Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    452 vulnerabilities

    CVE-2026-6541 (GCVE-0-2026-6541)

    Vulnerability from cvelistv5 – Published: 2026-07-13 10:53 – Updated: 2026-07-13 13:09
    VLAI
    Title
    Unscoped updates to other playbooks' metric configuration
    Summary
    Mattermost versions 11.7.x <= 11.7.1, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to restrict metric configuration changes to the playbook being saved, which allows an authenticated user with team access to alter another user’s playbook metric settings via a crafted import or update request with a foreign metric ID. Mattermost Advisory ID: MMSA-2026-00653
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 11.7.0 , ≤ 11.7.1 (semver)
    Affected: 11.6.0 , ≤ 11.6.4 (semver)
    Affected: 10.11.0 , ≤ 10.11.19 (semver)
    Unaffected: 11.8.0
    Unaffected: 11.7.2
    Unaffected: 11.6.5
    Unaffected: 10.11.20
    Create a notification for this product.
    Credits
    hfreak_s
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6541",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T13:09:03.398556Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T13:09:10.482Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "11.7.1",
                  "status": "affected",
                  "version": "11.7.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.6.4",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.19",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.8.0"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.2"
                },
                {
                  "status": "unaffected",
                  "version": "11.6.5"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.20"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "hfreak_s"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost versions 11.7.x \u003c= 11.7.1, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to restrict metric configuration changes to the playbook being saved, which allows an authenticated user with team access to alter another user\u2019s playbook metric settings via a crafted import or update request with a foreign metric ID. Mattermost Advisory ID: MMSA-2026-00653"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T10:53:15.958Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00653",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost to versions 11.8.0, 11.7.2, 11.6.5, 10.11.20 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00653",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-68371"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Unscoped updates to other playbooks\u0027 metric configuration",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-6541",
        "datePublished": "2026-07-13T10:53:15.958Z",
        "dateReserved": "2026-04-17T17:54:44.831Z",
        "dateUpdated": "2026-07-13T13:09:10.482Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9820 (GCVE-0-2026-9820)

    Vulnerability from cvelistv5 – Published: 2026-07-13 10:51 – Updated: 2026-07-13 13:09
    VLAI
    Title
    Mattermost schemes teams endpoint exposes private team invite IDs
    Summary
    Mattermost versions 11.7.x <= 11.7.2, 10.11.x <= 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint.. Mattermost Advisory ID: MMSA-2026-00671
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 11.7.0 , ≤ 11.7.2 (semver)
    Affected: 10.11.0 , ≤ 10.11.19 (semver)
    Unaffected: 11.8.0
    Unaffected: 11.7.3
    Unaffected: 10.11.20
    Create a notification for this product.
    Credits
    0x7oda7123
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9820",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T13:09:24.482863Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T13:09:31.383Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "11.7.2",
                  "status": "affected",
                  "version": "11.7.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.19",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.8.0"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.3"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.20"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "0x7oda7123"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost versions 11.7.x \u003c= 11.7.2, 10.11.x \u003c= 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint.. Mattermost Advisory ID: MMSA-2026-00671"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.8,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T10:51:34.023Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00671",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost to versions 11.8.0, 11.7.3, 10.11.20 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00671",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-68824"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Mattermost schemes teams endpoint exposes private team invite IDs",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-9820",
        "datePublished": "2026-07-13T10:51:34.023Z",
        "dateReserved": "2026-05-28T11:26:12.173Z",
        "dateUpdated": "2026-07-13T13:09:31.383Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9824 (GCVE-0-2026-9824)

    Vulnerability from cvelistv5 – Published: 2026-07-13 10:47 – Updated: 2026-07-13 13:10
    VLAI
    Title
    Remote cluster metadata enumeration via /share-channel autocomplete
    Summary
    Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to check the manage_shared_channels permission in the /share-channel autocomplete handler, which allows an authenticated user without that permission to enumerate configured remote cluster connection metadata via slash command autocomplete.. Mattermost Advisory ID: MMSA-2026-00676
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 11.7.0 , ≤ 11.7.2 (semver)
    Affected: 11.6.0 , ≤ 11.6.4 (semver)
    Affected: 10.11.0 , ≤ 10.11.19 (semver)
    Unaffected: 11.8.0
    Unaffected: 11.7.3
    Unaffected: 11.6.5
    Unaffected: 10.11.20
    Create a notification for this product.
    Credits
    adamsec-dev
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9824",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T13:10:30.276593Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T13:10:35.463Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "11.7.2",
                  "status": "affected",
                  "version": "11.7.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.6.4",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.19",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.8.0"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.3"
                },
                {
                  "status": "unaffected",
                  "version": "11.6.5"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.20"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "adamsec-dev"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to check the manage_shared_channels permission in the /share-channel autocomplete handler, which allows an authenticated user without that permission to enumerate configured remote cluster connection metadata via slash command autocomplete.. Mattermost Advisory ID: MMSA-2026-00676"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T10:47:33.070Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00676",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00676",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-68827"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Remote cluster metadata enumeration via /share-channel autocomplete",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-9824",
        "datePublished": "2026-07-13T10:47:33.070Z",
        "dateReserved": "2026-05-28T11:32:33.594Z",
        "dateUpdated": "2026-07-13T13:10:35.463Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9597 (GCVE-0-2026-9597)

    Vulnerability from cvelistv5 – Published: 2026-07-13 08:17 – Updated: 2026-07-13 13:55
    VLAI
    Title
    Deactivated guest accounts can authenticate via magic-link token in Mattermost REST API login endpoint
    Summary
    Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4 fail to verify whether a guest account is deactivated before creating a session in the magic-link token login path, which allows a deactivated guest user to obtain a fully functional session via a magic-link token issued prior to deactivation.. Mattermost Advisory ID: MMSA-2026-00681
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-305 - – Authentication Bypass by Primary Weakness
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 11.7.0 , ≤ 11.7.2 (semver)
    Affected: 11.6.0 , ≤ 11.6.4 (semver)
    Unaffected: 11.8.0
    Unaffected: 11.7.3
    Unaffected: 11.6.5
    Create a notification for this product.
    Credits
    alimursaliyev
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9597",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T13:55:09.692643Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T13:55:15.448Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "11.7.2",
                  "status": "affected",
                  "version": "11.7.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.6.4",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.8.0"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.3"
                },
                {
                  "status": "unaffected",
                  "version": "11.6.5"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "alimursaliyev"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4 fail to verify whether a guest account is deactivated before creating a session in the magic-link token login path, which allows a deactivated guest user to obtain a fully functional session via a magic-link token issued prior to deactivation.. Mattermost Advisory ID: MMSA-2026-00681"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-305",
                  "description": "CWE-305 \u2013 Authentication Bypass by Primary Weakness",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T08:17:36.717Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00681",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00681",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-68994"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Deactivated guest accounts can authenticate via magic-link token in Mattermost REST API login endpoint",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-9597",
        "datePublished": "2026-07-13T08:17:36.717Z",
        "dateReserved": "2026-05-26T15:15:14.343Z",
        "dateUpdated": "2026-07-13T13:55:15.448Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6850 (GCVE-0-2026-6850)

    Vulnerability from cvelistv5 – Published: 2026-07-13 08:13 – Updated: 2026-07-13 13:56
    VLAI
    Title
    Crafted message attachment causes client-side denial of service via markdown parser regex backtracking in Mattermost
    Summary
    Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate the length and content of message attachment field values, which allows an authenticated attacker to cause a denial of service for all users in a channel via a post containing a specially crafted payload that triggers catastrophic backtracking in the client-side markdown parser.. Mattermost Advisory ID: MMSA-2026-00658
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 11.7.0 , ≤ 11.7.2 (semver)
    Affected: 11.6.0 , ≤ 11.6.4 (semver)
    Affected: 10.11.0 , ≤ 10.11.19 (semver)
    Unaffected: 11.8.0
    Unaffected: 11.7.3
    Unaffected: 11.6.5
    Unaffected: 10.11.20
    Create a notification for this product.
    Credits
    idr
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6850",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T13:56:09.905130Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T13:56:16.767Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "11.7.2",
                  "status": "affected",
                  "version": "11.7.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.6.4",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.19",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.8.0"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.3"
                },
                {
                  "status": "unaffected",
                  "version": "11.6.5"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.20"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "idr"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to validate the length and content of message attachment field values, which allows an authenticated attacker to cause a denial of service for all users in a channel via a post containing a specially crafted payload that triggers catastrophic backtracking in the client-side markdown parser.. Mattermost Advisory ID: MMSA-2026-00658"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "CWE-1333: Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T08:13:02.883Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00658",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00658",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-68424"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Crafted message attachment causes client-side denial of service via markdown parser regex backtracking in Mattermost",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-6850",
        "datePublished": "2026-07-13T08:13:02.883Z",
        "dateReserved": "2026-04-22T10:05:15.625Z",
        "dateUpdated": "2026-07-13T13:56:16.767Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10106 (GCVE-0-2026-10106)

    Vulnerability from cvelistv5 – Published: 2026-07-13 08:09 – Updated: 2026-07-13 13:56
    VLAI
    Title
    Unauthorized users can trigger interactive post actions in private channels via action cookie channel mismatch in Mattermost
    Summary
    Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify that the channel referenced in an action cookie matches the channel of the target post, which allows an authenticated user without access to a private channel to trigger interactive post actions on posts in that channel via a cookie obtained from any accessible channel.. Mattermost Advisory ID: MMSA-2026-00690
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 11.7.0 , ≤ 11.7.2 (semver)
    Affected: 11.6.0 , ≤ 11.6.4 (semver)
    Affected: 10.11.0 , ≤ 10.11.19 (semver)
    Unaffected: 11.8.0
    Unaffected: 11.7.3
    Unaffected: 11.6.5
    Unaffected: 10.11.20
    Create a notification for this product.
    Credits
    minghseinyuc86595
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10106",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T13:56:34.893294Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T13:56:41.047Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "11.7.2",
                  "status": "affected",
                  "version": "11.7.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.6.4",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.19",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.8.0"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.3"
                },
                {
                  "status": "unaffected",
                  "version": "11.6.5"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.20"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "minghseinyuc86595"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to verify that the channel referenced in an action cookie matches the channel of the target post, which allows an authenticated user without access to a private channel to trigger interactive post actions on posts in that channel via a cookie obtained from any accessible channel.. Mattermost Advisory ID: MMSA-2026-00690"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T08:09:58.717Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00690",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00690",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-69059"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Unauthorized users can trigger interactive post actions in private channels via action cookie channel mismatch in Mattermost",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-10106",
        "datePublished": "2026-07-13T08:09:58.717Z",
        "dateReserved": "2026-05-29T16:06:43.719Z",
        "dateUpdated": "2026-07-13T13:56:41.047Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10085 (GCVE-0-2026-10085)

    Vulnerability from cvelistv5 – Published: 2026-07-13 08:05 – Updated: 2026-07-13 13:57
    VLAI
    Title
    Ordinary group/direct message member can enable group_constrained and remove all channel participants
    Summary
    Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to restrict the group_constrained channel flag to public and private channels that support group synchronization, which allows an ordinary group or direct message member to remove all participants from the conversation via the channel patch API.. Mattermost Advisory ID: MMSA-2026-00688
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 11.7.0 , ≤ 11.7.2 (semver)
    Affected: 11.6.0 , ≤ 11.6.4 (semver)
    Affected: 10.11.0 , ≤ 10.11.19 (semver)
    Unaffected: 11.8.0
    Unaffected: 11.7.3
    Unaffected: 11.6.5
    Unaffected: 10.11.20
    Create a notification for this product.
    Credits
    se1en
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10085",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T13:56:53.842683Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T13:57:00.893Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "11.7.2",
                  "status": "affected",
                  "version": "11.7.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.6.4",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.19",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.8.0"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.3"
                },
                {
                  "status": "unaffected",
                  "version": "11.6.5"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.20"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "se1en"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to restrict the group_constrained channel flag to public and private channels that support group synchronization, which allows an ordinary group or direct message member to remove all participants from the conversation via the channel patch API.. Mattermost Advisory ID: MMSA-2026-00688"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T08:05:42.370Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00688",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00688",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-69050"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Ordinary group/direct message member can enable group_constrained and remove all channel participants",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-10085",
        "datePublished": "2026-07-13T08:05:42.370Z",
        "dateReserved": "2026-05-29T11:54:45.722Z",
        "dateUpdated": "2026-07-13T13:57:00.893Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9708 (GCVE-0-2026-9708)

    Vulnerability from cvelistv5 – Published: 2026-07-13 08:00 – Updated: 2026-07-13 14:45
    VLAI
    Title
    Incoming webhook user attribution via unvalidated webhook owner
    Summary
    Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate that an assigned incoming webhook user has access to the target team or channel, which allows a requester with webhook management permissions to create posts or direct messages attributed to another user via crafted incoming webhook configuration and payloads.. Mattermost Advisory ID: MMSA-2026-00683
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 11.7.0 , ≤ 11.7.2 (semver)
    Affected: 11.6.0 , ≤ 11.6.4 (semver)
    Affected: 10.11.0 , ≤ 10.11.19 (semver)
    Unaffected: 11.8.0
    Unaffected: 11.7.3
    Unaffected: 11.6.5
    Unaffected: 10.11.20
    Create a notification for this product.
    Credits
    arang
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9708",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T14:44:57.510921Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T14:45:16.207Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "11.7.2",
                  "status": "affected",
                  "version": "11.7.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.6.4",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.19",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.8.0"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.3"
                },
                {
                  "status": "unaffected",
                  "version": "11.6.5"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.20"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "arang"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to validate that an assigned incoming webhook user has access to the target team or channel, which allows a requester with webhook management permissions to create posts or direct messages attributed to another user via crafted incoming webhook configuration and payloads.. Mattermost Advisory ID: MMSA-2026-00683"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T08:00:10.707Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00683",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00683",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-69009"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Incoming webhook user attribution via unvalidated webhook owner",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-9708",
        "datePublished": "2026-07-13T08:00:10.707Z",
        "dateReserved": "2026-05-27T13:46:27.399Z",
        "dateUpdated": "2026-07-13T14:45:16.207Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10103 (GCVE-0-2026-10103)

    Vulnerability from cvelistv5 – Published: 2026-07-13 07:57 – Updated: 2026-07-14 14:32
    VLAI
    Title
    Authenticated remote cluster can modify or delete posts it does not own in Mattermost Connected Workspaces shared channels
    Summary
    Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to modify or delete posts authored by local users or other remotes via crafted sync messages referencing arbitrary post IDs in channels shared with that remote.. Mattermost Advisory ID: MMSA-2026-00689
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 11.7.0 , ≤ 11.7.2 (semver)
    Affected: 11.6.0 , ≤ 11.6.4 (semver)
    Affected: 10.11.0 , ≤ 10.11.19 (semver)
    Unaffected: 11.8.0
    Unaffected: 11.7.3
    Unaffected: 11.6.5
    Unaffected: 10.11.20
    Create a notification for this product.
    Credits
    ratrarity
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10103",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-14T14:18:49.512657Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-14T14:32:32.714Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "11.7.2",
                  "status": "affected",
                  "version": "11.7.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.6.4",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.19",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.8.0"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.3"
                },
                {
                  "status": "unaffected",
                  "version": "11.6.5"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.20"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "ratrarity"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to modify or delete posts authored by local users or other remotes via crafted sync messages referencing arbitrary post IDs in channels shared with that remote.. Mattermost Advisory ID: MMSA-2026-00689"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T07:57:11.062Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00689",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00689",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-69056"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Authenticated remote cluster can modify or delete posts it does not own in Mattermost Connected Workspaces shared channels",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-10103",
        "datePublished": "2026-07-13T07:57:11.062Z",
        "dateReserved": "2026-05-29T15:37:04.097Z",
        "dateUpdated": "2026-07-14T14:32:32.714Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9571 (GCVE-0-2026-9571)

    Vulnerability from cvelistv5 – Published: 2026-07-13 07:50 – Updated: 2026-07-14 14:32
    VLAI
    Title
    Deactivated user accounts can continue to obtain valid OAuth access tokens via refresh token grant in Mattermost
    Summary
    Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation, which allows a deactivated user or an attacker in possession of a valid refresh token to obtain new functional access tokens via the OAuth refresh token grant endpoint.. Mattermost Advisory ID: MMSA-2026-00680
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-305 - – Authentication Bypass by Primary Weakness
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 11.7.0 , ≤ 11.7.2 (semver)
    Affected: 11.6.0 , ≤ 11.6.4 (semver)
    Affected: 10.11.0 , ≤ 10.11.19 (semver)
    Unaffected: 11.8.0
    Unaffected: 11.7.3
    Unaffected: 11.6.5
    Unaffected: 10.11.20
    Create a notification for this product.
    Credits
    kirs112
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9571",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-14T14:27:12.375296Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-14T14:32:51.829Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "11.7.2",
                  "status": "affected",
                  "version": "11.7.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.6.4",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.19",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.8.0"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.3"
                },
                {
                  "status": "unaffected",
                  "version": "11.6.5"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.20"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "kirs112"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation, which allows a deactivated user or an attacker in possession of a valid refresh token to obtain new functional access tokens via the OAuth refresh token grant endpoint.. Mattermost Advisory ID: MMSA-2026-00680"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-305",
                  "description": "CWE-305 \u2013 Authentication Bypass by Primary Weakness",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T07:50:55.793Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00680",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00680",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-68982"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Deactivated user accounts can continue to obtain valid OAuth access tokens via refresh token grant in Mattermost",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-9571",
        "datePublished": "2026-07-13T07:50:55.793Z",
        "dateReserved": "2026-05-26T11:52:27.228Z",
        "dateUpdated": "2026-07-14T14:32:51.829Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4339 (GCVE-0-2026-4339)

    Vulnerability from cvelistv5 – Published: 2026-06-26 14:44 – Updated: 2026-06-26 15:40
    VLAI
    Title
    SSRF via unvalidated attachment URLs in Mattermost Agents plugin MCP server
    Summary
    Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server which allows an attacker with access to the MCP server in stdio mode to perform server-side request forgery (SSRF) and exfiltrate data from internal network services via supplying internal URLs as file attachments in post creation requests.. Mattermost Advisory ID: MMSA-2026-00635
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 10.11.0 , ≤ 10.11.18 (semver)
    Affected: 11.6.0 , ≤ 11.6.3 (semver)
    Affected: 11.5.0 , ≤ 11.5.6 (semver)
    Unaffected: 11.7.0
    Unaffected: 10.11.19
    Unaffected: 11.6.4
    Unaffected: 11.5.7
    Create a notification for this product.
    Credits
    s00me00ne
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4339",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T15:40:26.600436Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T15:40:33.300Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "10.11.18",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.6.3",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.5.6",
                  "status": "affected",
                  "version": "11.5.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.0"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.19"
                },
                {
                  "status": "unaffected",
                  "version": "11.6.4"
                },
                {
                  "status": "unaffected",
                  "version": "11.5.7"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "s00me00ne"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost versions 10.11.x \u003c= 10.11.18, 11.6.x \u003c= 11.6.3, 11.5.x \u003c= 11.5.6 fail to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server which allows an attacker with access to the MCP server in stdio mode to perform server-side request forgery (SSRF) and exfiltrate data from internal network services via supplying internal URLs as file attachments in post creation requests.. Mattermost Advisory ID: MMSA-2026-00635"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T14:44:58.655Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00635",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost to versions 11.7.0, 10.11.19, 11.6.4, 11.5.7 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00635",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-67950"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "SSRF via unvalidated attachment URLs in Mattermost Agents plugin MCP server",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-4339",
        "datePublished": "2026-06-26T14:44:58.655Z",
        "dateReserved": "2026-03-17T14:57:10.575Z",
        "dateUpdated": "2026-06-26T15:40:33.300Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9699 (GCVE-0-2026-9699)

    Vulnerability from cvelistv5 – Published: 2026-06-26 14:43 – Updated: 2026-06-26 15:40
    VLAI
    Title
    Mattermost Agents plugin logs unsanitized OpenAI API keys on authentication errors
    Summary
    Mattermost Plugins versions <=11.6 10.18.11 11.3.6 11.6.5.0 fail to sanitize error responses from the OpenAI API before logging, which allows a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key via inspection of mattermost.log entries generated during authentication failures. Mattermost Advisory ID: MMSA-2026-00609
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-532 - Insertion of Sensitive Information into Log Files
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 10.18.11 (semver)
    Affected: 0 , ≤ 11.3.6 (semver)
    Affected: 0 , ≤ 11.6.5 (semver)
    Unaffected: 11.7.0
    Unaffected: 10.11.19
    Unaffected: 11.6.4
    Unaffected: 11.5.7
    Create a notification for this product.
    Credits
    Edgar Bellot Micó
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9699",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T15:40:45.502984Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T15:40:52.251Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "10.18.11",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.3.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.6.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.0"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.19"
                },
                {
                  "status": "unaffected",
                  "version": "11.6.4"
                },
                {
                  "status": "unaffected",
                  "version": "11.5.7"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Edgar Bellot Mic\u00f3"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost Plugins versions \u003c=11.6 10.18.11 11.3.6 11.6.5.0 fail to sanitize error responses from the OpenAI API before logging, which allows a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key via inspection of mattermost.log entries generated during authentication failures. Mattermost Advisory ID: MMSA-2026-00609"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532: Insertion of Sensitive Information into Log Files",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T14:43:51.702Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00609",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost Plugins to versions 11.7.0, 10.11.19, 11.6.4, 11.5.7 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00609",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-67547"
            ],
            "discovery": "{\"self\"=\u003e\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=\u003e\"Internal\", \"id\"=\u003e\"10557\"}"
          },
          "title": "Mattermost Agents plugin logs unsanitized OpenAI API keys on authentication errors",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-9699",
        "datePublished": "2026-06-26T14:43:51.702Z",
        "dateReserved": "2026-05-27T12:08:53.502Z",
        "dateUpdated": "2026-06-26T15:40:52.251Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3472 (GCVE-0-2026-3472)

    Vulnerability from cvelistv5 – Published: 2026-06-26 14:42 – Updated: 2026-06-26 15:41
    VLAI
    Title
    Markdown image rendering bypass in AI bot tool result posts in Mattermost
    Summary
    Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to properly apply markdown image rendering restrictions to AI bot tool result posts, which allows an authenticated attacker to exfiltrate data to an attacker-controlled server via injecting markdown image syntax into tool result content rendered by a victim's client.. Mattermost Advisory ID: MMSA-2026-00619
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-693 - Protection Mechanism Failure
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 10.11.0 , ≤ 10.11.18 (semver)
    Affected: 11.6.0 , ≤ 11.6.3 (semver)
    Affected: 11.5.0 , ≤ 11.5.6 (semver)
    Unaffected: 11.7.0
    Unaffected: 10.11.19
    Unaffected: 11.6.4
    Unaffected: 11.5.7
    Create a notification for this product.
    Credits
    Juho Forsén
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3472",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T15:41:02.864491Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T15:41:09.780Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "10.11.18",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.6.3",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.5.6",
                  "status": "affected",
                  "version": "11.5.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.0"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.19"
                },
                {
                  "status": "unaffected",
                  "version": "11.6.4"
                },
                {
                  "status": "unaffected",
                  "version": "11.5.7"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Juho Fors\u00e9n"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost versions 10.11.x \u003c= 10.11.18, 11.6.x \u003c= 11.6.3, 11.5.x \u003c= 11.5.6 fail to properly apply markdown image rendering restrictions to AI bot tool result posts, which allows an authenticated attacker to exfiltrate data to an attacker-controlled server via injecting markdown image syntax into tool result content rendered by a victim\u0027s client.. Mattermost Advisory ID: MMSA-2026-00619"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-693",
                  "description": "CWE-693: Protection Mechanism Failure",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T14:42:24.154Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00619",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost to versions 11.7.0, 10.11.19, 11.6.4, 11.5.7 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00619",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-67751"
            ],
            "discovery": "{\"self\"=\u003e\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=\u003e\"Internal\", \"id\"=\u003e\"10557\"}"
          },
          "title": "Markdown image rendering bypass in AI bot tool result posts in Mattermost",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-3472",
        "datePublished": "2026-06-26T14:42:24.154Z",
        "dateReserved": "2026-03-03T11:25:53.785Z",
        "dateUpdated": "2026-06-26T15:41:09.780Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-13426 (GCVE-0-2026-13426)

    Vulnerability from cvelistv5 – Published: 2026-06-26 13:47 – Updated: 2026-06-26 14:39
    VLAI
    Title
    Client4 fails to validate path parameters
    Summary
    The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost Advisory ID: MMSA-2025-00532
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost github.com/mattermost/mattermost/server/public Affected: v0.0.0 , < v0.1.22 (semver)
    Unaffected: v0.1.22
    Create a notification for this product.
    Credits
    Juho Forsén
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13426",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T14:38:53.805003Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T14:39:00.126Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "github.com/mattermost/mattermost/server/public",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThan": "v0.1.22",
                  "status": "affected",
                  "version": "v0.0.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "v0.1.22"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Juho Fors\u00e9n"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Mattermost Go module github.com/mattermost/mattermost/server/public versions \u003c v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost Advisory ID: MMSA-2025-00532"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T13:47:10.090Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2025-00532",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update the github.com/mattermost/mattermost/server/public module to v0.1.22 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2025-00532",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-65969"
            ],
            "discovery": "{\"self\"=\u003e\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=\u003e\"Internal\", \"id\"=\u003e\"10557\"}"
          },
          "title": "Client4 fails to validate path parameters"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-13426",
        "datePublished": "2026-06-26T13:47:10.090Z",
        "dateReserved": "2026-06-26T13:32:10.276Z",
        "dateUpdated": "2026-06-26T14:39:00.126Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2299 (GCVE-0-2026-2299)

    Vulnerability from cvelistv5 – Published: 2026-06-25 18:55 – Updated: 2026-06-26 14:05
    VLAI
    Title
    Improper Access Control in Mattermost Google Drive Plugin File Creation Endpoint
    Summary
    The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Google Drive Plugin Affected: 0 , ≤ 1.0.0 (semver)
    Unaffected: 1.1.0
    Create a notification for this product.
    Credits
    Lorenzo Gallegos
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2299",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T14:04:57.007408Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T14:05:09.476Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost Google Drive Plugin",
              "repo": "https://github.com/mattermost/mattermost-plugin-google-drive",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "1.1.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Lorenzo Gallegos"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership."
                }
              ],
              "value": "The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T18:55:11.905Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://github.com/mattermost/mattermost-plugin-google-drive/releases/tag/v1.1.0"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Google Drive plugin to version 1.1.0 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Google Drive plugin to version 1.1.0 or higher."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper Access Control in Mattermost Google Drive Plugin File Creation Endpoint",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-2299",
        "datePublished": "2026-06-25T18:55:11.905Z",
        "dateReserved": "2026-02-10T16:46:56.322Z",
        "dateUpdated": "2026-06-26T14:05:09.476Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8823 (GCVE-0-2026-8823)

    Vulnerability from cvelistv5 – Published: 2026-06-22 13:41 – Updated: 2026-06-22 16:12
    VLAI
    Title
    User Manager can demote bot accounts to guest without bot-management permission
    Summary
    Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to validate bot targets when demoting users to guests which allows a lower-privileged administrator to degrade arbitrary bot accounts via the standard demote-user API.. Mattermost Advisory ID: MMSA-2026-00669
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 11.7.0 , ≤ 11.7.0 (semver)
    Affected: 10.11.0 , ≤ 10.11.17 (semver)
    Unaffected: 11.8.0
    Unaffected: 11.7.1
    Unaffected: 10.11.18
    Create a notification for this product.
    Credits
    Edgar Bellot Micó
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8823",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T16:12:21.701325Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T16:12:31.350Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "11.7.0",
                  "status": "affected",
                  "version": "11.7.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.17",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.8.0"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.1"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.18"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Edgar Bellot Mic\u00f3"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost versions 11.7.x \u003c= 11.7.0, 10.11.x \u003c= 10.11.17 fail to validate bot targets when demoting users to guests which allows a lower-privileged administrator to degrade arbitrary bot accounts via the standard demote-user API.. Mattermost Advisory ID: MMSA-2026-00669"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.8,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T13:41:28.404Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00669",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost to versions 11.8.0, 11.7.1, 10.11.18 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00669",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-68700"
            ],
            "discovery": "{\"self\"=\u003e\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=\u003e\"Internal\", \"id\"=\u003e\"10557\"}"
          },
          "title": "User Manager can demote bot accounts to guest without bot-management permission",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-8823",
        "datePublished": "2026-06-22T13:41:28.404Z",
        "dateReserved": "2026-05-18T10:05:31.691Z",
        "dateUpdated": "2026-06-22T16:12:31.350Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6062 (GCVE-0-2026-6062)

    Vulnerability from cvelistv5 – Published: 2026-06-22 13:40 – Updated: 2026-06-22 15:41
    VLAI
    Title
    IDOR in Jira plugin subscription edit endpoint
    Summary
    Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 Fail to validate channel ownership of an existing subscription before applying edits which allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT request to the subscription edit endpoint.. Mattermost Advisory ID: MMSA-2026-00650
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 11.7.0 , ≤ 11.7.0 (semver)
    Affected: 11.6.0 , ≤ 11.6.2 (semver)
    Affected: 11.5.0 , ≤ 11.5.5 (semver)
    Affected: 10.11.0 , ≤ 10.11.17 (semver)
    Unaffected: 11.8.0
    Unaffected: 11.7.1
    Unaffected: 11.6.3
    Unaffected: 11.5.6
    Unaffected: 10.11.18
    Create a notification for this product.
    Credits
    0hmz
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6062",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T15:41:30.282800Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T15:41:48.877Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "11.7.0",
                  "status": "affected",
                  "version": "11.7.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.6.2",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.5.5",
                  "status": "affected",
                  "version": "11.5.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.17",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.8.0"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.1"
                },
                {
                  "status": "unaffected",
                  "version": "11.6.3"
                },
                {
                  "status": "unaffected",
                  "version": "11.5.6"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.18"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "0hmz"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost versions 11.7.x \u003c= 11.7.0, 11.6.x \u003c= 11.6.2, 11.5.x \u003c= 11.5.5, 10.11.x \u003c= 10.11.17 Fail to validate channel ownership of an existing subscription before applying edits which allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT request to the subscription edit endpoint.. Mattermost Advisory ID: MMSA-2026-00650"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T13:40:07.776Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00650",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost to versions 11.8.0, 11.7.1, 11.6.3, 11.5.6, 10.11.18 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00650",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-68271"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "IDOR in Jira plugin subscription edit endpoint",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-6062",
        "datePublished": "2026-06-22T13:40:07.776Z",
        "dateReserved": "2026-04-10T10:57:59.278Z",
        "dateUpdated": "2026-06-22T15:41:48.877Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6673 (GCVE-0-2026-6673)

    Vulnerability from cvelistv5 – Published: 2026-06-22 13:38 – Updated: 2026-06-22 15:41
    VLAI
    Title
    Mattermost Jira plugin had unauthenticated {{/ac/installed}} lifecycle callback during pending Jira Cloud install
    Summary
    Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira integration via POST to /ac/installed during the pending-install window.. Mattermost Advisory ID: MMSA-2026-00654
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 11.7.0 , ≤ 11.7.0 (semver)
    Affected: 11.6.0 , ≤ 11.6.2 (semver)
    Affected: 11.5.0 , ≤ 11.5.5 (semver)
    Affected: 10.11.0 , ≤ 10.11.17 (semver)
    Unaffected: 11.8.0
    Unaffected: 11.7.1
    Unaffected: 11.6.3
    Unaffected: 11.5.6
    Unaffected: 10.11.18
    Create a notification for this product.
    Credits
    insomnia1102
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6673",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T15:40:53.578692Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T15:41:08.511Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "11.7.0",
                  "status": "affected",
                  "version": "11.7.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.6.2",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.5.5",
                  "status": "affected",
                  "version": "11.5.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.17",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.8.0"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.1"
                },
                {
                  "status": "unaffected",
                  "version": "11.6.3"
                },
                {
                  "status": "unaffected",
                  "version": "11.5.6"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.18"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "insomnia1102"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost versions 11.7.x \u003c= 11.7.0, 11.6.x \u003c= 11.6.2, 11.5.x \u003c= 11.5.5, 10.11.x \u003c= 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira integration via POST to /ac/installed during the pending-install window.. Mattermost Advisory ID: MMSA-2026-00654"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306: Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T13:38:56.594Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00654",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost to versions 11.8.0, 11.7.1, 11.6.3, 11.5.6, 10.11.18 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00654",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-68376"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Mattermost Jira plugin had unauthenticated {{/ac/installed}} lifecycle callback during pending Jira Cloud install",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-6673",
        "datePublished": "2026-06-22T13:38:56.594Z",
        "dateReserved": "2026-04-20T13:45:33.430Z",
        "dateUpdated": "2026-06-22T15:41:08.511Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8074 (GCVE-0-2026-8074)

    Vulnerability from cvelistv5 – Published: 2026-06-22 13:37 – Updated: 2026-06-22 15:40
    VLAI
    Title
    Improper Permission Check Allows User Manager to Deactivate Bot Accounts
    Summary
    Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, which allows a User Manager with user management write access but no Integrations access to deactivate bot accounts via the PUT /api/v4/users/{id}/active API endpoint.. Mattermost Advisory ID: MMSA-2026-00667
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 11.7.0 , ≤ 11.7.0 (semver)
    Affected: 10.11.0 , ≤ 10.11.17 (semver)
    Unaffected: 11.8.0
    Unaffected: 11.7.1
    Unaffected: 10.11.18
    Create a notification for this product.
    Credits
    hackit_bharat
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8074",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T15:40:23.411921Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T15:40:37.392Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "11.7.0",
                  "status": "affected",
                  "version": "11.7.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.17",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.8.0"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.1"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.18"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "hackit_bharat"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost versions 11.7.x \u003c= 11.7.0, 10.11.x \u003c= 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, which allows a User Manager with user management write access but no Integrations access to deactivate bot accounts via the PUT /api/v4/users/{id}/active API endpoint.. Mattermost Advisory ID: MMSA-2026-00667"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.8,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T13:37:44.617Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00667",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost to versions 11.8.0, 11.7.1, 10.11.18 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00667",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-68685"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Improper Permission Check Allows User Manager to Deactivate Bot Accounts",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-8074",
        "datePublished": "2026-06-22T13:37:44.617Z",
        "dateReserved": "2026-05-07T10:55:28.977Z",
        "dateUpdated": "2026-06-22T15:40:37.392Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9162 (GCVE-0-2026-9162)

    Vulnerability from cvelistv5 – Published: 2026-06-22 13:36 – Updated: 2026-06-22 15:40
    VLAI
    Title
    Global session revocation does not invalidate active WebSocket connections
    Summary
    Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation, which allows a user with an existing WebSocket connection to remain authenticated and continue receiving real-time events until the cached session expires or the client reconnects.. Mattermost Advisory ID: MMSA-2026-00664
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-613 - Insufficient Session Expiration
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 11.7.0 , ≤ 11.7.0 (semver)
    Affected: 11.6.0 , ≤ 11.6.2 (semver)
    Affected: 11.5.0 , ≤ 11.5.5 (semver)
    Affected: 10.11.0 , ≤ 10.11.17 (semver)
    Unaffected: 11.8.0
    Unaffected: 11.7.1
    Unaffected: 11.6.3
    Unaffected: 11.5.6
    Unaffected: 10.11.18
    Create a notification for this product.
    Credits
    winfunc
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9162",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T15:39:54.095237Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T15:40:07.851Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "11.7.0",
                  "status": "affected",
                  "version": "11.7.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.6.2",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.5.5",
                  "status": "affected",
                  "version": "11.5.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.17",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.8.0"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.1"
                },
                {
                  "status": "unaffected",
                  "version": "11.6.3"
                },
                {
                  "status": "unaffected",
                  "version": "11.5.6"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.18"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "winfunc"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost versions 11.7.x \u003c= 11.7.0, 11.6.x \u003c= 11.6.2, 11.5.x \u003c= 11.5.5, 10.11.x \u003c= 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation, which allows a user with an existing WebSocket connection to remain authenticated and continue receiving real-time events until the cached session expires or the client reconnects.. Mattermost Advisory ID: MMSA-2026-00664"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "CWE-613: Insufficient Session Expiration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T13:36:43.998Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00664",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost to versions 11.8.0, 11.7.1, 11.6.3, 11.5.6, 10.11.18 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00664",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-68542"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Global session revocation does not invalidate active WebSocket connections",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-9162",
        "datePublished": "2026-06-22T13:36:43.998Z",
        "dateReserved": "2026-05-21T11:17:28.560Z",
        "dateUpdated": "2026-06-22T15:40:07.851Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5139 (GCVE-0-2026-5139)

    Vulnerability from cvelistv5 – Published: 2026-06-22 13:34 – Updated: 2026-06-22 15:39
    VLAI
    Title
    GitLab Plugin Allows Non-Admin Users to Modify Default Instance Configuration
    Summary
    Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to enforce administrator authorization on the {{setDefaultInstance}} call within the {{/gitlab connect}} command handler, which allows any authenticated user to overwrite the global default GitLab instance configuration via the {{/gitlab connect <instance-name>}} slash command.. Mattermost Advisory ID: MMSA-2026-00644
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 11.7.0 , ≤ 11.7.0 (semver)
    Affected: 11.6.0 , ≤ 11.6.2 (semver)
    Affected: 11.5.0 , ≤ 11.5.5 (semver)
    Affected: 10.11.0 , ≤ 10.11.17 (semver)
    Unaffected: 11.8.0
    Unaffected: 11.7.1
    Unaffected: 11.6.3
    Unaffected: 11.5.6
    Unaffected: 10.11.18
    Create a notification for this product.
    Credits
    hunterxluxhug
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5139",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T15:39:17.436366Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T15:39:29.821Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "11.7.0",
                  "status": "affected",
                  "version": "11.7.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.6.2",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.5.5",
                  "status": "affected",
                  "version": "11.5.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.17",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.8.0"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.1"
                },
                {
                  "status": "unaffected",
                  "version": "11.6.3"
                },
                {
                  "status": "unaffected",
                  "version": "11.5.6"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.18"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "hunterxluxhug"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost versions 11.7.x \u003c= 11.7.0, 11.6.x \u003c= 11.6.2, 11.5.x \u003c= 11.5.5, 10.11.x \u003c= 10.11.17 fail to enforce administrator authorization on the {{setDefaultInstance}} call within the {{/gitlab connect}} command handler, which allows any authenticated user to overwrite the global default GitLab instance configuration via the {{/gitlab connect \u003cinstance-name\u003e}} slash command.. Mattermost Advisory ID: MMSA-2026-00644"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T13:34:21.247Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00644",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost to versions 11.8.0, 11.7.1, 11.6.3, 11.5.6, 10.11.18 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00644",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-68132"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "GitLab Plugin Allows Non-Admin Users to Modify Default Instance Configuration",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-5139",
        "datePublished": "2026-06-22T13:34:21.247Z",
        "dateReserved": "2026-03-30T11:29:16.698Z",
        "dateUpdated": "2026-06-22T15:39:29.821Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8683 (GCVE-0-2026-8683)

    Vulnerability from cvelistv5 – Published: 2026-06-15 14:06 – Updated: 2026-06-15 16:06
    VLAI
    Title
    Overly long URLs crash the Mattermost Desktop App
    Summary
    Mattermost Desktop App versions <=6.1 5.5.13.0 fail to account for attempting to open extremely long URLs in the Mattermost Desktop App which allows a malicious server owner to crash the application via including a script to call window.open on a very large URL. Mattermost Advisory ID: MMSA-2026-00652
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 5.5.13 (semver)
    Unaffected: 6.2.0
    Unaffected: 5.13.6.0
    Create a notification for this product.
    Credits
    game0v3r
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8683",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-15T16:05:14.802461Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-15T16:06:03.652Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "5.5.13",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "6.2.0"
                },
                {
                  "status": "unaffected",
                  "version": "5.13.6.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "game0v3r"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost Desktop App versions \u003c=6.1 5.5.13.0 fail to account for attempting to open extremely long URLs in the Mattermost Desktop App which allows a malicious server owner to crash the application via including a script to call window.open on a very large URL. Mattermost Advisory ID: MMSA-2026-00652"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-15T14:06:21.686Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00652",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost Desktop App to versions 6.2.0, 5.13.6.0 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00652",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-68366"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Overly long URLs crash the Mattermost Desktop App",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-8683",
        "datePublished": "2026-06-15T14:06:21.686Z",
        "dateReserved": "2026-05-15T14:13:41.661Z",
        "dateUpdated": "2026-06-15T16:06:03.652Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6517 (GCVE-0-2026-6517)

    Vulnerability from cvelistv5 – Published: 2026-06-15 13:55 – Updated: 2026-06-15 16:00
    VLAI
    Title
    Mattermost Desktop App fails to restrict the allow list of domains which NTLM credentials are passed
    Summary
    Mattermost Desktop App versions <=6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials were forwarded to in the Mattermost Desktop App which allows any user on a server without the image proxy enabled to intercept other users credentials via embedding an image that routes to an external web server. Mattermost Advisory ID: MMSA-2026-00651
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 5.5.13 (semver)
    Unaffected: 6.2.0
    Unaffected: 5.13.6.0
    Create a notification for this product.
    Credits
    falke
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6517",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-15T15:59:27.291763Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-15T16:00:00.919Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "5.5.13",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "6.2.0"
                },
                {
                  "status": "unaffected",
                  "version": "5.13.6.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "falke"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost Desktop App versions \u003c=6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials were forwarded to in the Mattermost Desktop App which allows any user on a server without the image proxy enabled to intercept other users credentials via embedding an image that routes to an external web server. Mattermost Advisory ID: MMSA-2026-00651"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522: Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-15T13:55:25.742Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00651",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost Desktop App to versions 6.2.0, 5.13.6.0 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00651",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-68362"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Mattermost Desktop App fails to restrict the allow list of domains which NTLM credentials are passed",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-6517",
        "datePublished": "2026-06-15T13:55:25.742Z",
        "dateReserved": "2026-04-17T14:25:10.246Z",
        "dateUpdated": "2026-06-15T16:00:00.919Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6961 (GCVE-0-2026-6961)

    Vulnerability from cvelistv5 – Published: 2026-06-12 15:56 – Updated: 2026-06-16 13:17
    VLAI
    Title
    CVE-2026-6961: Path traversal via unsanitized FileInfo.Name in Mattermost federation sync
    Summary
    Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 Mattermost fails to sanitize FileInfo.Name received from federated peers during shared channel file sync, which allows an attacker who controls a federated server to write files to arbitrary locations within the target server's filestore via path traversal sequences in the filename field.. Mattermost Advisory ID: MMSA-2026-00661
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 11.6.0 , ≤ 11.6.1 (semver)
    Affected: 11.5.0 , ≤ 11.5.4 (semver)
    Affected: 10.11.0 , ≤ 10.11.15 (semver)
    Affected: 10.11.0 , ≤ 10.11.16 (semver)
    Unaffected: 11.7.0
    Unaffected: 11.6.2
    Unaffected: 11.5.5
    Unaffected: 10.11.16
    Unaffected: 10.11.17
    Create a notification for this product.
    Credits
    Hassan Mohammed
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6961",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-13T03:56:08.575775Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-16T13:17:18.192Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.1",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.5.4",
                  "status": "affected",
                  "version": "11.5.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.15",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.16",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.0"
                },
                {
                  "status": "unaffected",
                  "version": "11.6.2"
                },
                {
                  "status": "unaffected",
                  "version": "11.5.5"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.16"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.17"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Hassan Mohammed"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost versions 11.6.x \u003c= 11.6.1, 11.5.x \u003c= 11.5.4, 10.11.x \u003c= 10.11.15, 10.11.x \u003c= 10.11.16 Mattermost fails to sanitize FileInfo.Name received from federated peers during shared channel file sync, which allows an attacker who controls a federated server to write files to arbitrary locations within the target server\u0027s filestore via path traversal sequences in the filename field.. Mattermost Advisory ID: MMSA-2026-00661"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T15:56:17.364Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00661",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00661",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-68488"
            ],
            "discovery": "{\"self\"=\u003e\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=\u003e\"Internal\", \"id\"=\u003e\"10557\"}"
          },
          "title": "CVE-2026-6961: Path traversal via unsanitized FileInfo.Name in Mattermost federation sync",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-6961",
        "datePublished": "2026-06-12T15:56:17.364Z",
        "dateReserved": "2026-04-24T15:22:26.743Z",
        "dateUpdated": "2026-06-16T13:17:18.192Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7387 (GCVE-0-2026-7387)

    Vulnerability from cvelistv5 – Published: 2026-06-12 15:54 – Updated: 2026-06-13 03:56
    VLAI
    Title
    Mattermost group syncable endpoints allow privilege escalation via scheme_admin
    Summary
    Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 Mattermost fails to require role-management authorization when setting the scheme_admin flag on group syncable link and patch endpoints, which allows a user with group-link permissions to escalate themselves and group members to team or channel admin via crafted API requests.. Mattermost Advisory ID: MMSA-2026-00665
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 11.6.0 , ≤ 11.6.1 (semver)
    Affected: 11.5.0 , ≤ 11.5.4 (semver)
    Affected: 10.11.0 , ≤ 10.11.15 (semver)
    Affected: 10.11.0 , ≤ 10.11.16 (semver)
    Unaffected: 11.7.0
    Unaffected: 11.6.2
    Unaffected: 11.5.5
    Unaffected: 10.11.16
    Unaffected: 10.11.17
    Create a notification for this product.
    Credits
    winfunc
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7387",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-13T03:56:08.889Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.1",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.5.4",
                  "status": "affected",
                  "version": "11.5.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.15",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.16",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.0"
                },
                {
                  "status": "unaffected",
                  "version": "11.6.2"
                },
                {
                  "status": "unaffected",
                  "version": "11.5.5"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.16"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.17"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "winfunc"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost versions 11.6.x \u003c= 11.6.1, 11.5.x \u003c= 11.5.4, 10.11.x \u003c= 10.11.15, 10.11.x \u003c= 10.11.16 Mattermost fails to require role-management authorization when setting the scheme_admin flag on group syncable link and patch endpoints, which allows a user with group-link permissions to escalate themselves and group members to team or channel admin via crafted API requests.. Mattermost Advisory ID: MMSA-2026-00665"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T15:54:10.103Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00665",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00665",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-68546"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Mattermost group syncable endpoints allow privilege escalation via scheme_admin",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-7387",
        "datePublished": "2026-06-12T15:54:10.103Z",
        "dateReserved": "2026-04-29T09:18:29.691Z",
        "dateUpdated": "2026-06-13T03:56:08.889Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6046 (GCVE-0-2026-6046)

    Vulnerability from cvelistv5 – Published: 2026-06-12 15:52 – Updated: 2026-06-12 17:18
    VLAI
    Title
    Plugin bot username conflict allows user account to be used as bot identity in Mattermost Server
    Summary
    Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels by pre-registering a user account with a predictable plugin bot username.. Mattermost Advisory ID: MMSA-2026-00649
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 11.6.0 , ≤ 11.6.1 (semver)
    Affected: 11.5.0 , ≤ 11.5.4 (semver)
    Affected: 10.11.0 , ≤ 10.11.15 (semver)
    Affected: 10.11.0 , ≤ 10.11.16 (semver)
    Unaffected: 11.7.0
    Unaffected: 11.6.2
    Unaffected: 11.5.5
    Unaffected: 10.11.16
    Unaffected: 10.11.17
    Create a notification for this product.
    Credits
    insomnia1102
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6046",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T17:18:25.567701Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T17:18:30.553Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.1",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.5.4",
                  "status": "affected",
                  "version": "11.5.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.15",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.16",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.0"
                },
                {
                  "status": "unaffected",
                  "version": "11.6.2"
                },
                {
                  "status": "unaffected",
                  "version": "11.5.5"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.16"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.17"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "insomnia1102"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost versions 11.6.x \u003c= 11.6.1, 11.5.x \u003c= 11.5.4, 10.11.x \u003c= 10.11.15, 10.11.x \u003c= 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels by pre-registering a user account with a predictable plugin bot username.. Mattermost Advisory ID: MMSA-2026-00649"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T15:52:33.505Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00649",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00649",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-68256"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Plugin bot username conflict allows user account to be used as bot identity in Mattermost Server",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-6046",
        "datePublished": "2026-06-12T15:52:33.505Z",
        "dateReserved": "2026-04-09T19:20:26.868Z",
        "dateUpdated": "2026-06-12T17:18:30.553Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6689 (GCVE-0-2026-6689)

    Vulnerability from cvelistv5 – Published: 2026-06-12 15:51 – Updated: 2026-06-12 17:18
    VLAI
    Title
    *Missing* {{invite_user}} *permission check on team creation allows unprivileged users to set open-invite and allowed-domains team settings*
    Summary
    Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 Fail to enforce PermissionInviteUser when setting AllowOpenInvite or AllowedDomains during team creation (the check was only applied on update/patch), which allows an authenticated user holding PermissionCreateTeam but not PermissionInviteUser on the resulting team to configure invite-controlled team settings (make the team publicly joinable via open invite and/or constrain membership via allowed domains) that they are not permitted to set on an existing team via POST /api/v4/teams with allow_open_invite: true and/or a non-empty allowed_domains in the request body.. Mattermost Advisory ID: MMSA-2026-00655
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 11.6.0 , ≤ 11.6.1 (semver)
    Affected: 11.5.0 , ≤ 11.5.4 (semver)
    Affected: 10.11.0 , ≤ 10.11.15 (semver)
    Affected: 10.11.0 , ≤ 10.11.16 (semver)
    Unaffected: 11.7.0
    Unaffected: 11.6.2
    Unaffected: 11.5.5
    Unaffected: 10.11.16
    Unaffected: 10.11.17
    Create a notification for this product.
    Credits
    0x7oda7123
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6689",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T17:18:46.355666Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T17:18:52.426Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.1",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.5.4",
                  "status": "affected",
                  "version": "11.5.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.15",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.16",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.0"
                },
                {
                  "status": "unaffected",
                  "version": "11.6.2"
                },
                {
                  "status": "unaffected",
                  "version": "11.5.5"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.16"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.17"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "0x7oda7123"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost versions 11.6.x \u003c= 11.6.1, 11.5.x \u003c= 11.5.4, 10.11.x \u003c= 10.11.15, 10.11.x \u003c= 10.11.16 Fail to enforce PermissionInviteUser when setting AllowOpenInvite or AllowedDomains during team creation (the check was only applied on update/patch), which allows an authenticated user holding PermissionCreateTeam but not PermissionInviteUser on the resulting team to configure invite-controlled team settings (make the team publicly joinable via open invite and/or constrain membership via allowed domains) that they are not permitted to set on an existing team via POST /api/v4/teams with allow_open_invite: true and/or a non-empty allowed_domains in the request body.. Mattermost Advisory ID: MMSA-2026-00655"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T15:51:30.871Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00655",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00655",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-68381"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "*Missing* {{invite_user}} *permission check on team creation allows unprivileged users to set open-invite and allowed-domains team settings*",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-6689",
        "datePublished": "2026-06-12T15:51:30.871Z",
        "dateReserved": "2026-04-20T15:19:13.503Z",
        "dateUpdated": "2026-06-12T17:18:52.426Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7184 (GCVE-0-2026-7184)

    Vulnerability from cvelistv5 – Published: 2026-06-12 15:49 – Updated: 2026-06-12 17:19
    VLAI
    Title
    Mattermost Remote Cluster PATCH API Leaks Authentication Tokens
    Summary
    Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the {{manage_secure_connections}} permission to obtain remote cluster authentication tokens via a PATCH request to the remote cluster endpoint.. Mattermost Advisory ID: MMSA-2026-00662
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-201 - Insertion of Sensitive Information Into Sent Data
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 11.6.0 , ≤ 11.6.1 (semver)
    Affected: 11.5.0 , ≤ 11.5.4 (semver)
    Affected: 10.11.0 , ≤ 10.11.15 (semver)
    Unaffected: 11.7.0
    Unaffected: 11.6.2
    Unaffected: 11.5.5
    Unaffected: 10.11.17
    Create a notification for this product.
    Credits
    winfunc
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7184",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T17:19:06.393567Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T17:19:11.611Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.1",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.5.4",
                  "status": "affected",
                  "version": "11.5.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.15",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.0"
                },
                {
                  "status": "unaffected",
                  "version": "11.6.2"
                },
                {
                  "status": "unaffected",
                  "version": "11.5.5"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.17"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "winfunc"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost versions 11.6.x \u003c= 11.6.1, 11.5.x \u003c= 11.5.4, 10.11.x \u003c= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the {{manage_secure_connections}} permission to obtain remote cluster authentication tokens via a PATCH request to the remote cluster endpoint.. Mattermost Advisory ID: MMSA-2026-00662"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-201",
                  "description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T15:49:46.626Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00662",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.17 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00662",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-68525"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Mattermost Remote Cluster PATCH API Leaks Authentication Tokens",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-7184",
        "datePublished": "2026-06-12T15:49:46.626Z",
        "dateReserved": "2026-04-27T10:44:00.842Z",
        "dateUpdated": "2026-06-12T17:19:11.611Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6739 (GCVE-0-2026-6739)

    Vulnerability from cvelistv5 – Published: 2026-06-12 15:49 – Updated: 2026-06-13 03:56
    VLAI
    Title
    Mattermost: Delegated admins could patch protected default system roles
    Summary
    Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to require system-level permission when patching protected default system roles, which allows authenticated users with delegated user-management permissions to escalate privileges by altering built-in role permissions via the role patch API.. Mattermost Advisory ID: MMSA-2026-00656
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 11.6.0 , ≤ 11.6.1 (semver)
    Affected: 11.5.0 , ≤ 11.5.4 (semver)
    Affected: 10.11.0 , ≤ 10.11.15 (semver)
    Affected: 10.11.0 , ≤ 10.11.16 (semver)
    Unaffected: 11.7.0
    Unaffected: 11.6.2
    Unaffected: 11.5.5
    Unaffected: 10.11.16
    Unaffected: 10.11.17
    Create a notification for this product.
    Credits
    NeganSpl01t
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6739",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-13T03:56:06.666Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.1",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.5.4",
                  "status": "affected",
                  "version": "11.5.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.15",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.16",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.0"
                },
                {
                  "status": "unaffected",
                  "version": "11.6.2"
                },
                {
                  "status": "unaffected",
                  "version": "11.5.5"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.16"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.17"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "NeganSpl01t"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost versions 11.6.x \u003c= 11.6.1, 11.5.x \u003c= 11.5.4, 10.11.x \u003c= 10.11.15, 10.11.x \u003c= 10.11.16 fail to require system-level permission when patching protected default system roles, which allows authenticated users with delegated user-management permissions to escalate privileges by altering built-in role permissions via the role patch API.. Mattermost Advisory ID: MMSA-2026-00656"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T15:49:14.444Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00656",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00656",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-68392"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Mattermost: Delegated admins could patch protected default system roles",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-6739",
        "datePublished": "2026-06-12T15:49:14.444Z",
        "dateReserved": "2026-04-21T08:47:06.795Z",
        "dateUpdated": "2026-06-13T03:56:06.666Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3433 (GCVE-0-2026-3433)

    Vulnerability from cvelistv5 – Published: 2026-06-12 15:46 – Updated: 2026-06-12 17:19
    VLAI
    Title
    Mattermost fails to scope role_updated websocket events to authorized team and channel members
    Summary
    Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to restrict role_updated websocket event broadcasts to members of the affected team or channel which allows an authenticated attacker with guest-level access to observe permission scheme change notifications for private teams they are not a member of via the websocket connection.. Mattermost Advisory ID: MMSA-2026-00616
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates vendor-advisory
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 11.6.0 , ≤ 11.6.1 (semver)
    Affected: 11.5.0 , ≤ 11.5.4 (semver)
    Affected: 10.11.0 , ≤ 10.11.15 (semver)
    Affected: 10.11.0 , ≤ 10.11.16 (semver)
    Unaffected: 11.7.0
    Unaffected: 11.6.2
    Unaffected: 11.5.5
    Unaffected: 10.11.16
    Unaffected: 10.11.17
    Create a notification for this product.
    Credits
    0x7oda7123
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3433",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T17:19:43.952848Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T17:19:49.970Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "11.6.1",
                  "status": "affected",
                  "version": "11.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "11.5.4",
                  "status": "affected",
                  "version": "11.5.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.15",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.11.16",
                  "status": "affected",
                  "version": "10.11.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "11.7.0"
                },
                {
                  "status": "unaffected",
                  "version": "11.6.2"
                },
                {
                  "status": "unaffected",
                  "version": "11.5.5"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.16"
                },
                {
                  "status": "unaffected",
                  "version": "10.11.17"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "0x7oda7123"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost versions 11.6.x \u003c= 11.6.1, 11.5.x \u003c= 11.5.4, 10.11.x \u003c= 10.11.15, 10.11.x \u003c= 10.11.16 fail to restrict role_updated websocket event broadcasts to members of the affected team or channel which allows an authenticated attacker with guest-level access to observe permission scheme change notifications for private teams they are not a member of via the websocket connection.. Mattermost Advisory ID: MMSA-2026-00616"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T15:46:54.868Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "name": "MMSA-2026-00616",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2026-00616",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-67740"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Mattermost fails to scope role_updated websocket events to authorized team and channel members",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-3433",
        "datePublished": "2026-06-12T15:46:54.868Z",
        "dateReserved": "2026-03-02T12:48:20.745Z",
        "dateUpdated": "2026-06-12T17:19:49.970Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }