Mattermost Gitlab Plugin Permissions Bypass CVE-2026-3117 (10.13.11-11.5)
CVE-2026-3117 Published on May 18, 2026
Instance and webhook GitLab plugin commands were able to be run by non-admin users
Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to properly check for permissions when processing commands in the Gitlab plugin which allows normal users to uninstall instances or setup webhook connections via the {{gitlab instance {option}}} or the {{/gitlab webhook {option}}} commands. Mattermost Advisory ID: MMSA-2026-00600
Vulnerability Analysis
CVE-2026-3117 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-3117 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2026-3117
Want to know whenever a new CVE is published for MatterMost? stack.watch will email you.
Affected Versions
Mattermost:- Before and including 11.1.5 is affected.
- Before and including 10.13.11 is affected.
- Before and including 11.3.4 is affected.
- Version 11.6.0 is unaffected.
- Version 11.5.2 is unaffected.
- Version 10.11.14 is unaffected.
- Version 11.4.4 is unaffected.