CVE-2026-4339 (GCVE-0-2026-4339)
Vulnerability from nvd – Published: 2026-06-26 14:44 – Updated: 2026-06-26 15:40
Title
SSRF via unvalidated attachment URLs in Mattermost Agents plugin MCP server
Summary
Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server, which allows an attacker with access to the MCP server in stdio mode to perform server-side request forgery (SSRF) and exfiltrate data from internal network services by supplying internal URLs as file attachments in post creation requests. Mattermost Advisory ID: MMSA-2026-00635
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost | Affected: 10.11.0 , ≤ 10.11.18 (semver); Affected: 11.6.0 , ≤ 11.6.3 (semver); Affected: 11.5.0 , ≤ 11.5.6 (semver); Unaffected: 11.7.0; Unaffected: 10.11.19; Unaffected: 11.6.4; Unaffected: 11.5.7 | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4339",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T15:40:26.600436Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T15:40:33.300Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "10.11.18",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.3",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.6",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.7.0"
},
{
"status": "unaffected",
"version": "10.11.19"
},
{
"status": "unaffected",
"version": "11.6.4"
},
{
"status": "unaffected",
"version": "11.5.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "s00me00ne"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 10.11.x \u003c= 10.11.18, 11.6.x \u003c= 11.6.3, 11.5.x \u003c= 11.5.6 fail to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server which allows an attacker with access to the MCP server in stdio mode to perform server-side request forgery (SSRF) and exfiltrate data from internal network services via supplying internal URLs as file attachments in post creation requests.. Mattermost Advisory ID: MMSA-2026-00635"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T14:44:58.655Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00635",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.7.0, 10.11.19, 11.6.4, 11.5.7 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00635",
"defect": [
"https://mattermost.atlassian.net/browse/MM-67950"
],
"discovery": "EXTERNAL"
},
"title": "SSRF via unvalidated attachment URLs in Mattermost Agents plugin MCP server",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-4339",
"datePublished": "2026-06-26T14:44:58.655Z",
"dateReserved": "2026-03-17T14:57:10.575Z",
"dateUpdated": "2026-06-26T15:40:33.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3472 (GCVE-0-2026-3472)
Vulnerability from nvd – Published: 2026-06-26 14:42 – Updated: 2026-06-26 15:41
Title
Markdown image rendering bypass in AI bot tool result posts in Mattermost
Summary
Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to properly apply markdown image rendering restrictions to AI bot tool result posts, which allows an authenticated attacker to exfiltrate data to an attacker-controlled server by injecting markdown image syntax into tool result content rendered by a victim's client. Mattermost Advisory ID: MMSA-2026-00619
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-693 - Protection Mechanism Failure
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost | Affected: 10.11.0 , ≤ 10.11.18 (semver); Affected: 11.6.0 , ≤ 11.6.3 (semver); Affected: 11.5.0 , ≤ 11.5.6 (semver); Unaffected: 11.7.0; Unaffected: 10.11.19; Unaffected: 11.6.4; Unaffected: 11.5.7 | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3472",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T15:41:02.864491Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T15:41:09.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "10.11.18",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.3",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.6",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.7.0"
},
{
"status": "unaffected",
"version": "10.11.19"
},
{
"status": "unaffected",
"version": "11.6.4"
},
{
"status": "unaffected",
"version": "11.5.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juho Fors\u00e9n"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 10.11.x \u003c= 10.11.18, 11.6.x \u003c= 11.6.3, 11.5.x \u003c= 11.5.6 fail to properly apply markdown image rendering restrictions to AI bot tool result posts, which allows an authenticated attacker to exfiltrate data to an attacker-controlled server via injecting markdown image syntax into tool result content rendered by a victim\u0027s client.. Mattermost Advisory ID: MMSA-2026-00619"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T14:42:24.154Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00619",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.7.0, 10.11.19, 11.6.4, 11.5.7 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00619",
"defect": [
"https://mattermost.atlassian.net/browse/MM-67751"
],
"discovery": "{\"self\"=\u003e\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=\u003e\"Internal\", \"id\"=\u003e\"10557\"}"
},
"title": "Markdown image rendering bypass in AI bot tool result posts in Mattermost",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-3472",
"datePublished": "2026-06-26T14:42:24.154Z",
"dateReserved": "2026-03-03T11:25:53.785Z",
"dateUpdated": "2026-06-26T15:41:09.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8823 (GCVE-0-2026-8823)
Vulnerability from nvd – Published: 2026-06-22 13:41 – Updated: 2026-06-22 16:12
Title
User Manager can demote bot accounts to guest without bot-management permission
Summary
Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to validate bot targets when demoting users to guests, which allows a lower-privileged administrator to degrade arbitrary bot accounts via the standard demote-user API. Mattermost Advisory ID: MMSA-2026-00669
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost | Affected: 11.7.0 , ≤ 11.7.0 (semver); Affected: 10.11.0 , ≤ 10.11.17 (semver); Unaffected: 11.8.0; Unaffected: 11.7.1; Unaffected: 10.11.18 | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8823",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T16:12:21.701325Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:12:31.350Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.0",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.17",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.1"
},
{
"status": "unaffected",
"version": "10.11.18"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Edgar Bellot Mic\u00f3"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.0, 10.11.x \u003c= 10.11.17 fail to validate bot targets when demoting users to guests which allows a lower-privileged administrator to degrade arbitrary bot accounts via the standard demote-user API.. Mattermost Advisory ID: MMSA-2026-00669"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T13:41:28.404Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00669",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.1, 10.11.18 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00669",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68700"
],
"discovery": "{\"self\"=\u003e\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=\u003e\"Internal\", \"id\"=\u003e\"10557\"}"
},
"title": "User Manager can demote bot accounts to guest without bot-management permission",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-8823",
"datePublished": "2026-06-22T13:41:28.404Z",
"dateReserved": "2026-05-18T10:05:31.691Z",
"dateUpdated": "2026-06-22T16:12:31.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9162 (GCVE-0-2026-9162)
Vulnerability from nvd – Published: 2026-06-22 13:36 – Updated: 2026-06-22 15:40
Title
Global session revocation does not invalidate active WebSocket connections
Summary
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation, which allows a user with an existing WebSocket connection to remain authenticated and continue receiving real-time events until the cached session expires or the client reconnects. Mattermost Advisory ID: MMSA-2026-00664
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost | Affected: 11.7.0 , ≤ 11.7.0 (semver); Affected: 11.6.0 , ≤ 11.6.2 (semver); Affected: 11.5.0 , ≤ 11.5.5 (semver); Affected: 10.11.0 , ≤ 10.11.17 (semver); Unaffected: 11.8.0; Unaffected: 11.7.1; Unaffected: 11.6.3; Unaffected: 11.5.6; Unaffected: 10.11.18 | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9162",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T15:39:54.095237Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T15:40:07.851Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.0",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.2",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.5",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.17",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.1"
},
{
"status": "unaffected",
"version": "11.6.3"
},
{
"status": "unaffected",
"version": "11.5.6"
},
{
"status": "unaffected",
"version": "10.11.18"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "winfunc"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.0, 11.6.x \u003c= 11.6.2, 11.5.x \u003c= 11.5.5, 10.11.x \u003c= 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation, which allows a user with an existing WebSocket connection to remain authenticated and continue receiving real-time events until the cached session expires or the client reconnects.. Mattermost Advisory ID: MMSA-2026-00664"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T13:36:43.998Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00664",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.1, 11.6.3, 11.5.6, 10.11.18 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00664",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68542"
],
"discovery": "EXTERNAL"
},
"title": "Global session revocation does not invalidate active WebSocket connections",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-9162",
"datePublished": "2026-06-22T13:36:43.998Z",
"dateReserved": "2026-05-21T11:17:28.560Z",
"dateUpdated": "2026-06-22T15:40:07.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8074 (GCVE-0-2026-8074)
Vulnerability from nvd – Published: 2026-06-22 13:37 – Updated: 2026-06-22 15:40
Title
Improper Permission Check Allows User Manager to Deactivate Bot Accounts
Summary
Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, which allows a User Manager with user management write access but no Integrations access to deactivate bot accounts via the PUT /api/v4/users/{id}/active API endpoint. Mattermost Advisory ID: MMSA-2026-00667
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost | Affected: 11.7.0 , ≤ 11.7.0 (semver); Affected: 10.11.0 , ≤ 10.11.17 (semver); Unaffected: 11.8.0; Unaffected: 11.7.1; Unaffected: 10.11.18 | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8074",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T15:40:23.411921Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T15:40:37.392Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.0",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.17",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.1"
},
{
"status": "unaffected",
"version": "10.11.18"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "hackit_bharat"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.0, 10.11.x \u003c= 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, which allows a User Manager with user management write access but no Integrations access to deactivate bot accounts via the PUT /api/v4/users/{id}/active API endpoint.. Mattermost Advisory ID: MMSA-2026-00667"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T13:37:44.617Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00667",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.1, 10.11.18 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00667",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68685"
],
"discovery": "EXTERNAL"
},
"title": "Improper Permission Check Allows User Manager to Deactivate Bot Accounts",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-8074",
"datePublished": "2026-06-22T13:37:44.617Z",
"dateReserved": "2026-05-07T10:55:28.977Z",
"dateUpdated": "2026-06-22T15:40:37.392Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6673 (GCVE-0-2026-6673)
Vulnerability from nvd – Published: 2026-06-22 13:38 – Updated: 2026-06-22 15:41
Title
Mattermost Jira plugin had unauthenticated `/ac/installed` lifecycle callback during pending Jira Cloud install
Summary
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to authenticate Atlassian Connect installed callbacks, which allows a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira integration via a POST to /ac/installed during the pending-install window. Mattermost Advisory ID: MMSA-2026-00654
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost | Affected: 11.7.0 , ≤ 11.7.0 (semver); Affected: 11.6.0 , ≤ 11.6.2 (semver); Affected: 11.5.0 , ≤ 11.5.5 (semver); Affected: 10.11.0 , ≤ 10.11.17 (semver); Unaffected: 11.8.0; Unaffected: 11.7.1; Unaffected: 11.6.3; Unaffected: 11.5.6; Unaffected: 10.11.18 | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6673",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T15:40:53.578692Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T15:41:08.511Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.0",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.2",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.5",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.17",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.1"
},
{
"status": "unaffected",
"version": "11.6.3"
},
{
"status": "unaffected",
"version": "11.5.6"
},
{
"status": "unaffected",
"version": "10.11.18"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "insomnia1102"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.0, 11.6.x \u003c= 11.6.2, 11.5.x \u003c= 11.5.5, 10.11.x \u003c= 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira integration via POST to /ac/installed during the pending-install window.. Mattermost Advisory ID: MMSA-2026-00654"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T13:38:56.594Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00654",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.1, 11.6.3, 11.5.6, 10.11.18 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00654",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68376"
],
"discovery": "EXTERNAL"
},
"title": "Mattermost Jira plugin had unauthenticated {{/ac/installed}} lifecycle callback during pending Jira Cloud install",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-6673",
"datePublished": "2026-06-22T13:38:56.594Z",
"dateReserved": "2026-04-20T13:45:33.430Z",
"dateUpdated": "2026-06-22T15:41:08.511Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6062 (GCVE-0-2026-6062)
Vulnerability from nvd – Published: 2026-06-22 13:40 – Updated: 2026-06-22 15:41
Title
IDOR in Jira plugin subscription edit endpoint
Summary
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to validate channel ownership of an existing subscription before applying edits, which allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT request to the subscription edit endpoint. Mattermost Advisory ID: MMSA-2026-00650
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost | Affected: 11.7.0 , ≤ 11.7.0 (semver); Affected: 11.6.0 , ≤ 11.6.2 (semver); Affected: 11.5.0 , ≤ 11.5.5 (semver); Affected: 10.11.0 , ≤ 10.11.17 (semver); Unaffected: 11.8.0; Unaffected: 11.7.1; Unaffected: 11.6.3; Unaffected: 11.5.6; Unaffected: 10.11.18 | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6062",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T15:41:30.282800Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T15:41:48.877Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.0",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.2",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.5",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.17",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.1"
},
{
"status": "unaffected",
"version": "11.6.3"
},
{
"status": "unaffected",
"version": "11.5.6"
},
{
"status": "unaffected",
"version": "10.11.18"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "0hmz"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.0, 11.6.x \u003c= 11.6.2, 11.5.x \u003c= 11.5.5, 10.11.x \u003c= 10.11.17 Fail to validate channel ownership of an existing subscription before applying edits which allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT request to the subscription edit endpoint.. Mattermost Advisory ID: MMSA-2026-00650"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T13:40:07.776Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00650",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.1, 11.6.3, 11.5.6, 10.11.18 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00650",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68271"
],
"discovery": "EXTERNAL"
},
"title": "IDOR in Jira plugin subscription edit endpoint",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-6062",
"datePublished": "2026-06-22T13:40:07.776Z",
"dateReserved": "2026-04-10T10:57:59.278Z",
"dateUpdated": "2026-06-22T15:41:48.877Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5139 (GCVE-0-2026-5139)
Vulnerability from nvd – Published: 2026-06-22 13:34 – Updated: 2026-06-22 15:39
Title
GitLab Plugin Allows Non-Admin Users to Modify Default Instance Configuration
Summary
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to enforce administrator authorization on the `setDefaultInstance` call within the `/gitlab connect` command handler, which allows any authenticated user to overwrite the global default GitLab instance configuration via the `/gitlab connect <instance-name>` slash command. Mattermost Advisory ID: MMSA-2026-00644
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.0
(semver)
Affected: 11.6.0 , ≤ 11.6.2 (semver) Affected: 11.5.0 , ≤ 11.5.5 (semver) Affected: 10.11.0 , ≤ 10.11.17 (semver) Unaffected: 11.8.0 Unaffected: 11.7.1 Unaffected: 11.6.3 Unaffected: 11.5.6 Unaffected: 10.11.18 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5139",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T15:39:17.436366Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T15:39:29.821Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.0",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.2",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.5",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.17",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.1"
},
{
"status": "unaffected",
"version": "11.6.3"
},
{
"status": "unaffected",
"version": "11.5.6"
},
{
"status": "unaffected",
"version": "10.11.18"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "hunterxluxhug"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.0, 11.6.x \u003c= 11.6.2, 11.5.x \u003c= 11.5.5, 10.11.x \u003c= 10.11.17 fail to enforce administrator authorization on the {{setDefaultInstance}} call within the {{/gitlab connect}} command handler, which allows any authenticated user to overwrite the global default GitLab instance configuration via the {{/gitlab connect \u003cinstance-name\u003e}} slash command.. Mattermost Advisory ID: MMSA-2026-00644"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T13:34:21.247Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00644",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.1, 11.6.3, 11.5.6, 10.11.18 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00644",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68132"
],
"discovery": "EXTERNAL"
},
"title": "GitLab Plugin Allows Non-Admin Users to Modify Default Instance Configuration",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-5139",
"datePublished": "2026-06-22T13:34:21.247Z",
"dateReserved": "2026-03-30T11:29:16.698Z",
"dateUpdated": "2026-06-22T15:39:29.821Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7387 (GCVE-0-2026-7387)
Vulnerability from nvd – Published: 2026-06-12 15:54 – Updated: 2026-06-13 03:56
Title
Mattermost group syncable endpoints allow privilege escalation via scheme_admin
Summary
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to require role-management authorization when setting the scheme_admin flag on group syncable link and patch endpoints, which allows a user with group-link permissions to escalate themselves and group members to team or channel admin via crafted API requests. Mattermost Advisory ID: MMSA-2026-00665
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.6.0 , ≤ 11.6.1
(semver)
Affected: 11.5.0 , ≤ 11.5.4 (semver) Affected: 10.11.0 , ≤ 10.11.15 (semver) Affected: 10.11.0 , ≤ 10.11.16 (semver) Unaffected: 11.7.0 Unaffected: 11.6.2 Unaffected: 11.5.5 Unaffected: 10.11.16 Unaffected: 10.11.17 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7387",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T03:56:08.889Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.6.1",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.4",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.15",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.16",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.7.0"
},
{
"status": "unaffected",
"version": "11.6.2"
},
{
"status": "unaffected",
"version": "11.5.5"
},
{
"status": "unaffected",
"version": "10.11.16"
},
{
"status": "unaffected",
"version": "10.11.17"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "winfunc"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.6.x \u003c= 11.6.1, 11.5.x \u003c= 11.5.4, 10.11.x \u003c= 10.11.15, 10.11.x \u003c= 10.11.16 Mattermost fails to require role-management authorization when setting the scheme_admin flag on group syncable link and patch endpoints, which allows a user with group-link permissions to escalate themselves and group members to team or channel admin via crafted API requests.. Mattermost Advisory ID: MMSA-2026-00665"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:54:10.103Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00665",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00665",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68546"
],
"discovery": "EXTERNAL"
},
"title": "Mattermost group syncable endpoints allow privilege escalation via scheme_admin",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-7387",
"datePublished": "2026-06-12T15:54:10.103Z",
"dateReserved": "2026-04-29T09:18:29.691Z",
"dateUpdated": "2026-06-13T03:56:08.889Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7184 (GCVE-0-2026-7184)
Vulnerability from nvd – Published: 2026-06-12 15:49 – Updated: 2026-06-12 17:19
Title
Mattermost Remote Cluster PATCH API Leaks Authentication Tokens
Summary
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the `manage_secure_connections` permission to obtain remote cluster authentication tokens via a PATCH request to the remote cluster endpoint. Mattermost Advisory ID: MMSA-2026-00662
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.6.0 , ≤ 11.6.1
(semver)
Affected: 11.5.0 , ≤ 11.5.4 (semver) Affected: 10.11.0 , ≤ 10.11.15 (semver) Unaffected: 11.7.0 Unaffected: 11.6.2 Unaffected: 11.5.5 Unaffected: 10.11.17 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7184",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T17:19:06.393567Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T17:19:11.611Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.6.1",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.4",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.15",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.7.0"
},
{
"status": "unaffected",
"version": "11.6.2"
},
{
"status": "unaffected",
"version": "11.5.5"
},
{
"status": "unaffected",
"version": "10.11.17"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "winfunc"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.6.x \u003c= 11.6.1, 11.5.x \u003c= 11.5.4, 10.11.x \u003c= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the {{manage_secure_connections}} permission to obtain remote cluster authentication tokens via a PATCH request to the remote cluster endpoint.. Mattermost Advisory ID: MMSA-2026-00662"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:49:46.626Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00662",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.17 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00662",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68525"
],
"discovery": "EXTERNAL"
},
"title": "Mattermost Remote Cluster PATCH API Leaks Authentication Tokens",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-7184",
"datePublished": "2026-06-12T15:49:46.626Z",
"dateReserved": "2026-04-27T10:44:00.842Z",
"dateUpdated": "2026-06-12T17:19:11.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6961 (GCVE-0-2026-6961)
Vulnerability from nvd – Published: 2026-06-12 15:56 – Updated: 2026-06-16 13:17
Title
CVE-2026-6961: Path traversal via unsanitized FileInfo.Name in Mattermost federation sync
Summary
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to sanitize FileInfo.Name received from federated peers during shared channel file sync, which allows an attacker who controls a federated server to write files to arbitrary locations within the target server's filestore via path traversal sequences in the filename field. Mattermost Advisory ID: MMSA-2026-00661
Severity
7.6 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.6.0 , ≤ 11.6.1
(semver)
Affected: 11.5.0 , ≤ 11.5.4 (semver) Affected: 10.11.0 , ≤ 10.11.15 (semver) Affected: 10.11.0 , ≤ 10.11.16 (semver) Unaffected: 11.7.0 Unaffected: 11.6.2 Unaffected: 11.5.5 Unaffected: 10.11.16 Unaffected: 10.11.17 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6961",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-13T03:56:08.575775Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T13:17:18.192Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.6.1",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.4",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.15",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.16",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.7.0"
},
{
"status": "unaffected",
"version": "11.6.2"
},
{
"status": "unaffected",
"version": "11.5.5"
},
{
"status": "unaffected",
"version": "10.11.16"
},
{
"status": "unaffected",
"version": "10.11.17"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hassan Mohammed"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.6.x \u003c= 11.6.1, 11.5.x \u003c= 11.5.4, 10.11.x \u003c= 10.11.15, 10.11.x \u003c= 10.11.16 Mattermost fails to sanitize FileInfo.Name received from federated peers during shared channel file sync, which allows an attacker who controls a federated server to write files to arbitrary locations within the target server\u0027s filestore via path traversal sequences in the filename field.. Mattermost Advisory ID: MMSA-2026-00661"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:56:17.364Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00661",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00661",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68488"
],
"discovery": "{\"self\"=\u003e\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=\u003e\"Internal\", \"id\"=\u003e\"10557\"}"
},
"title": "CVE-2026-6961: Path traversal via unsanitized FileInfo.Name in Mattermost federation sync",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-6961",
"datePublished": "2026-06-12T15:56:17.364Z",
"dateReserved": "2026-04-24T15:22:26.743Z",
"dateUpdated": "2026-06-16T13:17:18.192Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6739 (GCVE-0-2026-6739)
Vulnerability from nvd – Published: 2026-06-12 15:49 – Updated: 2026-06-13 03:56
Title
Mattermost: Delegated admins could patch protected default system roles
Summary
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to require system-level permission when patching protected default system roles, which allows authenticated users with delegated user-management permissions to escalate privileges by altering built-in role permissions via the role patch API. Mattermost Advisory ID: MMSA-2026-00656
Severity
6.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.6.0 , ≤ 11.6.1
(semver)
Affected: 11.5.0 , ≤ 11.5.4 (semver) Affected: 10.11.0 , ≤ 10.11.15 (semver) Affected: 10.11.0 , ≤ 10.11.16 (semver) Unaffected: 11.7.0 Unaffected: 11.6.2 Unaffected: 11.5.5 Unaffected: 10.11.16 Unaffected: 10.11.17 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6739",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T03:56:06.666Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.6.1",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.4",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.15",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.16",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.7.0"
},
{
"status": "unaffected",
"version": "11.6.2"
},
{
"status": "unaffected",
"version": "11.5.5"
},
{
"status": "unaffected",
"version": "10.11.16"
},
{
"status": "unaffected",
"version": "10.11.17"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "NeganSpl01t"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.6.x \u003c= 11.6.1, 11.5.x \u003c= 11.5.4, 10.11.x \u003c= 10.11.15, 10.11.x \u003c= 10.11.16 fail to require system-level permission when patching protected default system roles, which allows authenticated users with delegated user-management permissions to escalate privileges by altering built-in role permissions via the role patch API.. Mattermost Advisory ID: MMSA-2026-00656"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:49:14.444Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00656",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00656",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68392"
],
"discovery": "EXTERNAL"
},
"title": "Mattermost: Delegated admins could patch protected default system roles",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-6739",
"datePublished": "2026-06-12T15:49:14.444Z",
"dateReserved": "2026-04-21T08:47:06.795Z",
"dateUpdated": "2026-06-13T03:56:06.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6689 (GCVE-0-2026-6689)
Vulnerability from nvd – Published: 2026-06-12 15:51 – Updated: 2026-06-12 17:18
Title
Missing `invite_user` permission check on team creation allows unprivileged users to set open-invite and allowed-domains team settings
Summary
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to enforce PermissionInviteUser when setting AllowOpenInvite or AllowedDomains during team creation (the check was only applied on update/patch), which allows an authenticated user holding PermissionCreateTeam but not PermissionInviteUser on the resulting team to configure invite-controlled team settings (make the team publicly joinable via open invite and/or constrain membership via allowed domains) that they are not permitted to set on an existing team, via POST /api/v4/teams with allow_open_invite: true and/or a non-empty allowed_domains in the request body. Mattermost Advisory ID: MMSA-2026-00655
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.6.0 , ≤ 11.6.1
(semver)
Affected: 11.5.0 , ≤ 11.5.4 (semver) Affected: 10.11.0 , ≤ 10.11.15 (semver) Affected: 10.11.0 , ≤ 10.11.16 (semver) Unaffected: 11.7.0 Unaffected: 11.6.2 Unaffected: 11.5.5 Unaffected: 10.11.16 Unaffected: 10.11.17 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6689",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T17:18:46.355666Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T17:18:52.426Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.6.1",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.4",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.15",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.16",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.7.0"
},
{
"status": "unaffected",
"version": "11.6.2"
},
{
"status": "unaffected",
"version": "11.5.5"
},
{
"status": "unaffected",
"version": "10.11.16"
},
{
"status": "unaffected",
"version": "10.11.17"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "0x7oda7123"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.6.x \u003c= 11.6.1, 11.5.x \u003c= 11.5.4, 10.11.x \u003c= 10.11.15, 10.11.x \u003c= 10.11.16 Fail to enforce PermissionInviteUser when setting AllowOpenInvite or AllowedDomains during team creation (the check was only applied on update/patch), which allows an authenticated user holding PermissionCreateTeam but not PermissionInviteUser on the resulting team to configure invite-controlled team settings (make the team publicly joinable via open invite and/or constrain membership via allowed domains) that they are not permitted to set on an existing team via POST /api/v4/teams with allow_open_invite: true and/or a non-empty allowed_domains in the request body.. Mattermost Advisory ID: MMSA-2026-00655"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:51:30.871Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00655",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00655",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68381"
],
"discovery": "EXTERNAL"
},
"title": "*Missing* {{invite_user}} *permission check on team creation allows unprivileged users to set open-invite and allowed-domains team settings*",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-6689",
"datePublished": "2026-06-12T15:51:30.871Z",
"dateReserved": "2026-04-20T15:19:13.503Z",
"dateUpdated": "2026-06-12T17:18:52.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6046 (GCVE-0-2026-6046)
Vulnerability from nvd – Published: 2026-06-12 15:52 – Updated: 2026-06-12 17:18
Title
Plugin bot username conflict allows user account to be used as bot identity in Mattermost Server
Summary
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels by pre-registering a user account with a predictable plugin bot username. Mattermost Advisory ID: MMSA-2026-00649
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.6.0 , ≤ 11.6.1
(semver)
Affected: 11.5.0 , ≤ 11.5.4 (semver) Affected: 10.11.0 , ≤ 10.11.15 (semver) Affected: 10.11.0 , ≤ 10.11.16 (semver) Unaffected: 11.7.0 Unaffected: 11.6.2 Unaffected: 11.5.5 Unaffected: 10.11.16 Unaffected: 10.11.17 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6046",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T17:18:25.567701Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T17:18:30.553Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.6.1",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.4",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.15",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.16",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.7.0"
},
{
"status": "unaffected",
"version": "11.6.2"
},
{
"status": "unaffected",
"version": "11.5.5"
},
{
"status": "unaffected",
"version": "10.11.16"
},
{
"status": "unaffected",
"version": "10.11.17"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "insomnia1102"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.6.x \u003c= 11.6.1, 11.5.x \u003c= 11.5.4, 10.11.x \u003c= 10.11.15, 10.11.x \u003c= 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels by pre-registering a user account with a predictable plugin bot username.. Mattermost Advisory ID: MMSA-2026-00649"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:52:33.505Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00649",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00649",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68256"
],
"discovery": "EXTERNAL"
},
"title": "Plugin bot username conflict allows user account to be used as bot identity in Mattermost Server",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-6046",
"datePublished": "2026-06-12T15:52:33.505Z",
"dateReserved": "2026-04-09T19:20:26.868Z",
"dateUpdated": "2026-06-12T17:18:30.553Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3433 (GCVE-0-2026-3433)
Vulnerability from nvd – Published: 2026-06-12 15:46 – Updated: 2026-06-12 17:19
Title
Mattermost fails to scope role_updated websocket events to authorized team and channel members
Summary
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to restrict role_updated websocket event broadcasts to members of the affected team or channel, which allows an authenticated attacker with guest-level access to observe permission scheme change notifications for private teams they are not a member of via the websocket connection. Mattermost Advisory ID: MMSA-2026-00616
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.6.0 , ≤ 11.6.1
(semver)
Affected: 11.5.0 , ≤ 11.5.4 (semver) Affected: 10.11.0 , ≤ 10.11.15 (semver) Affected: 10.11.0 , ≤ 10.11.16 (semver) Unaffected: 11.7.0 Unaffected: 11.6.2 Unaffected: 11.5.5 Unaffected: 10.11.16 Unaffected: 10.11.17 | Note: 10.11.16 appears in both the affected (≤ 10.11.16) and unaffected lists of this record; confirm the exact fixed 10.11.x version against the vendor advisory.
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3433",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T17:19:43.952848Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T17:19:49.970Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.6.1",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.4",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.15",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.16",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.7.0"
},
{
"status": "unaffected",
"version": "11.6.2"
},
{
"status": "unaffected",
"version": "11.5.5"
},
{
"status": "unaffected",
"version": "10.11.16"
},
{
"status": "unaffected",
"version": "10.11.17"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "0x7oda7123"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.6.x \u003c= 11.6.1, 11.5.x \u003c= 11.5.4, 10.11.x \u003c= 10.11.15, 10.11.x \u003c= 10.11.16 fail to restrict role_updated websocket event broadcasts to members of the affected team or channel which allows an authenticated attacker with guest-level access to observe permission scheme change notifications for private teams they are not a member of via the websocket connection.. Mattermost Advisory ID: MMSA-2026-00616"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:46:54.868Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00616",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00616",
"defect": [
"https://mattermost.atlassian.net/browse/MM-67740"
],
"discovery": "EXTERNAL"
},
"title": "Mattermost fails to scope role_updated websocket events to authorized team and channel members",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-3433",
"datePublished": "2026-06-12T15:46:54.868Z",
"dateReserved": "2026-03-02T12:48:20.745Z",
"dateUpdated": "2026-06-12T17:19:49.970Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4339 (GCVE-0-2026-4339)
Vulnerability from cvelistv5 – Published: 2026-06-26 14:44 – Updated: 2026-06-26 15:40
Title
SSRF via unvalidated attachment URLs in Mattermost Agents plugin MCP server
Summary
Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server, which allows an attacker with access to the MCP server in stdio mode to perform server-side request forgery (SSRF) and exfiltrate data from internal network services by supplying internal URLs as file attachments in post creation requests. Mattermost Advisory ID: MMSA-2026-00635
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
10.11.0 , ≤ 10.11.18
(semver)
Affected: 11.6.0 , ≤ 11.6.3 (semver) Affected: 11.5.0 , ≤ 11.5.6 (semver) Unaffected: 11.7.0 Unaffected: 10.11.19 Unaffected: 11.6.4 Unaffected: 11.5.7 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4339",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T15:40:26.600436Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T15:40:33.300Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "10.11.18",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.3",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.6",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.7.0"
},
{
"status": "unaffected",
"version": "10.11.19"
},
{
"status": "unaffected",
"version": "11.6.4"
},
{
"status": "unaffected",
"version": "11.5.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "s00me00ne"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 10.11.x \u003c= 10.11.18, 11.6.x \u003c= 11.6.3, 11.5.x \u003c= 11.5.6 fail to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server which allows an attacker with access to the MCP server in stdio mode to perform server-side request forgery (SSRF) and exfiltrate data from internal network services via supplying internal URLs as file attachments in post creation requests.. Mattermost Advisory ID: MMSA-2026-00635"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T14:44:58.655Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00635",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.7.0, 10.11.19, 11.6.4, 11.5.7 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00635",
"defect": [
"https://mattermost.atlassian.net/browse/MM-67950"
],
"discovery": "EXTERNAL"
},
"title": "SSRF via unvalidated attachment URLs in Mattermost Agents plugin MCP server",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-4339",
"datePublished": "2026-06-26T14:44:58.655Z",
"dateReserved": "2026-03-17T14:57:10.575Z",
"dateUpdated": "2026-06-26T15:40:33.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3472 (GCVE-0-2026-3472)
Vulnerability from cvelistv5 – Published: 2026-06-26 14:42 – Updated: 2026-06-26 15:41
Title
Markdown image rendering bypass in AI bot tool result posts in Mattermost
Summary
Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to properly apply markdown image rendering restrictions to AI bot tool result posts, which allows an authenticated attacker to exfiltrate data to an attacker-controlled server by injecting markdown image syntax into tool result content rendered by a victim's client. Mattermost Advisory ID: MMSA-2026-00619
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-693 - Protection Mechanism Failure
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
10.11.0 , ≤ 10.11.18
(semver)
Affected: 11.6.0 , ≤ 11.6.3 (semver) Affected: 11.5.0 , ≤ 11.5.6 (semver) Unaffected: 11.7.0 Unaffected: 10.11.19 Unaffected: 11.6.4 Unaffected: 11.5.7 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3472",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T15:41:02.864491Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T15:41:09.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "10.11.18",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.3",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.6",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.7.0"
},
{
"status": "unaffected",
"version": "10.11.19"
},
{
"status": "unaffected",
"version": "11.6.4"
},
{
"status": "unaffected",
"version": "11.5.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juho Fors\u00e9n"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 10.11.x \u003c= 10.11.18, 11.6.x \u003c= 11.6.3, 11.5.x \u003c= 11.5.6 fail to properly apply markdown image rendering restrictions to AI bot tool result posts, which allows an authenticated attacker to exfiltrate data to an attacker-controlled server via injecting markdown image syntax into tool result content rendered by a victim\u0027s client.. Mattermost Advisory ID: MMSA-2026-00619"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T14:42:24.154Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00619",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.7.0, 10.11.19, 11.6.4, 11.5.7 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00619",
"defect": [
"https://mattermost.atlassian.net/browse/MM-67751"
],
"discovery": "INTERNAL"
},
"title": "Markdown image rendering bypass in AI bot tool result posts in Mattermost",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-3472",
"datePublished": "2026-06-26T14:42:24.154Z",
"dateReserved": "2026-03-03T11:25:53.785Z",
"dateUpdated": "2026-06-26T15:41:09.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8823 (GCVE-0-2026-8823)
Vulnerability from cvelistv5 – Published: 2026-06-22 13:41 – Updated: 2026-06-22 16:12
Title
User Manager can demote bot accounts to guest without bot-management permission
Summary
Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to validate bot targets when demoting users to guests, which allows a lower-privileged administrator to degrade arbitrary bot accounts via the standard demote-user API. Mattermost Advisory ID: MMSA-2026-00669
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.0
(semver)
Affected: 10.11.0 , ≤ 10.11.17 (semver) Unaffected: 11.8.0 Unaffected: 11.7.1 Unaffected: 10.11.18 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8823",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T16:12:21.701325Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:12:31.350Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.0",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.17",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.1"
},
{
"status": "unaffected",
"version": "10.11.18"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Edgar Bellot Mic\u00f3"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.0, 10.11.x \u003c= 10.11.17 fail to validate bot targets when demoting users to guests which allows a lower-privileged administrator to degrade arbitrary bot accounts via the standard demote-user API.. Mattermost Advisory ID: MMSA-2026-00669"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T13:41:28.404Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00669",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.1, 10.11.18 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00669",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68700"
],
"discovery": "INTERNAL"
},
"title": "User Manager can demote bot accounts to guest without bot-management permission",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-8823",
"datePublished": "2026-06-22T13:41:28.404Z",
"dateReserved": "2026-05-18T10:05:31.691Z",
"dateUpdated": "2026-06-22T16:12:31.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6062 (GCVE-0-2026-6062)
Vulnerability from cvelistv5 – Published: 2026-06-22 13:40 – Updated: 2026-06-22 15:41
Title
IDOR in Jira plugin subscription edit endpoint
Summary
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to validate channel ownership of an existing subscription before applying edits, which allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT request to the subscription edit endpoint. Mattermost Advisory ID: MMSA-2026-00650
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.0
(semver)
Affected: 11.6.0 , ≤ 11.6.2 (semver) Affected: 11.5.0 , ≤ 11.5.5 (semver) Affected: 10.11.0 , ≤ 10.11.17 (semver) Unaffected: 11.8.0 Unaffected: 11.7.1 Unaffected: 11.6.3 Unaffected: 11.5.6 Unaffected: 10.11.18 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6062",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T15:41:30.282800Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T15:41:48.877Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.0",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.2",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.5",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.17",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.1"
},
{
"status": "unaffected",
"version": "11.6.3"
},
{
"status": "unaffected",
"version": "11.5.6"
},
{
"status": "unaffected",
"version": "10.11.18"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "0hmz"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.0, 11.6.x \u003c= 11.6.2, 11.5.x \u003c= 11.5.5, 10.11.x \u003c= 10.11.17 Fail to validate channel ownership of an existing subscription before applying edits which allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT request to the subscription edit endpoint.. Mattermost Advisory ID: MMSA-2026-00650"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T13:40:07.776Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00650",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.1, 11.6.3, 11.5.6, 10.11.18 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00650",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68271"
],
"discovery": "EXTERNAL"
},
"title": "IDOR in Jira plugin subscription edit endpoint",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-6062",
"datePublished": "2026-06-22T13:40:07.776Z",
"dateReserved": "2026-04-10T10:57:59.278Z",
"dateUpdated": "2026-06-22T15:41:48.877Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6673 (GCVE-0-2026-6673)
Vulnerability from cvelistv5 – Published: 2026-06-22 13:38 – Updated: 2026-06-22 15:41
Title
Mattermost Jira plugin had unauthenticated /ac/installed lifecycle callback during pending Jira Cloud install
Summary
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira integration via a POST to /ac/installed during the pending-install window. Mattermost Advisory ID: MMSA-2026-00654
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.0
(semver)
Affected: 11.6.0 , ≤ 11.6.2 (semver) Affected: 11.5.0 , ≤ 11.5.5 (semver) Affected: 10.11.0 , ≤ 10.11.17 (semver) Unaffected: 11.8.0 Unaffected: 11.7.1 Unaffected: 11.6.3 Unaffected: 11.5.6 Unaffected: 10.11.18 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6673",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T15:40:53.578692Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T15:41:08.511Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.0",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.2",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.5",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.17",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.1"
},
{
"status": "unaffected",
"version": "11.6.3"
},
{
"status": "unaffected",
"version": "11.5.6"
},
{
"status": "unaffected",
"version": "10.11.18"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "insomnia1102"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.0, 11.6.x \u003c= 11.6.2, 11.5.x \u003c= 11.5.5, 10.11.x \u003c= 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira integration via POST to /ac/installed during the pending-install window.. Mattermost Advisory ID: MMSA-2026-00654"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T13:38:56.594Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00654",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.1, 11.6.3, 11.5.6, 10.11.18 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00654",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68376"
],
"discovery": "EXTERNAL"
},
"title": "Mattermost Jira plugin had unauthenticated {{/ac/installed}} lifecycle callback during pending Jira Cloud install",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-6673",
"datePublished": "2026-06-22T13:38:56.594Z",
"dateReserved": "2026-04-20T13:45:33.430Z",
"dateUpdated": "2026-06-22T15:41:08.511Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8074 (GCVE-0-2026-8074)
Vulnerability from cvelistv5 – Published: 2026-06-22 13:37 – Updated: 2026-06-22 15:40
Title
Improper Permission Check Allows User Manager to Deactivate Bot Accounts
Summary
Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, which allows a User Manager with user management write access but no Integrations access to deactivate bot accounts via the PUT /api/v4/users/{id}/active API endpoint. Mattermost Advisory ID: MMSA-2026-00667
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.0
(semver)
Affected: 10.11.0 , ≤ 10.11.17 (semver) Unaffected: 11.8.0 Unaffected: 11.7.1 Unaffected: 10.11.18 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8074",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T15:40:23.411921Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T15:40:37.392Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.0",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.17",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.1"
},
{
"status": "unaffected",
"version": "10.11.18"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "hackit_bharat"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.0, 10.11.x \u003c= 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, which allows a User Manager with user management write access but no Integrations access to deactivate bot accounts via the PUT /api/v4/users/{id}/active API endpoint.. Mattermost Advisory ID: MMSA-2026-00667"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T13:37:44.617Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00667",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.1, 10.11.18 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00667",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68685"
],
"discovery": "EXTERNAL"
},
"title": "Improper Permission Check Allows User Manager to Deactivate Bot Accounts",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-8074",
"datePublished": "2026-06-22T13:37:44.617Z",
"dateReserved": "2026-05-07T10:55:28.977Z",
"dateUpdated": "2026-06-22T15:40:37.392Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9162 (GCVE-0-2026-9162)
Vulnerability from cvelistv5 – Published: 2026-06-22 13:36 – Updated: 2026-06-22 15:40
Title
Global session revocation does not invalidate active WebSocket connections
Summary
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation, which allows a user with an existing WebSocket connection to remain authenticated and continue receiving real-time events until the cached session expires or the client reconnects. In practice, revoking all sessions on an affected version does not immediately cut off an already-connected WebSocket client. Mattermost Advisory ID: MMSA-2026-00664
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.0
(semver)
Affected: 11.6.0 , ≤ 11.6.2 (semver) Affected: 11.5.0 , ≤ 11.5.5 (semver) Affected: 10.11.0 , ≤ 10.11.17 (semver) Unaffected: 11.8.0 Unaffected: 11.7.1 Unaffected: 11.6.3 Unaffected: 11.5.6 Unaffected: 10.11.18 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9162",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T15:39:54.095237Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T15:40:07.851Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.0",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.2",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.5",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.17",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.1"
},
{
"status": "unaffected",
"version": "11.6.3"
},
{
"status": "unaffected",
"version": "11.5.6"
},
{
"status": "unaffected",
"version": "10.11.18"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "winfunc"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.0, 11.6.x \u003c= 11.6.2, 11.5.x \u003c= 11.5.5, 10.11.x \u003c= 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation, which allows a user with an existing WebSocket connection to remain authenticated and continue receiving real-time events until the cached session expires or the client reconnects.. Mattermost Advisory ID: MMSA-2026-00664"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T13:36:43.998Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00664",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.1, 11.6.3, 11.5.6, 10.11.18 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00664",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68542"
],
"discovery": "EXTERNAL"
},
"title": "Global session revocation does not invalidate active WebSocket connections",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-9162",
"datePublished": "2026-06-22T13:36:43.998Z",
"dateReserved": "2026-05-21T11:17:28.560Z",
"dateUpdated": "2026-06-22T15:40:07.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5139 (GCVE-0-2026-5139)
Vulnerability from cvelistv5 – Published: 2026-06-22 13:34 – Updated: 2026-06-22 15:39
Title
GitLab Plugin Allows Non-Admin Users to Modify Default Instance Configuration
Summary
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to enforce administrator authorization on the `setDefaultInstance` call within the `/gitlab connect` command handler, which allows any authenticated user to overwrite the global default GitLab instance configuration via the `/gitlab connect <instance-name>` slash command. Mattermost Advisory ID: MMSA-2026-00644
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.0
(semver)
Affected: 11.6.0 , ≤ 11.6.2 (semver) Affected: 11.5.0 , ≤ 11.5.5 (semver) Affected: 10.11.0 , ≤ 10.11.17 (semver) Unaffected: 11.8.0 Unaffected: 11.7.1 Unaffected: 11.6.3 Unaffected: 11.5.6 Unaffected: 10.11.18 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5139",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T15:39:17.436366Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T15:39:29.821Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.0",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.2",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.5",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.17",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.1"
},
{
"status": "unaffected",
"version": "11.6.3"
},
{
"status": "unaffected",
"version": "11.5.6"
},
{
"status": "unaffected",
"version": "10.11.18"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "hunterxluxhug"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.0, 11.6.x \u003c= 11.6.2, 11.5.x \u003c= 11.5.5, 10.11.x \u003c= 10.11.17 fail to enforce administrator authorization on the {{setDefaultInstance}} call within the {{/gitlab connect}} command handler, which allows any authenticated user to overwrite the global default GitLab instance configuration via the {{/gitlab connect \u003cinstance-name\u003e}} slash command.. Mattermost Advisory ID: MMSA-2026-00644"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T13:34:21.247Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00644",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.1, 11.6.3, 11.5.6, 10.11.18 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00644",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68132"
],
"discovery": "EXTERNAL"
},
"title": "GitLab Plugin Allows Non-Admin Users to Modify Default Instance Configuration",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-5139",
"datePublished": "2026-06-22T13:34:21.247Z",
"dateReserved": "2026-03-30T11:29:16.698Z",
"dateUpdated": "2026-06-22T15:39:29.821Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6961 (GCVE-0-2026-6961)
Vulnerability from cvelistv5 – Published: 2026-06-12 15:56 – Updated: 2026-06-16 13:17
Title
CVE-2026-6961: Path traversal via unsanitized FileInfo.Name in Mattermost federation sync
Summary
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to sanitize FileInfo.Name received from federated peers during shared channel file sync, which allows an attacker who controls a federated server to write files to arbitrary locations within the target server's filestore via path traversal sequences in the filename field. Note: this record's affected-version data is self-contradictory for 10.11.16 (it falls inside an affected range ≤ 10.11.16 and is also listed as unaffected); 10.11.17 is the 10.11.x release consistently listed as unaffected. Mattermost Advisory ID: MMSA-2026-00661
Severity
7.6 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.6.0 , ≤ 11.6.1
(semver)
Affected: 11.5.0 , ≤ 11.5.4 (semver) Affected: 10.11.0 , ≤ 10.11.15 (semver) Affected: 10.11.0 , ≤ 10.11.16 (semver) Unaffected: 11.7.0 Unaffected: 11.6.2 Unaffected: 11.5.5 Unaffected: 10.11.16 Unaffected: 10.11.17 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6961",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-13T03:56:08.575775Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T13:17:18.192Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.6.1",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.4",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.15",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.16",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.7.0"
},
{
"status": "unaffected",
"version": "11.6.2"
},
{
"status": "unaffected",
"version": "11.5.5"
},
{
"status": "unaffected",
"version": "10.11.16"
},
{
"status": "unaffected",
"version": "10.11.17"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hassan Mohammed"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.6.x \u003c= 11.6.1, 11.5.x \u003c= 11.5.4, 10.11.x \u003c= 10.11.15, 10.11.x \u003c= 10.11.16 Mattermost fails to sanitize FileInfo.Name received from federated peers during shared channel file sync, which allows an attacker who controls a federated server to write files to arbitrary locations within the target server\u0027s filestore via path traversal sequences in the filename field.. Mattermost Advisory ID: MMSA-2026-00661"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:56:17.364Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00661",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00661",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68488"
],
"discovery": "{\"self\"=\u003e\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=\u003e\"Internal\", \"id\"=\u003e\"10557\"}"
},
"title": "CVE-2026-6961: Path traversal via unsanitized FileInfo.Name in Mattermost federation sync",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-6961",
"datePublished": "2026-06-12T15:56:17.364Z",
"dateReserved": "2026-04-24T15:22:26.743Z",
"dateUpdated": "2026-06-16T13:17:18.192Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7387 (GCVE-0-2026-7387)
Vulnerability from cvelistv5 – Published: 2026-06-12 15:54 – Updated: 2026-06-13 03:56
Title
Mattermost group syncable endpoints allow privilege escalation via scheme_admin
Summary
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to require role-management authorization when setting the scheme_admin flag on group syncable link and patch endpoints, which allows a user with group-link permissions to escalate themselves and group members to team or channel admin via crafted API requests. Note: this record's affected-version data is self-contradictory for 10.11.16 (it falls inside an affected range ≤ 10.11.16 and is also listed as unaffected); 10.11.17 is the 10.11.x release consistently listed as unaffected. Mattermost Advisory ID: MMSA-2026-00665
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.6.0 , ≤ 11.6.1
(semver)
Affected: 11.5.0 , ≤ 11.5.4 (semver) Affected: 10.11.0 , ≤ 10.11.15 (semver) Affected: 10.11.0 , ≤ 10.11.16 (semver) Unaffected: 11.7.0 Unaffected: 11.6.2 Unaffected: 11.5.5 Unaffected: 10.11.16 Unaffected: 10.11.17 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7387",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T03:56:08.889Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.6.1",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.4",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.15",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.16",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.7.0"
},
{
"status": "unaffected",
"version": "11.6.2"
},
{
"status": "unaffected",
"version": "11.5.5"
},
{
"status": "unaffected",
"version": "10.11.16"
},
{
"status": "unaffected",
"version": "10.11.17"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "winfunc"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.6.x \u003c= 11.6.1, 11.5.x \u003c= 11.5.4, 10.11.x \u003c= 10.11.15, 10.11.x \u003c= 10.11.16 Mattermost fails to require role-management authorization when setting the scheme_admin flag on group syncable link and patch endpoints, which allows a user with group-link permissions to escalate themselves and group members to team or channel admin via crafted API requests.. Mattermost Advisory ID: MMSA-2026-00665"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:54:10.103Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00665",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00665",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68546"
],
"discovery": "EXTERNAL"
},
"title": "Mattermost group syncable endpoints allow privilege escalation via scheme_admin",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-7387",
"datePublished": "2026-06-12T15:54:10.103Z",
"dateReserved": "2026-04-29T09:18:29.691Z",
"dateUpdated": "2026-06-13T03:56:08.889Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6046 (GCVE-0-2026-6046)
Vulnerability from cvelistv5 – Published: 2026-06-12 15:52 – Updated: 2026-06-12 17:18
Title
Plugin bot username conflict allows user account to be used as bot identity in Mattermost Server
Summary
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels by pre-registering a user account with a predictable plugin bot username. Note: this record's affected-version data is self-contradictory for 10.11.16 (it falls inside an affected range ≤ 10.11.16 and is also listed as unaffected); 10.11.17 is the 10.11.x release consistently listed as unaffected. Mattermost Advisory ID: MMSA-2026-00649
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.6.0 , ≤ 11.6.1
(semver)
Affected: 11.5.0 , ≤ 11.5.4 (semver) Affected: 10.11.0 , ≤ 10.11.15 (semver) Affected: 10.11.0 , ≤ 10.11.16 (semver) Unaffected: 11.7.0 Unaffected: 11.6.2 Unaffected: 11.5.5 Unaffected: 10.11.16 Unaffected: 10.11.17 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6046",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T17:18:25.567701Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T17:18:30.553Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.6.1",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.4",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.15",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.16",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.7.0"
},
{
"status": "unaffected",
"version": "11.6.2"
},
{
"status": "unaffected",
"version": "11.5.5"
},
{
"status": "unaffected",
"version": "10.11.16"
},
{
"status": "unaffected",
"version": "10.11.17"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "insomnia1102"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.6.x \u003c= 11.6.1, 11.5.x \u003c= 11.5.4, 10.11.x \u003c= 10.11.15, 10.11.x \u003c= 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels by pre-registering a user account with a predictable plugin bot username.. Mattermost Advisory ID: MMSA-2026-00649"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:52:33.505Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00649",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00649",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68256"
],
"discovery": "EXTERNAL"
},
"title": "Plugin bot username conflict allows user account to be used as bot identity in Mattermost Server",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-6046",
"datePublished": "2026-06-12T15:52:33.505Z",
"dateReserved": "2026-04-09T19:20:26.868Z",
"dateUpdated": "2026-06-12T17:18:30.553Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6689 (GCVE-0-2026-6689)
Vulnerability from cvelistv5 – Published: 2026-06-12 15:51 – Updated: 2026-06-12 17:18
Title
Missing invite_user permission check on team creation allows unprivileged users to set open-invite and allowed-domains team settings
Summary
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to enforce PermissionInviteUser when AllowOpenInvite or AllowedDomains are set during team creation (the check was only applied on update/patch). An authenticated user holding PermissionCreateTeam but not PermissionInviteUser on the resulting team can therefore, via POST /api/v4/teams with allow_open_invite: true and/or a non-empty allowed_domains in the request body, configure invite-controlled team settings (make the team publicly joinable via open invite and/or constrain membership via allowed domains) that they would not be permitted to set on an existing team. Note: this record's affected-version data is self-contradictory for 10.11.16 (it falls inside an affected range ≤ 10.11.16 and is also listed as unaffected); 10.11.17 is the 10.11.x release consistently listed as unaffected. Mattermost Advisory ID: MMSA-2026-00655
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.6.0 , ≤ 11.6.1
(semver)
Affected: 11.5.0 , ≤ 11.5.4 (semver) Affected: 10.11.0 , ≤ 10.11.15 (semver) Affected: 10.11.0 , ≤ 10.11.16 (semver) Unaffected: 11.7.0 Unaffected: 11.6.2 Unaffected: 11.5.5 Unaffected: 10.11.16 Unaffected: 10.11.17 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6689",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T17:18:46.355666Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T17:18:52.426Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.6.1",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.4",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.15",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.16",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.7.0"
},
{
"status": "unaffected",
"version": "11.6.2"
},
{
"status": "unaffected",
"version": "11.5.5"
},
{
"status": "unaffected",
"version": "10.11.16"
},
{
"status": "unaffected",
"version": "10.11.17"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "0x7oda7123"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.6.x \u003c= 11.6.1, 11.5.x \u003c= 11.5.4, 10.11.x \u003c= 10.11.15, 10.11.x \u003c= 10.11.16 Fail to enforce PermissionInviteUser when setting AllowOpenInvite or AllowedDomains during team creation (the check was only applied on update/patch), which allows an authenticated user holding PermissionCreateTeam but not PermissionInviteUser on the resulting team to configure invite-controlled team settings (make the team publicly joinable via open invite and/or constrain membership via allowed domains) that they are not permitted to set on an existing team via POST /api/v4/teams with allow_open_invite: true and/or a non-empty allowed_domains in the request body.. Mattermost Advisory ID: MMSA-2026-00655"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:51:30.871Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00655",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00655",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68381"
],
"discovery": "EXTERNAL"
},
"title": "*Missing* {{invite_user}} *permission check on team creation allows unprivileged users to set open-invite and allowed-domains team settings*",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-6689",
"datePublished": "2026-06-12T15:51:30.871Z",
"dateReserved": "2026-04-20T15:19:13.503Z",
"dateUpdated": "2026-06-12T17:18:52.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7184 (GCVE-0-2026-7184)
Vulnerability from cvelistv5 – Published: 2026-06-12 15:49 – Updated: 2026-06-12 17:19
Title
Mattermost Remote Cluster PATCH API Leaks Authentication Tokens
Summary
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the `manage_secure_connections` permission to obtain remote cluster authentication tokens via a PATCH request to the remote cluster endpoint. Because the exposed values are authentication tokens, upgrading alone does not invalidate any token already retrieved on an affected version; rotating remote cluster tokens after upgrading should be considered. Note: 10.11.16 is not classified in this record; 10.11.17 is the listed unaffected 10.11.x release. Mattermost Advisory ID: MMSA-2026-00662
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.6.0 , ≤ 11.6.1
(semver)
Affected: 11.5.0 , ≤ 11.5.4 (semver) Affected: 10.11.0 , ≤ 10.11.15 (semver) Unaffected: 11.7.0 Unaffected: 11.6.2 Unaffected: 11.5.5 Unaffected: 10.11.17 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7184",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T17:19:06.393567Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T17:19:11.611Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.6.1",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.4",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.15",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.7.0"
},
{
"status": "unaffected",
"version": "11.6.2"
},
{
"status": "unaffected",
"version": "11.5.5"
},
{
"status": "unaffected",
"version": "10.11.17"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "winfunc"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.6.x \u003c= 11.6.1, 11.5.x \u003c= 11.5.4, 10.11.x \u003c= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the {{manage_secure_connections}} permission to obtain remote cluster authentication tokens via a PATCH request to the remote cluster endpoint.. Mattermost Advisory ID: MMSA-2026-00662"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:49:46.626Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00662",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.17 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00662",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68525"
],
"discovery": "EXTERNAL"
},
"title": "Mattermost Remote Cluster PATCH API Leaks Authentication Tokens",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-7184",
"datePublished": "2026-06-12T15:49:46.626Z",
"dateReserved": "2026-04-27T10:44:00.842Z",
"dateUpdated": "2026-06-12T17:19:11.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6739 (GCVE-0-2026-6739)
Vulnerability from cvelistv5 – Published: 2026-06-12 15:49 – Updated: 2026-06-13 03:56
Title
Mattermost: Delegated admins could patch protected default system roles
Summary
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15 (the record additionally lists 10.11.x <= 10.11.16 as affected) fail to require system-level permission when patching protected default system roles, which allows authenticated users with delegated user-management permissions to escalate privileges by altering built-in role permissions via the role patch API. Mattermost Advisory ID: MMSA-2026-00656. Note: this record lists 10.11.16 as both affected and unaffected; until the vendor clarifies, treat 10.11.17 as the fixed release for the 10.11.x line. Because the flaw allows a delegated admin to rewrite the permissions of built-in roles, operators should also audit the current permission set of the default system roles after upgrading — an upgrade alone would not be expected to revert changes already made, though this is not stated in the advisory.
Severity
6.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.6.0 , ≤ 11.6.1
(semver)
Affected: 11.5.0 , ≤ 11.5.4 (semver) Affected: 10.11.0 , ≤ 10.11.15 (semver) Affected: 10.11.0 , ≤ 10.11.16 (semver) Unaffected: 11.7.0 Unaffected: 11.6.2 Unaffected: 11.5.5 Unaffected: 10.11.16 Unaffected: 10.11.17 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6739",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T03:56:06.666Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.6.1",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.4",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.15",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.16",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.7.0"
},
{
"status": "unaffected",
"version": "11.6.2"
},
{
"status": "unaffected",
"version": "11.5.5"
},
{
"status": "unaffected",
"version": "10.11.16"
},
{
"status": "unaffected",
"version": "10.11.17"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "NeganSpl01t"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.6.x \u003c= 11.6.1, 11.5.x \u003c= 11.5.4, 10.11.x \u003c= 10.11.15, 10.11.x \u003c= 10.11.16 fail to require system-level permission when patching protected default system roles, which allows authenticated users with delegated user-management permissions to escalate privileges by altering built-in role permissions via the role patch API.. Mattermost Advisory ID: MMSA-2026-00656"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:49:14.444Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00656",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00656",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68392"
],
"discovery": "EXTERNAL"
},
"title": "Mattermost: Delegated admins could patch protected default system roles",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-6739",
"datePublished": "2026-06-12T15:49:14.444Z",
"dateReserved": "2026-04-21T08:47:06.795Z",
"dateUpdated": "2026-06-13T03:56:06.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3433 (GCVE-0-2026-3433)
Vulnerability from cvelistv5 – Published: 2026-06-12 15:46 – Updated: 2026-06-12 17:19
Title
Mattermost fails to scope role_updated websocket events to authorized team and channel members
Summary
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15 (the record additionally lists 10.11.x <= 10.11.16 as affected) fail to restrict role_updated websocket event broadcasts to members of the affected team or channel, which allows an authenticated attacker with guest-level access to observe permission scheme change notifications for private teams they are not a member of via the websocket connection. Mattermost Advisory ID: MMSA-2026-00616. Note: this record lists 10.11.16 as both affected and unaffected; until the vendor clarifies, treat 10.11.17 as the fixed release for the 10.11.x line. The impact is limited to disclosure of permission-change metadata (CVSS C:L), not to any change in the attacker's own permissions.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.6.0 , ≤ 11.6.1
(semver)
Affected: 11.5.0 , ≤ 11.5.4 (semver) Affected: 10.11.0 , ≤ 10.11.15 (semver) Affected: 10.11.0 , ≤ 10.11.16 (semver) Unaffected: 11.7.0 Unaffected: 11.6.2 Unaffected: 11.5.5 Unaffected: 10.11.16 Unaffected: 10.11.17 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3433",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T17:19:43.952848Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T17:19:49.970Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.6.1",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.4",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.15",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.16",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.7.0"
},
{
"status": "unaffected",
"version": "11.6.2"
},
{
"status": "unaffected",
"version": "11.5.5"
},
{
"status": "unaffected",
"version": "10.11.16"
},
{
"status": "unaffected",
"version": "10.11.17"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "0x7oda7123"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.6.x \u003c= 11.6.1, 11.5.x \u003c= 11.5.4, 10.11.x \u003c= 10.11.15, 10.11.x \u003c= 10.11.16 fail to restrict role_updated websocket event broadcasts to members of the affected team or channel which allows an authenticated attacker with guest-level access to observe permission scheme change notifications for private teams they are not a member of via the websocket connection.. Mattermost Advisory ID: MMSA-2026-00616"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:46:54.868Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00616",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00616",
"defect": [
"https://mattermost.atlassian.net/browse/MM-67740"
],
"discovery": "EXTERNAL"
},
"title": "Mattermost fails to scope role_updated websocket events to authorized team and channel members",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-3433",
"datePublished": "2026-06-12T15:46:54.868Z",
"dateReserved": "2026-03-02T12:48:20.745Z",
"dateUpdated": "2026-06-12T17:19:49.970Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}