CVE-2026-5139 Overview
CVE-2026-5139 is a missing authorization vulnerability [CWE-862] in Mattermost Server. The flaw resides in the /gitlab connect slash command handler, which fails to enforce administrator authorization on the setDefaultInstance call. Any authenticated user can overwrite the global default GitLab instance configuration by issuing /gitlab connect <instance-name>. The issue affects Mattermost versions 11.7.x through 11.7.0, 11.6.x through 11.6.2, 11.5.x through 11.5.5, and 10.11.x through 10.11.17. Mattermost tracks the issue under advisory ID MMSA-2026-00644.
Critical Impact
Authenticated low-privilege users can tamper with the server-wide default GitLab instance configuration, redirecting integration behavior for all users on the Mattermost workspace.
Affected Products
- Mattermost Server 11.7.x (versions 11.7.0 and earlier in the branch)
- Mattermost Server 11.6.x (versions up to and including 11.6.2) and 11.5.x (up to 11.5.5)
- Mattermost Server 10.11.x (versions up to and including 10.11.17)
Discovery Timeline
- 2026-06-22 - CVE-2026-5139 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2026-5139
Vulnerability Analysis
The vulnerability stems from a missing authorization check on a privileged configuration operation. Mattermost exposes a /gitlab connect slash command that lets users link a personal GitLab account to their Mattermost identity. Within the command handler, the server also invokes setDefaultInstance, an operation intended for administrators that designates which GitLab instance is the workspace-wide default. Because the handler never verifies the caller's role before reaching setDefaultInstance, any authenticated user can change the global default GitLab instance for the entire server. The behavior maps to CWE-862 (Missing Authorization) and impacts the integrity and availability of the integration configuration.
Root Cause
The handler conflates user-scoped account linking with server-scoped configuration. The setDefaultInstance code path requires an administrator role check, but the /gitlab connect <instance-name> flow calls it without first validating that the invoking user holds the system_admin role. The result is broken access control on a configuration mutation that should be restricted.
Attack Vector
The attack requires network access to Mattermost and a valid, low-privilege user account. The attacker issues the slash command /gitlab connect <instance-name> from any channel where slash commands are permitted. The command handler executes setDefaultInstance with the attacker-supplied instance name and persists the change at the workspace level. Subsequent GitLab integration operations performed by other users may then resolve against the attacker-chosen default instance, enabling integration disruption or rerouting of integration flows to an unintended GitLab endpoint.
No verified public exploit code is available. The mechanics are documented in the Mattermost Security Updates advisory MMSA-2026-00644.
Detection Methods for CVE-2026-5139
Indicators of Compromise
- Audit log entries showing /gitlab connect slash command invocations followed by changes to the GitLab plugin's default instance configuration.
- Unexpected modifications to the mattermost-plugin-gitlab plugin configuration, particularly the default instance value, performed by non-administrator accounts.
- GitLab integration calls resolving to an unfamiliar or attacker-controlled instance hostname.
Detection Strategies
- Correlate slash command audit events with configuration write events on the GitLab plugin, alerting when a non-admin user identifier precedes a default-instance change.
- Baseline the configured default GitLab instance value and alert on any deviation outside scheduled administrative change windows.
- Review Mattermost plugin configuration history for setDefaultInstance mutations and validate that each change ties back to a system_admin user.
Monitoring Recommendations
- Forward Mattermost audit and plugin logs to a centralized SIEM with retention sufficient to investigate post-disclosure activity.
- Monitor outbound traffic from Mattermost to GitLab endpoints and flag connections to instance hostnames not on an approved allowlist.
- Track the frequency of /gitlab connect invocations per user and alert on abnormal spikes from non-administrative accounts.
How to Mitigate CVE-2026-5139
Immediate Actions Required
- Upgrade Mattermost Server to a version above the affected ranges: beyond 11.7.0 on the 11.7.x branch, 11.6.2 on 11.6.x, 11.5.5 on 11.5.5, and 10.11.17 on 10.11.x.
- Audit the current GitLab plugin configuration and confirm the default instance value matches the administrator-approved setting.
- Review recent /gitlab connect slash command activity and roll back any unauthorized default-instance changes.
Patch Information
Mattermost has published fixed releases through the Mattermost Security Updates portal under advisory MMSA-2026-00644. Apply the vendor-supplied patch corresponding to your current release branch and restart the Mattermost server to ensure the updated handler enforces the administrator check on setDefaultInstance.
Workarounds
- Disable the GitLab plugin until patched versions are deployed, preventing exposure of the vulnerable /gitlab connect handler.
- Restrict slash command usage at the team or channel level for non-administrator roles where operationally feasible.
- Limit network egress from the Mattermost server to an allowlist of approved GitLab instances to contain the impact of an unauthorized default-instance change.
# Disable the GitLab plugin via Mattermost CLI as a temporary workaround
mattermost plugin disable com.github.manland.mattermost-plugin-gitlab
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

