Home

Description

Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to enforce administrator authorization on the {{setDefaultInstance}} call within the {{/gitlab connect}} command handler, which allows any authenticated user to overwrite the global default GitLab instance configuration via the {{/gitlab connect <instance-name>}} slash command.. Mattermost Advisory ID: MMSA-2026-00644

PUBLISHED Reserved 2026-03-30 | Published 2026-06-22 | Updated 2026-06-22 | Assigner Mattermost




MEDIUM: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Problem types

CWE-862: Missing Authorization

Product status

Default status
unaffected

11.7.0 (semver)
affected

11.6.0 (semver)
affected

11.5.0 (semver)
affected

10.11.0 (semver)
affected

11.8.0
unaffected

11.7.1
unaffected

11.6.3
unaffected

11.5.6
unaffected

10.11.18
unaffected

Credits

hunterxluxhug finder

References

mattermost.com/security-updates (MMSA-2026-00644) vendor-advisory

cve.org (CVE-2026-5139)

nvd.nist.gov (CVE-2026-5139)

Download JSON