CVE-2026-5139 · Symaro Security Advisory

Description

Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to enforce administrator authorization on the {{setDefaultInstance}} call within the {{/gitlab connect}} command handler, which allows any authenticated user to overwrite the global default GitLab instance configuration via the {{/gitlab connect }} slash command.. Mattermost Advisory ID: MMSA-2026-00644

Severity (CVSS)

Base score	5.4
Severity	Medium
Version	CVSS 3.1
Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Provided by	CNA

Weaknesses

CWE-862 — CWE-862: Missing Authorization

Affected products

Vendor	Product	Versions
Mattermost	Mattermost	11.7.0 to <=11.7.0; 11.6.0 to <=11.6.2; 11.5.0 to <=11.5.5; 10.11.0 to <=10.11.17; 11.8.0; 11.7.1; 11.6.3; 11.5.6; 10.11.18

References

https://mattermost.com/security-updates (vendor-advisory)

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 22 Jun 2026 14:43 UTC.