CVE-2026-3117
Description
Mattermost Plugins versions <=11.5, 11.1.5, 10.13.11, 11.3.4.0 fail to properly check for permissions when processing commands in the GitLab plugin, which allows normal users to uninstall instances or set up webhook connections via the {{gitlab instance {option}}} or the {{/gitlab webhook {option}}} commands. Mattermost Advisory ID: MMSA-2026-00600
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mattermost GitLab plugin fails to enforce permissions, allowing normal users to uninstall instances or set up webhooks via commands.
The Mattermost GitLab plugin in versions <=11.5, 11.1.5, 10.13.11, 11.3.4.0 lacks proper permission checks when processing certain commands. Specifically, the {{gitlab instance {option}}} and {{/gitlab webhook {option}}} commands do not verify that the requesting user has administrative privileges, allowing any authenticated user to execute these actions. This vulnerability is identified as MMSA-2026-00600 [1].
To exploit this flaw, an attacker only needs a standard user account on a Mattermost server with the GitLab plugin enabled. The attacker can then send the vulnerable commands through the chat interface without any additional authentication or special network access. The commands are normally restricted to admins, but the missing permission check makes them accessible to all users.
Successful exploitation enables a normal user to uninstall GitLab instances or set up webhook connections. Uninstalling instances can break integrations and cause denial of service, while unauthorized webhooks could be used to exfiltrate data or perform further attacks. The impact is confined to the GitLab plugin but can disrupt Mattermost operations.
Mattermost has released a security advisory for this issue [1]. Users should upgrade to patched versions of the GitLab plugin to mitigate the risk. The fix involves implementing proper authorization checks for the affected commands. Administrators should monitor Mattermost's security updates page for the latest details [1].
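The missing gate described above, as an added example that is not code from the Mattermost GitLab plugin: a minimal Go dispatcher for /gitlab subcommands that checks system-admin permission before any instance or webhook action runs, with the flawed (unchecked) path selectable for comparison. The Authorizer interface and the role table are assumptions standing in for the plugin host's permission API.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Authorizer stands in for the host's permission API (in a real Mattermost
// plugin this would wrap the server's HasPermissionTo check for the
// manage-system permission); the interface is an assumption of this example.
type Authorizer interface {
	IsSystemAdmin(userID string) bool
}

// roleTable is a constructed in-memory role table used as sample input.
type roleTable map[string]bool

func (r roleTable) IsSystemAdmin(userID string) bool { return r[userID] }

var ErrForbidden = errors.New("permission denied: system admin required")

// adminOnly marks the subcommands that change server-wide integration state
// (connecting/uninstalling GitLab instances, creating webhooks).
var adminOnly = map[string]bool{"instance": true, "webhook": true}

// HandleGitlabCommand dispatches "/gitlab <subcommand> [options]".
// With enforce=false it reproduces the flawed behaviour described in the
// advisory (no permission gate); enforce=true is the hardened form.
func HandleGitlabCommand(auth Authorizer, userID, text string, enforce bool) (string, error) {
	fields := strings.Fields(text)
	if len(fields) < 2 || fields[0] != "/gitlab" {
		return "", errors.New("usage: /gitlab <instance|webhook|help> [options]")
	}
	sub, args := fields[1], strings.Join(fields[2:], " ")
	// Authorize before any side effect and outside the per-subcommand
	// branches, so a newly added privileged subcommand cannot skip the check.
	if enforce && adminOnly[sub] && !auth.IsSystemAdmin(userID) {
		return "", fmt.Errorf("%w (user=%s subcommand=%s)", ErrForbidden, userID, sub)
	}
	switch sub {
	case "instance", "webhook":
		return fmt.Sprintf("%s %s: executed for %s", sub, args, userID), nil
	case "help":
		return "subcommands: instance, webhook, help", nil
	default:
		return "", fmt.Errorf("unknown subcommand %q", sub)
	}
}

func main() {
	roles := roleTable{"admin": true, "alice": false}
	for _, enforce := range []bool{false, true} {
		out, err := HandleGitlabCommand(roles, "alice", "/gitlab instance uninstall", enforce)
		fmt.Printf("enforce=%v -> out=%q err=%v\n", enforce, out, err)
	}
}
```

The wrapped ErrForbidden carries the user and subcommand so a denied attempt can be logged and alerted on, which is the signal a defender wants from this class of bug.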
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=11.5, <=11.1.5, <=10.13.11, <=11.3.4.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References