GitLab CE/EE WebSocket exposed method access control bypass

This repository is a small standalone Python proof-of-concept for CVE-2026-5173 targeting GitLab WebSocket/GraphQL functionality. It contains two files: a single executable Python script (CVE-2026-5173.py) and a README with usage, affected versions, and lab setup guidance. The exploit logic is straightforward: it normalizes a supplied target URL, converts it to a WebSocket endpoint by appending /-/cable, sets an Origin header matching the target, connects with the Python websockets library, subscribes to the GitLab ActionCable GraphqlChannel, and then iterates through a hardcoded list of candidate GraphQL methods. For each method it sends an ActionCable message with action=execute and a GraphQL query intended to retrieve user or node data. Responses containing "data" or "result" are treated as signs of successful unauthorized access and printed to stdout. Main capabilities: WebSocket connection to GitLab, GraphqlChannel subscription, enumeration of multiple likely sensitive GraphQL methods, and display of returned data that may include users, projects, namespaces, statistics, or internal/admin-related objects. There is no post-exploitation payload, persistence, shell, or command execution. The script is best characterized as a research PoC for unauthorized data access validation rather than a full weaponized exploit. Notable implementation detail: although the README claims support for a Personal Access Token and the CLI accepts --token, the token is never used in headers, cookies, or messages. That means authentication handling is incomplete in the actual code. Overall, this is a minimal network/web exploit PoC focused on probing GitLab's /-/cable WebSocket endpoint for unauthorized GraphQL method execution and data disclosure.