CVE-2026-3117

MEDIUM

Instance and webhook GitLab plugin commands were able to be run by non-admin users

Title source: cna
STIX 2.1

Description

Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to properly check for permissions when processing commands in the Gitlab plugin which allows normal users to uninstall instances or setup webhook connections via the {{gitlab instance {option}}} or the {{/gitlab webhook {option}}} commands. Mattermost Advisory ID: MMSA-2026-00600

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory
MMSA-2026-00600
https://mattermost.com/security-updates

Scores

CVSS v3 6.5
EPSS 0.0003
EPSS Percentile 10.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (7)
Mattermost/Mattermost < 10.13.11
Mattermost/Mattermost < 11.1.5
Mattermost/Mattermost < 11.3.4
Mattermost/Mattermost 10.11.14
Mattermost/Mattermost 11.4.4
Mattermost/Mattermost 11.5.2
Mattermost/Mattermost 11.6.0
Published May 18, 2026
Tracked Since May 18, 2026