CVE-2025-11984

Published: Dec 11, 2025Modified: Dec 23, 2025

6.8

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 1.6 / Impact: 5.2

Source: cve@gitlab.com (Secondary)

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain conditions.

Affected (6)

Products: Gitlab: Gitlab

Gitlab

1 product

Gitlab

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	From 13.1.0 to 18.4.6
Gitlab Gitlab	From 18.5.0 to 18.5.4
Gitlab Gitlab	From 18.6.0 to 18.6.2
Gitlab Gitlab	From 13.1.0 to 18.4.6
Gitlab Gitlab	From 18.5.0 to 18.5.4
Gitlab Gitlab	From 18.6.0 to 18.6.2

Related CWEs

CWE-288

Authentication Bypass Using an Alternate Path or Channel

A product requires authentication, but the product has an alternate path or channel that does not require authentication.

References (3)

https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/

Source: cve@gitlab.com

Release NotesVendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/577847

Source: cve@gitlab.com

Broken Link

https://hackerone.com/reports/3322714

Source: cve@gitlab.com

Permissions Required

Timeline

No history available yet.