CVE-2026-5139

Description

Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to enforce administrator authorization on the { {setDefaultInstance} } call within the { {/gitlab connect} } command handler, which allows any authenticated user to overwrite the global default GitLab instance configuration via the { {/gitlab connect <instance-name>} } slash command.. Mattermost Advisory ID: MMSA-2026-00644

References

• https://mattermost.com/security-updates