CVE-2026-5173
Published: 08 April 2026
Summary
CVE-2026-5173 is a high-severity Exposed Dangerous Method or Function (CWE-749) vulnerability in Gitlab Gitlab. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly enforces approved authorizations for logical access, preventing authenticated users from invoking unintended server-side methods through WebSocket connections due to improper access control.
Limits user privileges to the minimum necessary, reducing the scope and impact of exploitation by low-privilege authenticated accounts accessing sensitive data.
Requires timely identification, prioritization, and remediation of flaws like this CVE through patching to GitLab versions 18.8.9, 18.9.5, or 18.10.3.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability in the public-facing GitLab application allows an authenticated low-privilege user to invoke unintended server-side methods via WebSocket, directly enabling exploitation of a public-facing app (T1190) and resulting in scope-changing unauthorized sensitive data access that facilitates privilege escalation (T1068).
NVD Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to invoke unintended server-side methods through websocket connections due to improper…
more
access control.
Deeper analysisAI
CVE-2026-5173 is an improper access control vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE), affecting all versions from 16.9.6 prior to 18.8.9, 18.9 prior to 18.9.5, and 18.10 prior to 18.10.3. The flaw enables an authenticated user to invoke unintended server-side methods through WebSocket connections, as disclosed on 2026-04-08.
An attacker requires only a low-privilege authenticated account (PR:L) to exploit this over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation changes scope (S:C), resulting in high confidentiality impact (C:H) through unauthorized access to sensitive data, low integrity impact (I:L), and no availability impact (A:N), yielding a CVSS v3.1 base score of 8.5. The issue maps to CWE-749 (Exposed Dangerous Method or Function).
GitLab has remediated the vulnerability via patches, including the release of GitLab 18.10.3, as documented in their patch release notes at https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/. Further technical details are available in GitLab work item 588959 at https://gitlab.com/gitlab-org/gitlab/-/work_items/588959. Affected instances should be upgraded to patched versions to prevent exploitation.
Details
- CWE(s)