GitLab has patched a critical vulnerability that meant static passwords were inadvertently set during OmniAuth-based registration – putting accounts at risk of malicious takeover.