CVE-2026-5173

Published Apr 8, 2026

Last updated 17 hours ago

CVSS high 8.5

Overview

Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to invoke unintended server-side methods through websocket connections due to improper access control.
Source
cve@gitlab.com
NVD status
Analyzed
Products
gitlab

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.5
Impact score
4.7
Exploitability score
3.1
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Severity
HIGH

Weaknesses

cve@gitlab.com
CWE-749

Social media

Hype score
Not currently trending

  1. ⚠️ Vulnerabilidades en productos GitLab ❗ CVE-2026-5173 ❗ CVE-2026-1092 ❗ CVE-2025-12664 ➡️ Más info: https://t.co/3GU5SIpUvx https://t.co/D1iCzaS7Aq

    @CERTpy

    16 Apr 2026

    107 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2026-5173, CVE-2026-1092, CVE-2025-12664 and other: Vulnerabilities in GitLab CE and EE, up to 8.5 rating 🔥 Several vulnerabilities in GitLab could compromise code integrity and allow an unauthenticated user to cause denial of service. 👉https://t.co/Zbj1GEqSyV https:/

    @Netlas_io

    11 Apr 2026

    500 Impressions

    2 Retweets

    3 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with custom role permissions to demote or remove higher-privileged group members due to improper authorization checks on member management operations.CVE-2026-4916
  2. GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary JavaScript in the context of other users' browsers due to improper input sanitization.CVE-2026-4332
  3. GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user with auditor privileges to modify vulnerability flag data in private projects due to incorrect authorization.CVE-2026-2619
  4. GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to access confidential issues assigned to other users via CSV export due to insufficient authorization checks.CVE-2026-2104
  5. GitLab has remediated an issue in GitLab EE affecting all versions from 11.3 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with developer-role permissions to modify protected environment settings due to improper authorization checks in the API.CVE-2026-1752

References

Sources include official advisories and independent security research.