GitLab Product Security Update Advisory (CVE-2026-5173)
Overview.
A vulnerability (CVE-2026-5173) was reported in the GitLab product that allows server-side method calls due to lack of WebSocket access control.
Affected Versions.
- GitLab CE/EE versions 16.9.6 and above but below 18.8.9 are affected.
- GitLab CE/EE versions 18.9 and above but below 18.9.5 are affected.
- GitLab CE/EE versions 18.10 and above but below 18.10.3 are affected.
Vulnerability details and impact.
The vulnerability is due to insufficient access control on GitLab's WebSocket handling, which could allow a remote party to invoke server-side methods.
Successful exploitation could allow an attacker to bypass authentication, perform privileged actions, or disclose sensitive information.
Workaround and patch information.
The vulnerability has been fixed in a GitLab patch release.
The fixed patch versions are GitLab CE/EE 18.8.9, 18.9.5, and 18.10.3.
Reference: GitLab's patch release announcement.
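The version ranges above are easy to misread by hand (for example, 18.8.9 and 18.9.5 are fixed, but 18.9.0 is affected). The following added example, which is not part of the advisory or of GitLab's own code, encodes the ranges from this advisory and reports the minimum fixed version for a given instance. The JSON sample is constructed; the `/api/v4/version` endpoint is the real GitLab REST endpoint that returns the instance version to an authenticated user.

```python
import json
from typing import Optional, Tuple

# Affected ranges from the advisory: (first affected, inclusive) -> (fixed version, exclusive).
AFFECTED_RANGES = [
    ((16, 9, 6), (18, 8, 9)),
    ((18, 9, 0), (18, 9, 5)),
    ((18, 10, 0), (18, 10, 3)),
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Normalise strings such as '18.9.4', 'v18.9', or '18.9.4-ee' to a (major, minor, patch) tuple."""
    core = version.strip().lstrip("v").split("-")[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def fixed_version_for(version: str) -> Optional[str]:
    """Return the minimum fixed version for an affected instance, or None if it is not affected."""
    v = parse_version(version)
    for first_affected, fixed in AFFECTED_RANGES:
        if first_affected <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


def triage_api_response(body: str) -> Optional[str]:
    """Triage the JSON body returned by GET /api/v4/version; returns the fix version or None."""
    return fixed_version_for(json.loads(body)["version"])


if __name__ == "__main__":
    # Constructed sample response; a real response also carries a "revision" field.
    sample = '{"version": "18.9.4-ee", "revision": "0000000"}'
    fix = triage_api_response(sample)
    print("affected, upgrade to", fix) if fix else print("not affected")
```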
Advisory.
Affected GitLab instances should be updated to the patch versions listed above.
Until the patch is applied, review your least-privilege policy and network controls, along with any other mitigation measures already in place.