EUVD-2026-20802
GHSA-5gj7-3j23-w2h2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Lifecycle Timeline
3Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to invoke unintended server-side methods through websocket connections due to improper access control.
Analysis
Improper access control in GitLab CE/EE 16.9.6-18.10.2 enables authenticated attackers to invoke unauthorized server-side methods via websocket connections, achieving high-severity information disclosure with changed scope. Affects continuous integration/deployment platforms running vulnerable GitLab instances. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all GitLab instances and identify those running versions 16.9.6-18.10.2; immediately restrict websocket access at network boundaries and disable websocket functionality if operationally feasible. Within 7 days: Upgrade to GitLab CE/EE 18.10.3 or later (if patch released) or implement compensating controls; audit CI/CD job logs and pipeline variable access for unauthorized activity. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today