Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to invoke unintended server-side methods through websocket connections due to improper access control.
Published: 2026-04-08
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: Unauthorized Method Execution
Action: Immediate Patch
AI Analysis

Impact

GitLab's Community and Enterprise editions contain a flaw that permits an authenticated user to trigger unintended server-side methods through websocket connections. Because access control on these method invocations is improper, such users can call functions that should not be available to them, leading to unauthorized execution of privileged actions. The weakness is classified as CWE-749 (Exposed Dangerous Method or Function).

Affected Systems

All GitLab Community and Enterprise edition releases from 16.9.6 up to 18.8.8, from 18.9.0 through 18.9.4, and from 18.10.0 through 18.10.2 are affected. The recommended fix applies to 18.8.9, 18.9.5, 18.10.3, and later versions.

Risk and Exploitability

The CVSS 3.1 score of 8.5 indicates high severity. Exploitation requires the attacker to be authenticated and to send crafted websocket frames to the GitLab server; the network attack vector is inferred from the description's reference to websocket connections. No public exploit-probability data (EPSS) is available, but the high score and the potential for unauthorized method execution make remediation urgent.

Generated by OpenCVE AI on April 9, 2026 at 00:22 UTC.

Remediation

Vendor Solution

Upgrade to version 18.8.9, 18.9.5, 18.10.3 or later.

OpenCVE Recommended Actions

  • Upgrade GitLab to a fixed release (18.8.9, 18.9.5, 18.10.3 or newer).
  • Verify that the upgrade includes all security patches for the affected builds.
  • Restrict access to the websocket endpoint so that only authorized users can send frames to the server.
  • Monitor logs for unusual websocket activity or unexpected method calls that could indicate exploitation attempts.



Advisories

No advisories yet.

History

Wed, 08 Apr 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | - | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to invoke unintended server-side methods through websocket connections due to improper access control.
Title | - | Exposed Dangerous Method or Function in GitLab
First Time appeared | - | Gitlab; Gitlab gitlab
Weaknesses | - | CWE-749
CPEs | - | cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products | - | Gitlab; Gitlab gitlab
References | - | -
Metrics | - | cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-08T22:25:12.946Z

Reserved: 2026-03-30T16:33:59.755Z

Link: CVE-2026-5173

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-08T23:17:00.220

Modified: 2026-04-08T23:17:00.220

Link: CVE-2026-5173

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:25:42Z

Weaknesses