GitLab CE/EE websocket access bypass (CVE-2026-5173)

Overview

A high-severity improper access control vulnerability, tracked as CVE-2026-5173, has been patched in GitLab Community and Enterprise Editions (CE/EE). This flaw affects a wide range of versions and could allow an authenticated user to invoke unintended server-side methods through websocket connections.

Vulnerability Details

The vulnerability stems from insufficient access controls on websocket endpoints. In affected versions, an authenticated user-requiring only low-level privileges-could send crafted requests via a websocket connection. These requests could trigger server-side methods that the user should not have permission to access. The attack can be launched remotely over the network with low complexity and requires no user interaction, making it a reliable vector for exploitation.

Affected Versions

The vulnerability impacts:

• GitLab CE/EE versions 16.9.6 and later, but before 18.8.9
• All versions from 18.9 before 18.9.5
• All versions from 18.10 before 18.10.3

All deployments, including self-managed and GitLab Dedicated instances, are affected. GitLab.com was already running a patched version at the time of disclosure.

Potential Impact

Successful exploitation could allow an attacker to perform unauthorized actions on the GitLab instance. The specific impact depends on which server-side methods are invoked, but it could potentially lead to data exposure, data manipulation, or disruption of service. The high CVSS score of 8.5 reflects the ease of attack and the potential for significant compromise of the application’s integrity and confidentiality.

Remediation and Mitigation

The primary remediation is immediate patching. Administrators must upgrade their GitLab instances to a secure version:

• Upgrade to GitLab CE/EE 18.8.9, 18.9.5, or 18.10.3 or later.

If immediate patching is not possible, consider restricting network access to the GitLab instance as a temporary measure, limiting exposure to trusted networks only. Ensure you are monitoring for unusual websocket activity or unauthorized administrative actions. For the latest on data exposures, review recent breach reports.

Security Insight

This vulnerability highlights the persistent security challenge of correctly implementing authorization checks for real-time communication channels like websockets, which are often added after core application logic. Similar to past incidents in other platforms, it underscores that access control must be consistently enforced across all entry points, not just traditional HTTP request/response cycles. For ongoing developments in such threats, follow security news.

Further Reading

• All High Vulnerabilities
• Recent Critical Vulnerabilities
• Top Critical CVEs