PatchSiren cyber security CVE debrief
CVE-2026-3117 Mattermost CVE debrief
A missing authorization check in the Mattermost GitLab plugin allows authenticated users to perform administrative actions. The vulnerability exists in the plugin's command handlers for `gitlab instance` and `/gitlab webhook` commands, which fail to verify that the invoking user has appropriate permissions before executing instance uninstallation or webhook configuration operations. This represents a classic privilege escalation via missing function-level access control (CWE-862). The affected versions span multiple release branches: 11.5 and earlier, 11.1.5 and earlier, 10.13.11 and earlier, and 11.3.4.0 and earlier. The CVSS 3.1 vector indicates network attack vector, low attack complexity, low privileges required, no user interaction, and high availability impact—consistent with an authenticated user being able to disrupt service by uninstalling GitLab instances or reconfiguring webhooks. Organizations using the Mattermost GitLab plugin should prioritize updating to patched versions and review audit logs for unauthorized command usage.
- Vendor: Mattermost
- Product: Unknown
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-18
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-18
- Advisory updated: 2026-05-18
Who should care
Organizations running Mattermost with the GitLab plugin enabled, particularly those with large user bases where low-privileged users have access to slash commands. Security teams responsible for collaboration platform hardening and plugin security governance.
Technical summary
The Mattermost GitLab plugin's command processing logic lacks proper permission validation for administrative operations. Specifically, the `gitlab instance` command handler permits instance uninstallation without verifying administrator privileges, and the `/gitlab webhook` command handler allows webhook connection setup without appropriate access control checks. The vulnerability affects plugin versions bundled with Mattermost server releases 11.5, 11.1.5, 10.13.11, 11.3.4.0 and earlier. Exploitation requires authenticated network access with low-privileged user credentials. Successful exploitation can result in denial of service through GitLab instance removal or unauthorized webhook configuration that may disrupt integrations.
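The control the summary describes as missing is an authorization gate on state-changing subcommands, evaluated before the handler does any work. The Go program below is an added example written for this debrief, not code from the Mattermost GitLab plugin or from Mattermost: it stands in for the plugin API's permission query with a hypothetical PermissionChecker interface so it compiles without the Mattermost module, and every subcommand name other than `instance` and `webhook` is constructed. It shows an unchecked dispatcher beside the gated one so the difference is visible in a single place.

```go
package main

import (
	"fmt"
	"strings"
)

// PermissionChecker is a hypothetical stand-in for the server-side permission
// query a plugin would make (assumption for this example: the real plugin
// API is not used, so the program builds without the Mattermost module).
type PermissionChecker interface {
	IsSystemAdmin(userID string) bool
}

// StaticChecker is a constructed in-memory checker for the example.
type StaticChecker struct{ Admins map[string]bool }

func (s StaticChecker) IsSystemAdmin(userID string) bool { return s.Admins[userID] }

// AdminOnly lists the subcommands that change plugin-wide state: removing an
// instance or wiring a webhook. Everything else is treated as a per-user action.
var AdminOnly = map[string]bool{
	"instance uninstall": true,
	"webhook add":        true,
	"webhook remove":     true,
}

// subcommand normalises "/gitlab instance uninstall <url>" to "instance uninstall"
// so the gate keys on the operation, not on its arguments.
func subcommand(commandLine string) string {
	fields := strings.Fields(strings.TrimPrefix(strings.TrimSpace(commandLine), "/gitlab"))
	if len(fields) > 2 {
		fields = fields[:2]
	}
	return strings.Join(fields, " ")
}

// execute is the shared body that performs the action. It is deliberately
// trivial: the point of the example is who is allowed to reach it.
// "me" and "help" are constructed per-user subcommands.
func execute(sub string) (string, bool) {
	switch sub {
	case "instance uninstall":
		return "instance removed", true
	case "webhook add", "webhook remove":
		return "webhook updated", true
	case "me", "help":
		return "ok", true
	default:
		return "unknown subcommand", false
	}
}

// HandleCommandUnchecked models the weakness class (CWE-862): the handler
// trusts that anyone who can type the slash command may run any subcommand.
func HandleCommandUnchecked(_ PermissionChecker, _ string, commandLine string) (string, bool) {
	return execute(subcommand(commandLine))
}

// HandleCommand is the hardened form: administrative subcommands are gated on
// system-admin status before any work happens, and the denial is recorded
// with enough context to be reviewed later.
func HandleCommand(pc PermissionChecker, userID, commandLine string) (string, bool) {
	sub := subcommand(commandLine)
	if AdminOnly[sub] && !pc.IsSystemAdmin(userID) {
		fmt.Printf("audit: denied user=%s subcommand=%q\n", userID, sub)
		return "Permission denied: this command requires system administrator privileges.", false
	}
	return execute(sub)
}

func main() {
	pc := StaticChecker{Admins: map[string]bool{"admin-1": true}}
	for _, c := range []struct{ user, cmd string }{
		{"user-7", "/gitlab instance uninstall https://gitlab.example.invalid"},
		{"admin-1", "/gitlab instance uninstall https://gitlab.example.invalid"},
		{"user-7", "/gitlab me"},
	} {
		msg, ran := HandleCommand(pc, c.user, c.cmd)
		fmt.Printf("%s %q -> ran=%v (%s)\n", c.user, c.cmd, ran, msg)
	}
}
```

The design choice worth copying is that the gate keys on a fixed allow-list of administrative operations (AdminOnly) rather than on a deny-list, so a new state-changing subcommand added later is unprivileged only if someone deliberately leaves it out of the list, and that the permission query happens before any side effect.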
Defensive priority
medium
Recommended defensive actions
- Upgrade Mattermost GitLab plugin to a version containing the fix for MMSA-2026-00600
- Review Mattermost audit logs for unauthorized use of `gitlab instance` or `/gitlab webhook` commands by non-administrative users
- Verify that plugin command handlers enforce role-based access controls appropriate to the operation's sensitivity
- Consider implementing additional command-level logging for GitLab plugin administrative functions pending patch deployment
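For the audit-log review step above, the following Go program is an added example for this debrief, not a Mattermost tool. It reads JSON-lines audit records and reports every `instance` or `webhook` invocation of `/gitlab` by a user who does not hold the `system_admin` role. The record shape (`timestamp`, `user_id`, `roles`, `command`) is an assumption chosen for the example rather than the server's real audit schema, and the four log lines are constructed input; map the struct fields to whatever your audit export actually contains.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuditEvent is a simplified, assumed shape for one audit record. The field
// names are an assumption for this example, not the server's audit schema.
type AuditEvent struct {
	Timestamp string `json:"timestamp"`
	UserID    string `json:"user_id"`
	Roles     string `json:"roles"`   // space-separated role names
	Command   string `json:"command"` // the slash command as typed
}

// Finding records one administrative /gitlab subcommand used by a non-admin.
type Finding struct {
	Timestamp, UserID, Command string
}

// adminSubcommands are the /gitlab subcommand groups the advisory identifies
// as administrative; any invocation of them by a non-admin is worth a look.
var adminSubcommands = map[string]bool{"instance": true, "webhook": true}

func isAdmin(roles string) bool {
	for _, r := range strings.Fields(roles) {
		if r == "system_admin" {
			return true
		}
	}
	return false
}

// isAdminSubcommand checks that the command is /gitlab followed by one of the
// administrative subcommand groups (first word after the command name).
func isAdminSubcommand(cmd string) bool {
	fields := strings.Fields(cmd)
	if len(fields) < 2 || fields[0] != "/gitlab" {
		return false
	}
	return adminSubcommands[fields[1]]
}

// FindUnauthorizedUses parses one JSON object per line and returns the
// findings in log order. A malformed line aborts the run with its line
// number rather than being silently skipped.
func FindUnauthorizedUses(lines []string) ([]Finding, error) {
	var out []Finding
	for i, line := range lines {
		if strings.TrimSpace(line) == "" {
			continue
		}
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		if isAdminSubcommand(ev.Command) && !isAdmin(ev.Roles) {
			out = append(out, Finding{ev.Timestamp, ev.UserID, ev.Command})
		}
	}
	return out, nil
}

// SampleLog is constructed input for the example (not real audit data).
var SampleLog = []string{
	`{"timestamp":"2026-05-18T09:12:01Z","user_id":"u-alice","roles":"system_user","command":"/gitlab me"}`,
	`{"timestamp":"2026-05-18T09:13:44Z","user_id":"u-bob","roles":"system_user","command":"/gitlab instance uninstall https://gitlab.example.invalid"}`,
	`{"timestamp":"2026-05-18T09:15:02Z","user_id":"u-carol","roles":"system_user system_admin","command":"/gitlab webhook add group/project"}`,
	`{"timestamp":"2026-05-18T09:16:30Z","user_id":"u-dave","roles":"system_user","command":"/gitlab webhook add group/project"}`,
}

func main() {
	findings, err := FindUnauthorizedUses(SampleLog)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s user=%s command=%q\n", f.Timestamp, f.UserID, f.Command)
	}
}
```

On the constructed sample the report lists u-bob and u-dave; u-carol is skipped because she holds system_admin, and u-alice because `/gitlab me` is not an administrative subcommand. Run it against a real export only after adjusting the struct tags to the export's field names.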
Evidence notes
CVE description confirms permission check failure in GitLab plugin commands. CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H aligns with authenticated disruption scenario. Mattermost advisory ID MMSA-2026-00600 cited in source. CWE-862 (Missing Authorization) identified in NVD weakness data.
Official resources
- CVE-2026-3117 CVE record (CVE.org)
- CVE-2026-3117 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-18