Improper Access Control in GitLab Affects Multiple Versions
CVE-2026-5173

8.5HIGH

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 8 April 2026

What is CVE-2026-5173?

An access control issue was discovered in GitLab CE/EE that spanned several versions and could enable authenticated users to exploit websocket connections. This vulnerability resulted from inadequate access restrictions, potentially allowing unauthorized actions within the server. The issue has been addressed in the latest patches, highlighting the importance of regular updates to mitigate such risks.

Affected Version(s)

GitLab 16.9.6 < 18.8.9

GitLab 18.9 < 18.9.5

GitLab 18.10 < 18.10.3

References

https://gitlab.com/gitlab-org/gitlab/-/work_items/588959

https://about.gitlab.com/releases/2026/04/08/patch-releas...

CVSS V3.1

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Mar 30, 2026

Credit

This vulnerability has been discovered internally by GitLab team member Simon Tomlinson

CVE-2026-5173 Data

JSON