Impact
The Mattermost GitLab plugin, in versions up to and including 11.5, 11.1.5, 10.13.11, and 11.3.4.0, performs no authorization check before handling its slash commands. Any registered user, with no admin role, can invoke /gitlab instance {option} or /gitlab webhook {option}, which uninstall plugin instances or configure webhook connections. Because these are administrative configuration operations that affect the whole workspace, a non-admin user can alter or remove the integration for everyone, compromising the integrity of the Mattermost environment and its connection to GitLab. The weakness is CWE-862, Missing Authorization.
Affected Systems
The affected product is the Mattermost GitLab plugin; versions up to and including 11.5, 11.1.5, 10.13.11, and 11.3.4.0 are vulnerable. The plugin is used by Mattermost teams to integrate with GitLab and to manage the webhooks that carry GitLab events into Mattermost.
Risk and Exploitability
The CVSS score of 6.5 corresponds to medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only an authenticated Mattermost account; no administrative rights are needed. A user who issues one of the affected commands can remove plugin instances or register new webhooks, degrading availability of the integration and potentially directing webhook traffic to endpoints the administrator never approved. The commands are entered through the ordinary Mattermost client, so the flaw is reachable over the network by any account holder rather than requiring local access to the server, and the impact is significant wherever the GitLab integration is relied upon.
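As an added illustration, not the plugin's own code, of the flaw described under Impact and the exploitation path above: a minimal Go slash-command handler with the two privileged subcommands the advisory names, dispatched once without an authorization check (the CWE-862 pattern) and once with the check placed before dispatch. The Plugin, Caller, parse and privileged names, the in-memory state, and the constructed commands are assumptions for the example; a real plugin would obtain the caller's role from the server rather than from a struct field.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Caller is what a command handler knows about the user who issued the
// command. Constructed for this example; the real role lookup is server-side.
type Caller struct {
	UserID        string
	IsSystemAdmin bool
}

// Plugin holds the integration state that the privileged subcommands modify
// (assumed in-memory state for illustration).
type Plugin struct {
	Instances map[string]bool // installed GitLab instances, keyed by alias
	Webhooks  []string        // configured webhook targets
}

var errUnauthorized = errors.New("unauthorized: system admin required")

// privileged lists the subcommands that reconfigure the integration for
// every user of the workspace and therefore need an admin check.
var privileged = map[string]bool{"instance": true, "webhook": true}

// parse splits "/gitlab <subcommand> <args...>" into its parts.
func parse(cmd string) (string, []string, error) {
	fields := strings.Fields(cmd)
	if len(fields) < 2 || fields[0] != "/gitlab" {
		return "", nil, fmt.Errorf("not a /gitlab command: %q", cmd)
	}
	return fields[1], fields[2:], nil
}

// apply performs the subcommand. It trusts that authorization has already
// happened, which is exactly what the vulnerable handler gets wrong.
func (p *Plugin) apply(sub string, args []string) (string, error) {
	switch sub {
	case "instance":
		if len(args) == 2 && args[0] == "uninstall" {
			delete(p.Instances, args[1])
			return "uninstalled instance " + args[1], nil
		}
	case "webhook":
		if len(args) == 2 && args[0] == "add" {
			p.Webhooks = append(p.Webhooks, args[1])
			return "added webhook " + args[1], nil
		}
	case "help":
		return "usage: /gitlab instance|webhook ...", nil
	}
	return "", fmt.Errorf("unsupported: %s %v", sub, args)
}

// HandleVulnerable mirrors the flaw: the subcommand is dispatched on its text
// alone, so any registered user reaches apply() and its privileged branches.
func (p *Plugin) HandleVulnerable(c Caller, cmd string) (string, error) {
	sub, args, err := parse(cmd)
	if err != nil {
		return "", err
	}
	return p.apply(sub, args)
}

// HandleFixed checks the caller's role before any privileged subcommand is
// dispatched, so every branch under "instance" and "webhook" is covered by
// one check rather than relying on each branch to remember it.
func (p *Plugin) HandleFixed(c Caller, cmd string) (string, error) {
	sub, args, err := parse(cmd)
	if err != nil {
		return "", err
	}
	if privileged[sub] && !c.IsSystemAdmin {
		return "", fmt.Errorf("%w (user %s, subcommand %s)", errUnauthorized, c.UserID, sub)
	}
	return p.apply(sub, args)
}

func main() {
	alice := Caller{UserID: "alice"} // ordinary registered user, not an admin
	cmd := "/gitlab instance uninstall prod"

	vuln := &Plugin{Instances: map[string]bool{"prod": true}}
	out, err := vuln.HandleVulnerable(alice, cmd)
	fmt.Printf("vulnerable: out=%q err=%v remaining=%v\n", out, err, vuln.Instances)

	fixed := &Plugin{Instances: map[string]bool{"prod": true}}
	out, err = fixed.HandleFixed(alice, cmd)
	fmt.Printf("fixed:      out=%q err=%v remaining=%v\n", out, err, fixed.Instances)
}
```

The point of the fixed variant is where the check sits: before the switch, keyed on the subcommand, so adding a new "instance" or "webhook" option later cannot silently reopen the hole. Non-privileged subcommands such as help still work for every user.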
OpenCVE Enrichment