Platform
gitlab
Component
gitlab
Fixed in
18.8.9
18.9.5
18.10.3
CVE-2026-5173 is an improper access control vulnerability in GitLab CE/EE. An authenticated user can invoke server-side methods over WebSocket connections that the intended access controls should not expose to them. Affected versions are 16.9.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3; fixes ship in 18.8.9, 18.9.5 and 18.10.3. A malicious actor could use the flaw to perform unauthorized actions within GitLab, compromising data integrity and confidentiality. The reported CVSS score is 8.5 (High), so applying the security update promptly is the primary mitigation.
The vulnerability is reached over WebSocket connections, the bidirectional protocol GitLab uses for real-time communication between client and server. An authenticated user could craft WebSocket messages that invoke server-side methods which would normally not be available to them. The impact depends on the authenticated user's existing permissions and on what the invoked methods do; depending on those methods, successful exploitation could result in data modification, unauthorized access to confidential information, or, in the worst case, code execution on the server.
Exploit Status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS Vector
The solution for CVE-2026-5173 is to upgrade to GitLab 18.10.3, 18.9.5 or 18.8.9 (or a later release on the same branch). These releases correct the access control flaw that allowed authenticated users to invoke unintended server-side methods over WebSocket connections; see the release notes for details. GitLab administrators are strongly encouraged to apply the update as soon as possible. Additionally, review GitLab's access policies and permissions so that users hold only the access they require, and monitor GitLab logs for unusual activity that may indicate an exploitation attempt.
Affected versions are GitLab CE/EE from 16.9.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3.
Check your GitLab instance's version (for example with `sudo gitlab-rake gitlab:env:info` on an Omnibus install, or by calling the authenticated `GET /api/v4/version` endpoint) and compare it with the listed vulnerable ranges. You can also consult GitLab's release notes for information about this vulnerability.
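The following Python script is an added example (not from the advisory or from GitLab) that encodes the affected ranges listed above and decides whether a given version string is vulnerable and which release on the same branch fixes it. It accepts either a bare version or a line of `gitlab-rake gitlab:env:info` / `/api/v4/version` output; the sample strings in the demo are constructed, and the helper names (`parse_version`, `is_affected`, `recommended_fix`) are this example's own.

```python
"""Check a GitLab version string against the ranges affected by CVE-2026-5173.

Added example; the affected ranges are the ones the advisory lists.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (inclusive lower bound, exclusive upper bound), as stated in the advisory.
AFFECTED_RANGES = [
    ((16, 9, 6), (18, 8, 9)),    # 16.9.6 before 18.8.9
    ((18, 9, 0), (18, 9, 5)),    # 18.9 before 18.9.5
    ((18, 10, 0), (18, 10, 3)),  # 18.10 before 18.10.3
]

# Lowest patched release on each fixed branch.
FIXED_VERSIONS = ["18.8.9", "18.9.5", "18.10.3"]


def parse_version(text: str) -> Optional[Version]:
    """Extract MAJOR.MINOR.PATCH from '18.9.4', '18.9.4-ee', a
    'Version:\t18.9.4-ee' line from gitlab-rake, or the JSON body of
    /api/v4/version. Returns None when no version is present."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True when the version falls inside any affected range."""
    v = parse_version(text)
    if v is None:
        raise ValueError(f"no version found in {text!r}")
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(text: str) -> Optional[str]:
    """Lowest fixed release on the instance's own MAJOR.MINOR branch, or None
    when the instance is not affected. Branches older than 18.8 (e.g. 17.x)
    have no patched release of their own, so the oldest fixed branch is
    returned for them."""
    v = parse_version(text)
    if v is None or not is_affected(text):
        return None
    for fixed in FIXED_VERSIONS:
        f = parse_version(fixed)
        if f is not None and f[:2] == v[:2]:
            return fixed
    return FIXED_VERSIONS[0]


if __name__ == "__main__":
    # Constructed samples shaped like real output; not captured from any instance.
    samples = [
        "Version:\t18.9.4-ee",                     # gitlab-rake gitlab:env:info line
        '{"version":"18.10.3","revision":"..."}',  # /api/v4/version body
        "17.5.0",
    ]
    for s in samples:
        state = "AFFECTED" if is_affected(s) else "not affected"
        print(f"{s!r}: {state}, upgrade to {recommended_fix(s)}")
```

Range boundaries are half-open, so the fixed releases themselves (18.8.9, 18.9.5, 18.10.3) report as not affected while the release immediately before each one does; extend `AFFECTED_RANGES` if GitLab later publishes additional backport branches.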
If you cannot update immediately, consider temporary mitigation measures such as restricting who can open WebSocket connections to the instance (for example at the reverse proxy) and monitoring GitLab logs for unusual activity. Note that blocking WebSocket traffic also disables GitLab's legitimate real-time features, so treat it as a short-term measure until the upgrade is applied.
Some vulnerability scanning tools may detect this vulnerability. Consult your scanning tool's documentation for more information.
You can find more information about this vulnerability in the GitLab security advisory: [Link to GitLab security advisory]