GitLab CE/EE websocket access bypass (CVE-2026-5173)
CVE-2026-5173
Authenticated users can invoke unauthorized server-side methods via websocket connections in GitLab CE/EE (16.9.6-18.8.8, 18.9-18.9.4, 18.10-18.10.2), risking data exposure. Upgrade to 18.8.9/18.9.5/18.10.3.
Vendor-confirmed: CVE-2026-5173 is a high-severity improper access control vulnerability in GitLab CE/EE (versions 16.9.6-18.8.8, 18.9-18.9.4, 18.10-18.10.2) that lets authenticated low-privilege users invoke unauthorized server-side methods via websocket connections. Patch now to 18.8.9, 18.9.5, or 18.10.3.
Overview
A high-severity improper access control vulnerability, tracked as CVE-2026-5173, has been patched in GitLab Community and Enterprise Editions (CE/EE). This flaw affects a wide range of versions and could allow an authenticated user to invoke unintended server-side methods through websocket connections.
Vulnerability Details
The vulnerability stems from insufficient access controls on websocket endpoints. In affected versions, an authenticated user with only low privileges could send crafted messages over a websocket connection that trigger server-side methods the user is not permitted to call. The attack can be launched remotely over the network with low complexity and requires no user interaction, which makes it a reliable exploitation vector for anyone holding an account on the instance.
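The pattern behind this class of bug, as an added illustration that is not GitLab's code: a websocket channel that lets the client name the server-side method to run, first without any authorization (vulnerable) and then with an explicit allowlist and per-action policy check (hardened). The `ChannelUser` model, the roles, and the action names are hypothetical.

```ruby
require 'json'

# Hypothetical user model for the illustration: role is :guest, :developer or :admin.
ChannelUser = Struct.new(:name, :role)

# VULNERABLE pattern: the client names the method and the server calls it. There is
# no allowlist and no per-method authorization, so every public method on the
# channel object is reachable by any authenticated user.
class VulnerableChannel
  def initialize(user)
    @user = user
  end

  # Handles one received websocket frame such as {"action":"export_project","id":7}
  def receive(frame)
    data = JSON.parse(frame)
    public_send(data['action'], data) # BUG: unchecked, client-controlled dispatch
  end

  def subscribe_to_issue(data)
    "subscribed #{@user.name} to issue #{data['id']}"
  end

  # Intended to be admin-only, but nothing enforces that here.
  def export_project(data)
    "exported project #{data['id']} for #{@user.name}"
  end
end

# HARDENED pattern: an explicit allowlist maps each action the client may name to
# the authorization rule for it. Unknown actions and failed checks are rejected
# before any server-side method runs.
class HardenedChannel
  ACTIONS = {
    'subscribe_to_issue' => ->(_user) { true },
    'export_project'     => ->(user) { user.role == :admin },
  }.freeze

  def initialize(user)
    @user = user
  end

  def receive(frame)
    data = JSON.parse(frame)
    policy = ACTIONS[data['action']]
    return 'rejected: unknown action' unless policy
    return 'rejected: unauthorized' unless policy.call(@user)

    public_send(data['action'], data)
  end

  def subscribe_to_issue(data)
    "subscribed #{@user.name} to issue #{data['id']}"
  end

  def export_project(data)
    "exported project #{data['id']} for #{@user.name}"
  end
end

if __FILE__ == $PROGRAM_NAME
  guest = ChannelUser.new('mallory', :guest)
  frame = '{"action":"export_project","id":7}'
  puts VulnerableChannel.new(guest).receive(frame) # the guest runs the admin-only action
  puts HardenedChannel.new(guest).receive(frame)   # rejected: unauthorized
end
```

The hardened form makes the authorization decision at the single entry point where the client-chosen action arrives, so a new method added to the channel later is unreachable until someone deliberately adds it to `ACTIONS` with a policy. That is the property an after-the-fact websocket layer tends to lose when it reuses method dispatch without reusing the application's permission checks.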
Affected Versions
The vulnerability impacts:
- GitLab CE/EE versions 16.9.6 and later, but before 18.8.9
- All versions from 18.9 before 18.9.5
- All versions from 18.10 before 18.10.3
All deployments, including self-managed and GitLab Dedicated instances, are affected. GitLab.com was already running a patched version at the time of disclosure.
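A version check against the ranges listed above, added here as an example and not tooling from GitLab: it takes the version string an instance reports (the `version` field of `GET /api/v4/version`, which carries an `-ee` suffix on Enterprise Edition) and says whether it falls in an affected range. The range table is transcribed from the advisory; the suffix handling is an assumption about how the string is formatted.

```ruby
require 'rubygems' # Gem::Version

# Affected ranges from the advisory: [lower bound inclusive, fixed version exclusive].
# Gem::Version compares segment by segment, so 18.9.0 sorts above 18.8.9 and the
# three ranges do not overlap.
AFFECTED_RANGES = [
  ['16.9.6',  '18.8.9'],
  ['18.9.0',  '18.9.5'],
  ['18.10.0', '18.10.3'],
].freeze

# Returns true if the given GitLab version is vulnerable to CVE-2026-5173.
# An "-ee"/"-ce" edition suffix is stripped first; without that, Gem::Version
# would treat "18.8.2-ee" as a prerelease that sorts below "18.8.2".
def affected_by_cve_2026_5173?(version_string)
  v = Gem::Version.new(version_string.strip.sub(/-(ee|ce)\z/, ''))
  AFFECTED_RANGES.any? do |lower, fixed|
    v >= Gem::Version.new(lower) && v < Gem::Version.new(fixed)
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[18.8.8 18.8.9 18.9.4-ee 18.10.2 18.10.3 16.9.5].each do |ver|
    puts "#{ver}: #{affected_by_cve_2026_5173?(ver) ? 'AFFECTED' : 'not affected'}"
  end
end
```

Run it against the version reported by each self-managed or Dedicated instance you operate; a result of "not affected" for anything below 16.9.6 reflects the advisory's stated lower bound, not an assurance about older, unsupported releases.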
Potential Impact
Successful exploitation could allow an attacker to perform unauthorized actions on the GitLab instance. The specific impact depends on which server-side methods are invoked, but it could potentially lead to data exposure, data manipulation, or disruption of service. The high CVSS score of 8.5 reflects the ease of attack and the potential for significant compromise of the application’s integrity and confidentiality.
Remediation and Mitigation
The primary remediation is immediate patching. Administrators must upgrade their GitLab instances to a secure version:
- Upgrade to GitLab CE/EE 18.8.9, 18.9.5, or 18.10.3 or later.
If immediate patching is not possible, restrict network access to the GitLab instance as a temporary measure, limiting exposure to trusted networks only. Note that this only narrows who can reach the instance: the flaw is exploitable by any authenticated user, so accounts on trusted networks (and any accounts created through open self-registration) retain the ability to exploit it until the patch is applied. Monitor for unusual websocket activity and for privileged actions performed by low-privilege accounts.
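One concrete form of the websocket monitoring suggested above, added here as an example rather than anything shipped with GitLab: count websocket handshakes (HTTP 101 responses on the cable path) per user in an access log and flag accounts whose handshake rate in any 60-second window exceeds a threshold. The JSON log format and the sample lines are constructed for the example, and the `/-/cable` path is an assumption to adjust to what your proxy actually logs.

```ruby
require 'json'
require 'time'

# Constructed sample log (hypothetical JSON access-log format; not a real GitLab log).
# Websocket handshakes appear as HTTP 101 responses on the cable path.
SAMPLE_LOG = <<~LOG
  {"time":"2026-05-12T10:00:01Z","user":"alice","path":"/-/cable","status":101}
  {"time":"2026-05-12T10:00:02Z","user":"alice","path":"/api/v4/projects","status":200}
  {"time":"2026-05-12T10:00:05Z","user":"mallory","path":"/-/cable","status":101}
  {"time":"2026-05-12T10:00:10Z","user":"mallory","path":"/-/cable","status":101}
  {"time":"2026-05-12T10:00:15Z","user":"mallory","path":"/-/cable","status":101}
  {"time":"2026-05-12T10:00:20Z","user":"mallory","path":"/-/cable","status":101}
  {"time":"2026-05-12T10:00:25Z","user":"mallory","path":"/-/cable","status":101}
  {"time":"2026-05-12T10:00:30Z","user":"mallory","path":"/-/cable","status":101}
  {"time":"2026-05-12T10:00:35Z","user":"mallory","path":"/-/cable","status":101}
  {"time":"2026-05-12T10:02:00Z","user":"bob","path":"/-/cable","status":101}
  {"time":"2026-05-12T10:03:00Z","user":"alice","path":"/-/cable","status":101}
  {"time":"2026-05-12T10:04:00Z","user":"bob","path":"/-/cable","status":101}
  {"time":"2026-05-12T10:06:00Z","user":"bob","path":"/-/cable","status":101}
  {"time":"2026-05-12T10:08:00Z","user":"bob","path":"/-/cable","status":101}
  {"time":"2026-05-12T10:10:00Z","user":"bob","path":"/-/cable","status":101}
  {"time":"2026-05-12T10:12:00Z","user":"bob","path":"/-/cable","status":101}
LOG

# Returns {user => peak handshakes in any `window`-second span} for users whose
# peak exceeds `max`. Timestamps are sorted per user and a sliding window is moved
# over them, so a steady trickle (bob) is not confused with a burst (mallory).
def flag_websocket_bursts(log_text, path: '/-/cable', window: 60, max: 5)
  handshakes = Hash.new { |h, k| h[k] = [] }
  log_text.each_line do |line|
    next if line.strip.empty?

    ev = JSON.parse(line)
    next unless ev['path'] == path && ev['status'] == 101

    handshakes[ev['user']] << Time.iso8601(ev['time'])
  end

  flagged = {}
  handshakes.each do |user, times|
    times.sort!
    start = 0
    peak = 0
    times.each_with_index do |t, i|
      start += 1 while t - times[start] > window # drop events older than the window
      peak = [peak, i - start + 1].max
    end
    flagged[user] = peak if peak > max
  end
  flagged
end

if __FILE__ == $PROGRAM_NAME
  flag_websocket_bursts(SAMPLE_LOG).each do |user, peak|
    puts "#{user}: #{peak} websocket handshakes within 60s"
  end
end
```

A burst of reconnects is only one signal; pair it with the server-side audit trail, since a single long-lived connection can carry many unauthorized method invocations without producing a second handshake.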
Security Insight
This vulnerability highlights the persistent challenge of correctly implementing authorization checks for real-time communication channels like websockets, which are often added after the core application logic and its permission model. As with similar incidents in other platforms, it underscores that access control must be enforced consistently at every entry point, not only in the traditional HTTP request/response cycle.
Update - May 2026
GitLab has released patches for versions 18.8.9, 18.9.5, and 18.10.3 addressing CVE-2026-5173, which allows authenticated users to invoke unintended server-side methods via crafted websocket messages. As of May 12, 2026, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, though monitoring is advised because exploitation likelihood may increase if a public proof of concept appears. The Exploit Prediction Scoring System (EPSS) score has risen slightly from 0.00021 to 0.0003 (7th percentile), reflecting minimal but marginally increased exploitation interest. No related CVEs in the GitLab CE/EE authentication or API surface have been published this month, though defenders should remain vigilant for chained attacks against recently patched GitLab flaws (e.g., CVE-2026-4129, a stored XSS patched in March 2026). No confirmed exploitation in the wild has been reported. Action: upgrade all GitLab instances to the patched versions immediately, monitor websocket connections for anomalous volume or unexpected actions from low-privilege accounts, and review audit logs for privileged actions performed by accounts that should not have been able to perform them.
Related Advisories
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute...
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 affecting Jira Connect installations that could have allowed...
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to execute ...
OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contain a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua usi...