CVE-2026-3108
Published: 26 March 2026
Summary
CVE-2026-3108 is a high-severity Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150) vulnerability in Mattermost Server. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE is ranked at the 4.7th percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-15 (Information Output Filtering) addresses exactly this failure: mmctl writes user-controlled post content to a terminal without validating it, so the output path must neutralize ANSI CSI and OSC escape sequences (and stray C0/C1 control characters) before they reach the administrator's terminal emulator, which closes the screen-manipulation, fake-prompt and clipboard-hijacking paths.
SI-2 (Flaw Remediation) requires timely patching: apply the Mattermost releases referenced in advisory MMSA-2026-00599, which correct the output sanitization in the affected version lines.
SI-10 (Information Input Validation) is the complementary server-side control: rejecting or neutralizing escape sequences in post content at ingestion limits what a malicious user can store in the first place. Output-side filtering in mmctl remains the definitive fix, because the terminal is the point at which the sequences become dangerous.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unsanitized post content lets an attacker inject ANSI/OSC escape sequences into mmctl terminal output. That directly enables fake prompts for credential or input capture (T1141 Input Prompt, which ATT&CK has since deprecated in favor of T1056.002 GUI Input Capture), clipboard manipulation via OSC sequences such as OSC 52 (T1115 Clipboard Data), and tricking administrators into running attacker-chosen commands in a Unix shell (T1059.004 Unix Shell).
NVD Description
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences that enable screen manipulation, fake prompts, and clipboard hijacking. Mattermost Advisory ID: MMSA-2026-00599
Deeper analysis
CVE-2026-3108 affects Mattermost Server 11.2.x up to and including 11.2.2, 10.11.x up to and including 10.11.10, 11.4.x up to and including 11.4.0, and 11.3.x up to and including 11.3.1. The root cause is that mmctl prints user-controlled post content to the terminal without sanitizing it. Any user who can create a post can therefore embed ANSI CSI and OSC escape sequences that the administrator's terminal emulator interprets when the post is displayed, giving the attacker control over what the administrator sees (screen clearing, cursor positioning, fake prompts) and, through OSC clipboard sequences, over what lands in the administrator's clipboard. The issue is classified as CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences). The listed CVSS v3.1 vector is AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H; computed with the v3.1 formula that vector yields 6.8, not the 8.0 quoted above, so treat the Mattermost advisory as the authoritative source for the score.
Exploitation requires only low privileges (PR:L): any authenticated user who can post a message. The attack is network-accessible (AV:N) but carries high attack complexity (AC:H), since the attacker controls neither when the output is rendered nor which terminal emulator renders it, and it requires user interaction (UI:R): an administrator has to run an mmctl command whose output includes the crafted post. The scope change (S:C) reflects that the impact lands outside Mattermost itself, on the administrator's terminal and workstation. The C:H/I:H/A:H impacts reflect what an attacker can achieve there: a convincing fake prompt captures credentials, a clipboard write plants a command the administrator may paste into a shell, and screen manipulation hides what actually happened.
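The output filtering that SI-15 and SI-10 call for, and the crafted-message scenario described above, as an added Go example (this is not Mattermost or mmctl code): SanitizeForTerminal strips CSI, OSC and other escape sequences plus stray C0/C1 control characters from a string before it is written to a terminal, and CraftedPost is a constructed message of the kind the advisory describes (an OSC 52 clipboard write, a clear-screen and cursor-home, and a fake sudo prompt). All function and constant names are the example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// CraftedPost is a constructed example of a hostile message: innocuous text,
// an OSC 52 clipboard write (base64 of "echo pwned"), a CSI clear-screen and
// cursor-home, then a fake sudo prompt that would sit alone on a blank screen.
const CraftedPost = "deploy notes\x1b]52;c;ZWNobyBwd25lZA==\x07" +
	"\x1b[2J\x1b[H[sudo] password for admin: "

// SanitizeForTerminal removes escape sequences and control characters from s
// so a terminal will not interpret them. Newline and tab are kept because
// readable output needs them; every other C0 byte, DEL and the C1 range
// (0x80-0x9f) is dropped, and ESC or an 8-bit C1 introducer starts a
// sequence that is skipped as a whole.
func SanitizeForTerminal(s string) string {
	rs := []rune(s) // invalid UTF-8 becomes U+FFFD, which is harmless here
	var b strings.Builder
	b.Grow(len(s))
	for i := 0; i < len(rs); {
		r := rs[i]
		switch {
		case r == '\n' || r == '\t':
			b.WriteRune(r)
			i++
		case r == 0x1b: // ESC
			i += skipEscape(rs[i:])
		case r == 0x9b: // 8-bit CSI
			i += 1 + skipCSI(rs[i+1:])
		case r == 0x9d || r == 0x90 || r == 0x98 || r == 0x9e || r == 0x9f: // 8-bit OSC/DCS/SOS/PM/APC
			i += 1 + skipControlString(rs[i+1:])
		case r < 0x20 || r == 0x7f || (r >= 0x80 && r <= 0x9f):
			i++ // lone control character (BEL, CR, BS, ...): drop it
		default:
			b.WriteRune(r)
			i++
		}
	}
	return b.String()
}

// skipEscape is called with rs[0] == ESC and returns how many runes the whole
// sequence occupies. An unterminated sequence swallows the rest of the input:
// emitting a half-sequence is worse than losing the tail of a hostile message.
func skipEscape(rs []rune) int {
	if len(rs) < 2 {
		return len(rs)
	}
	switch rs[1] {
	case '[': // CSI: ESC [ params intermediates final
		return 2 + skipCSI(rs[2:])
	case ']', 'P', 'X', '^', '_': // OSC, DCS, SOS, PM, APC: run until BEL or ST
		return 2 + skipControlString(rs[2:])
	}
	// nF sequences: ESC, zero or more intermediates 0x20-0x2f, one final byte
	// (this also covers single-byte Fe/Fs/Fp sequences such as ESC c).
	i := 1
	for i < len(rs) && rs[i] >= 0x20 && rs[i] <= 0x2f {
		i++
	}
	if i < len(rs) {
		i++
	}
	return i
}

// skipCSI returns the length of a CSI body: parameter bytes 0x30-0x3f,
// intermediate bytes 0x20-0x2f, then one final byte 0x40-0x7e.
func skipCSI(rs []rune) int {
	i := 0
	for i < len(rs) && rs[i] >= 0x30 && rs[i] <= 0x3f {
		i++
	}
	for i < len(rs) && rs[i] >= 0x20 && rs[i] <= 0x2f {
		i++
	}
	if i < len(rs) && rs[i] >= 0x40 && rs[i] <= 0x7e {
		i++
	}
	return i
}

// skipControlString returns the length of an OSC/DCS/SOS/PM/APC body
// including its terminator: BEL (0x07), 8-bit ST (0x9c) or 7-bit ST (ESC \).
func skipControlString(rs []rune) int {
	for i := 0; i < len(rs); i++ {
		switch rs[i] {
		case 0x07, 0x9c:
			return i + 1
		case 0x1b:
			if i+1 < len(rs) && rs[i+1] == '\\' {
				return i + 2
			}
		}
	}
	return len(rs)
}

// HasTerminalControls reports whether s contains anything the sanitizer would
// remove; usable as the SI-10 input check at post creation or as a detection
// rule over stored posts.
func HasTerminalControls(s string) bool {
	return SanitizeForTerminal(s) != s
}

func main() {
	fmt.Printf("raw:       %q\n", CraftedPost)
	fmt.Printf("sanitized: %q\n", SanitizeForTerminal(CraftedPost))
	fmt.Println("needs filtering:", HasTerminalControls(CraftedPost))
}
```

The sanitizer is deliberately a denylist of sequence grammar rather than a list of known-bad sequences: any ESC-introduced sequence is removed whether or not the terminal it reaches happens to implement it, and an OSC that is never terminated takes the rest of the message with it, which is the safe direction to fail. Running the program prints the crafted post with %q so the escape bytes are visible, then the text that would actually reach the screen: only "deploy notes" followed by the fake prompt text, which is now just inert characters on the same line.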
For mitigation details, refer to Mattermost Advisory MMSA-2026-00599 available at https://mattermost.com/security-updates.
Details
- CWE(s)