Mattermost mmctl Terminal Injection Vulnerability (CVE-2026-3108)
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 are vulnerable to terminal injection, allowing attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences.
CVE-2026-3108 affects Mattermost servers using the mmctl command-line tool. This vulnerability, disclosed in March 2026, stems from a failure to properly sanitize user-controlled post content within the terminal output of mmctl commands. Specifically, versions 11.2.x up to 11.2.2, 10.11.x up to 10.11.10, 11.4.x up to 11.4.0, and 11.3.x up to 11.3.1 are susceptible. An attacker leveraging this flaw can inject ANSI and OSC escape sequences into administrator terminals. These sequences enable…
Detection coverage 2
Detect Suspicious ANSI Escape Sequences in Mattermost Logs
mediumDetects the presence of ANSI escape sequences in Mattermost logs, potentially indicating an attempt to exploit CVE-2026-3108.
Detect OSC Escape Sequences in Mattermost Logs
highDetects the presence of OSC escape sequences (used for clipboard manipulation) in Mattermost logs, potentially indicating an attempt to exploit CVE-2026-3108.
Detection queries are kept inside the platform. Get full rules →