Home / Vulnerability Intelligence / CVE-2026-5173

CVE-2026-5173 - Vulnerability Analysis

HighCVSS: 8.5

Last Updated: April 8, 2026

GitLab CE/EE - Broken Access Control

Published: April 8, 2026Updated: April 8, 2026Remote Exploitable

Overview

GitLab CE/EE >= 16.9.6 < 18.8.9, 18.9 < 18.9.5, and 18.10 < 18.10.3 contain a broken access control vulnerability caused by improper access control in websocket connections, letting authenticated users invoke unintended server-side methods.

Severity & Score

Severity: High

CVSS Score: 8.5

Impact

Authenticated users can invoke unintended server-side methods, potentially leading to unauthorized actions or data access.

Mitigation

Update to GitLab CE/EE 18.8.9, 18.9.5, 18.10.3 or later.

References

https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/
https://gitlab.com/gitlab-org/gitlab/-/work_items/588959

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-5173
Severity: High
CVSS Score: 8.5
Type: broken_access_control
Status: new

CWE

CWE-749

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N