CVE-2026-3108: Mattermost allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences

March 26, 2026 (updated March 31, 2026)

Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences that enable screen manipulation, fake prompts, and clipboard hijacking. Mattermost Advisory ID: MMSA-2026-00599.

References

github.com/advisories/GHSA-3439-vqgj-2gcf
github.com/mattermost/mattermost
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2026-3108

Code Behaviors & Features

Detect and mitigate CVE-2026-3108 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →