Description
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to enforce administrator authorization on the {{setDefaultInstance}} call within the {{/gitlab connect}} command handler, which allows any authenticated user to overwrite the global default GitLab instance configuration via the {{/gitlab connect <instance-name>}} slash command.. Mattermost Advisory ID: MMSA-2026-00644
Published: 2026-06-22
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

Vendor Solution

Update Mattermost to versions 11.8.0, 11.7.1, 11.6.3, 11.5.6, 10.11.18 or higher.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://mattermost.com/security-updates cve-icon
History

Mon, 22 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to enforce administrator authorization on the {{setDefaultInstance}} call within the {{/gitlab connect}} command handler, which allows any authenticated user to overwrite the global default GitLab instance configuration via the {{/gitlab connect <instance-name>}} slash command.. Mattermost Advisory ID: MMSA-2026-00644
Title GitLab Plugin Allows Non-Admin Users to Modify Default Instance Configuration
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-06-22T13:34:21.247Z

Reserved: 2026-03-30T11:29:16.698Z

Link: CVE-2026-5139

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses