CVE

| Field | Value |
|---|---|
| CVE | CVE-2026-2745 |
| CWE | CWE-288 |
| Vendor advisory | GitLab 18.10.1 patch release |
| Disclosure | 2026-03-25 |
| Public PoC | Not confirmed (monitor Sploitus/VulDB indexes) |

Impact

Bypassing WebAuthn 2FA on accounts with only password + WebAuthn enabled yields full account takeover — access to private repositories, CI/CD secrets, deploy tokens, and admin functions for privileged users. Self-managed GitLab instances lagging the March 2026 patch train remain exposed. GitLab.com was patched at release.

Mitigation

  1. Upgrade to GitLab 18.8.7, 18.9.3, or 18.10.1 (or newer supported release) immediately.
  2. Enforce TOTP or recovery codes alongside WebAuthn where policy allows, or temporarily disable WebAuthn 2FA until patched (GitLab advisory mitigation path).
  3. Restrict network access to GitLab during emergency patching; monitor authentication logs for successful logins without WebAuthn challenge completion.
  4. Rotate credentials for high-value accounts if the instance was unpatched since 2026-03-25.
  5. Subscribe to GitLab security releases and re-check Sploitus if a PoC appears.
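The log check from step 3, as an added example that is not part of the original post or of GitLab: it flags successful logins by WebAuthn-enrolled users that are not preceded by a completed WebAuthn challenge within a short window. The event names, field names and sample lines are constructed for this example and are not GitLab's actual log schema; map them to the authentication events your instance emits.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not GitLab's real log format). Field names are
# assumptions for this example: "password_ok" = primary credential accepted,
# "webauthn_ok" = WebAuthn assertion verified, "login_ok" = session issued.
SAMPLE_LOG = """
{"ts":"2026-03-26T08:00:00Z","event":"password_ok","user":"alice","ip":"198.51.100.7"}
{"ts":"2026-03-26T08:00:04Z","event":"webauthn_ok","user":"alice","ip":"198.51.100.7"}
{"ts":"2026-03-26T08:00:05Z","event":"login_ok","user":"alice","ip":"198.51.100.7"}
{"ts":"2026-03-26T09:10:00Z","event":"password_ok","user":"bob","ip":"203.0.113.9"}
{"ts":"2026-03-26T09:10:02Z","event":"login_ok","user":"bob","ip":"203.0.113.9"}
{"ts":"2026-03-26T10:00:00Z","event":"password_ok","user":"carol","ip":"192.0.2.5"}
{"ts":"2026-03-26T10:00:03Z","event":"login_ok","user":"carol","ip":"192.0.2.5"}
"""

# Users whose second factor is WebAuthn (assumed to come from an account export).
WEBAUTHN_USERS = {"alice", "bob"}

# Longest gap tolerated between WebAuthn completion and session issuance.
WINDOW = timedelta(minutes=5)


def parse_events(raw):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in raw.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_logins(events, webauthn_users, window=WINDOW):
    """Return login_ok events for WebAuthn users that have no webauthn_ok for
    the same user within `window` beforehand. Each completion is consumed by
    one login so a single challenge cannot cover several sessions."""
    pending = {}
    suspicious = []
    for e in events:
        if e["event"] == "webauthn_ok":
            pending[e["user"]] = e["ts"]
        elif e["event"] == "login_ok" and e["user"] in webauthn_users:
            seen = pending.pop(e["user"], None)
            if seen is None or e["ts"] - seen > window:
                suspicious.append(e)
    return suspicious


if __name__ == "__main__":
    for e in find_suspicious_logins(parse_events(SAMPLE_LOG), WEBAUTHN_USERS):
        print(f"{e['ts'].isoformat()} {e['user']} from {e['ip']}: login without WebAuthn completion")
```

Only users in the WebAuthn set are evaluated, so accounts without a second factor (carol above) do not create noise; tune the window to your instance's typical challenge latency.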
