Improper Authorization in Mattermost Allows Unauthorized Configuration Changes
CVE-2026-5139
5.4 MEDIUM
What is CVE-2026-5139?
Mattermost versions 11.7.x prior to 11.7.0, 11.6.x prior to 11.6.2, 11.5.x prior to 11.5.5, and 10.11.x prior to 10.11.17 fail to enforce a system administrator authorization check in the setDefaultInstance call of the /gitlab connect slash-command handler. Because the handler only verifies that the caller is authenticated, any logged-in user can run /gitlab connect and overwrite the global default GitLab instance configuration, a server-wide setting that should be writable only by administrators. For more information, refer to the Mattermost security advisory.
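The pattern behind this advisory, shown as an added stand-alone Go illustration (not code from Mattermost or its GitLab plugin): a slash-command handler that writes a global setting after checking only that a caller exists, beside the same handler with the missing system-admin check. The Caller, PluginConfig, HandleConnect and setDefaultInstance* names are hypothetical; the one real detail relied on is that Mattermost stores a user's roles as a space-separated string such as "system_user system_admin".

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Caller is a hypothetical model of the parts of a Mattermost user a command
// handler sees. Roles is a space-separated role string, as Mattermost stores it.
type Caller struct {
	UserID string
	Roles  string
}

// PluginConfig is a hypothetical model of plugin-wide (not per-user) configuration.
type PluginConfig struct {
	DefaultGitLabInstance string
}

// ErrNotAuthorized is returned when a non-admin tries to change global config.
var ErrNotAuthorized = errors.New("only a system administrator may change the default GitLab instance")

// IsSystemAdmin checks for the system_admin role. It splits on whitespace and
// compares whole tokens so that a role merely containing "system_admin" as a
// substring does not match.
func IsSystemAdmin(roles string) bool {
	for _, r := range strings.Fields(roles) {
		if r == "system_admin" {
			return true
		}
	}
	return false
}

// setDefaultInstanceVulnerable mirrors the flaw: the caller is authenticated
// (we have a Caller at all), but no authorization check guards the global write.
func setDefaultInstanceVulnerable(cfg *PluginConfig, caller Caller, instance string) error {
	cfg.DefaultGitLabInstance = instance
	return nil
}

// setDefaultInstanceFixed performs the authorization check before the write.
func setDefaultInstanceFixed(cfg *PluginConfig, caller Caller, instance string) error {
	if !IsSystemAdmin(caller.Roles) {
		return ErrNotAuthorized
	}
	cfg.DefaultGitLabInstance = instance
	return nil
}

// HandleConnect is a minimal dispatcher for "/gitlab connect <instance-url>".
// The setter is injected so the vulnerable and fixed variants share one path.
func HandleConnect(cfg *PluginConfig, caller Caller, args []string,
	set func(*PluginConfig, Caller, string) error) (string, error) {
	if len(args) == 0 {
		return "usage: /gitlab connect <instance-url>", nil
	}
	if err := set(cfg, caller, args[0]); err != nil {
		return "", err
	}
	return fmt.Sprintf("default GitLab instance set to %s", cfg.DefaultGitLabInstance), nil
}

func main() {
	// Constructed sample callers: a regular member and a system admin.
	regular := Caller{UserID: "u1", Roles: "system_user"}
	admin := Caller{UserID: "u2", Roles: "system_user system_admin"}
	attackerURL := "https://gitlab.attacker.example"

	cfg := &PluginConfig{DefaultGitLabInstance: "https://gitlab.corp.example"}
	msg, err := HandleConnect(cfg, regular, []string{attackerURL}, setDefaultInstanceVulnerable)
	fmt.Println("vulnerable, regular user:", msg, err) // global config overwritten

	cfg = &PluginConfig{DefaultGitLabInstance: "https://gitlab.corp.example"}
	_, err = HandleConnect(cfg, regular, []string{attackerURL}, setDefaultInstanceFixed)
	fmt.Println("fixed, regular user:", err, "config still", cfg.DefaultGitLabInstance)

	msg, err = HandleConnect(cfg, admin, []string{"https://gitlab.new.example"}, setDefaultInstanceFixed)
	fmt.Println("fixed, admin:", msg, err)
}
```

The check belongs inside the setter, not only in the command parser: any other code path that reaches setDefaultInstance (an API endpoint, a future subcommand) then inherits the same guard, which is the least-privilege fix for a global setting reachable from a user-facing command.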
Affected Version(s)
Mattermost 11.7.0
Mattermost 11.6.0 to 11.6.2 (inclusive)
Mattermost 11.5.0 to 11.5.5 (inclusive)