CVE-2026-5139
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, and 10.11.x <= 10.11.17 fail to enforce administrator authorization on the {{setDefaultInstance}} call within the {{/gitlab connect}} command handler, allowing any authenticated user to overwrite the global default GitLab instance configuration via the {{/gitlab connect <instance-name>}} slash command.
Risk Assessment
The lack of proper authorization may lead to unauthorized changes in GitLab configuration, jeopardizing the integrity of the system and the organization's data.
Recommendation
It is recommended to update Mattermost to the latest version to ensure proper administrator authorization and minimize the risk associated with this vulnerability.
Original NVD description (English source)
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to enforce administrator authorization on the {{setDefaultInstance}} call within the {{/gitlab connect}} command handler, which allows any authenticated user to overwrite the global default GitLab instance configuration via the {{/gitlab connect <instance-name>}} slash command.. Mattermost Advisory ID: MMSA-2026-00644

