CVE-2026-5173
Published: 08 April 2026
Summary
CVE-2026-5173 is a high-severity Exposed Dangerous Method or Function (CWE-749) vulnerability in Gitlab Gitlab. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-5173 is an improper access control vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE), affecting all versions from 16.9.6 prior to 18.8.9, 18.9 prior to 18.9.5, and 18.10 prior to 18.10.3. The flaw enables an authenticated user to invoke unintended server-side methods through WebSocket connections, as disclosed on 2026-04-08.
An attacker requires only a low-privilege authenticated account (PR:L) to exploit this over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation changes scope (S:C), resulting in high confidentiality impact (C:H) through unauthorized access to sensitive data, low integrity impact (I:L), and no availability impact (A:N), yielding a CVSS v3.1 base score of 8.5. The issue maps to CWE-749 (Exposed Dangerous Method or Function).
GitLab has remediated the vulnerability via patches, including the release of GitLab 18.10.3, as documented in their patch release notes at https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/. Further technical details are available in GitLab work item 588959 at https://gitlab.com/gitlab-org/gitlab/-/work_items/588959. Affected instances should be upgraded to patched versions to prevent exploitation.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-20802
Vulnerability details
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to invoke unintended server-side methods through websocket connections due to improper…
more
access control.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability in the public-facing GitLab application allows an authenticated low-privilege user to invoke unintended server-side methods via WebSocket, directly enabling exploitation of a public-facing app (T1190) and resulting in scope-changing unauthorized sensitive data access that facilitates privilege escalation (T1068).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces approved authorizations for logical access, preventing authenticated users from invoking unintended server-side methods through WebSocket connections due to improper access control.
Limits user privileges to the minimum necessary, reducing the scope and impact of exploitation by low-privilege authenticated accounts accessing sensitive data.
Requires timely identification, prioritization, and remediation of flaws like this CVE through patching to GitLab versions 18.8.9, 18.9.5, or 18.10.3.