Description
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to enforce administrator authorization on the {{setDefaultInstance}} call within the {{/gitlab connect}} command handler, which allows any authenticated user to overwrite the global default GitLab instance configuration via the {{/gitlab connect <instance-name>}} slash command.. Mattermost Advisory ID: MMSA-2026-00644
Published: 2026-06-22
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mattermost fails to enforce administrator authorization when users invoke the /gitlab connect command, allowing any authenticated user to overwrite the global default GitLab instance configuration. The resulting misconfiguration could redirect the integration to malicious or unintended GitLab instances, potentially exposing organizational data or compromising the integration flow.

Affected Systems

The vulnerability is present in Mattermost versions 11.7.x up to 11.7.0, 11.6.x up to 11.6.2, 11.5.x up to 11.5.5, 10.11.x up to 10.11.17 and all earlier releases in those series. These versions allow the abuse of the setDefaultInstance call within the /gitlab connect command handler.

Risk and Exploitability

The CVSS score of 5.4 puts the issue in the medium severity range. EPSS information is not available and the vulnerability is not listed in CISA's KEV catalog, indicating no confirmed exploitation yet. The likely attack path requires an authenticated user to send a slash command, which is readily available to any Mattermost member, making the vulnerability easy to exploit under normal user conditions.

Generated by OpenCVE AI on June 22, 2026 at 15:06 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.8.0, 11.7.1, 11.6.3, 11.5.6, 10.11.18 or higher.


OpenCVE Recommended Actions

  • Update Mattermost to the latest released version—such as 11.8.0, 11.7.1, 11.6.3, 11.5.6, or 10.11.18 or newer—to apply the proper authorization check that fixes the CWE‑862 flaw.
  • If a patch cannot be applied immediately, configure the Mattermost slash command system to restrict the /gitlab connect command so that only users with administrator privileges can run it, or disable the command entirely as a temporary safeguard against this authorization bypass.
  • After applying the update or workaround, verify the default GitLab instance configuration, review audit logs for unauthorized usage of the /gitlab connect command, and document any changes detected.

Generated by OpenCVE AI on June 22, 2026 at 15:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
History

Mon, 22 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Mon, 22 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to enforce administrator authorization on the {{setDefaultInstance}} call within the {{/gitlab connect}} command handler, which allows any authenticated user to overwrite the global default GitLab instance configuration via the {{/gitlab connect <instance-name>}} slash command.. Mattermost Advisory ID: MMSA-2026-00644
Title GitLab Plugin Allows Non-Admin Users to Modify Default Instance Configuration
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


Subscriptions

Mattermost Mattermost
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-06-22T15:39:29.821Z

Reserved: 2026-03-30T11:29:16.698Z

Link: CVE-2026-5139

cve-icon Vulnrichment

Updated: 2026-06-22T15:39:22.950Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T15:45:03Z

Weaknesses