Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
1255 vulnerabilities by Mattermost
CVE-2026-9824 (GCVE-0-2026-9824)
Vulnerability from nvd – Published: 2026-07-13 10:47 – Updated: 2026-07-13 13:10
VLAI
EPSS
VEX
Title
Remote cluster metadata enumeration via /share-channel autocomplete
Summary
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to check the manage_shared_channels permission in the /share-channel autocomplete handler, which allows an authenticated user without that permission to enumerate configured remote cluster connection metadata via slash command autocomplete.. Mattermost Advisory ID: MMSA-2026-00676
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.2
(semver)
Affected: 11.6.0 , ≤ 11.6.4 (semver) Affected: 10.11.0 , ≤ 10.11.19 (semver) Unaffected: 11.8.0 Unaffected: 11.7.3 Unaffected: 11.6.5 Unaffected: 10.11.20 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9824",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T13:10:30.276593Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T13:10:35.463Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.2",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.4",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.19",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.3"
},
{
"status": "unaffected",
"version": "11.6.5"
},
{
"status": "unaffected",
"version": "10.11.20"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "adamsec-dev"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to check the manage_shared_channels permission in the /share-channel autocomplete handler, which allows an authenticated user without that permission to enumerate configured remote cluster connection metadata via slash command autocomplete.. Mattermost Advisory ID: MMSA-2026-00676"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T10:47:33.070Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00676",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00676",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68827"
],
"discovery": "EXTERNAL"
},
"title": "Remote cluster metadata enumeration via /share-channel autocomplete",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-9824",
"datePublished": "2026-07-13T10:47:33.070Z",
"dateReserved": "2026-05-28T11:32:33.594Z",
"dateUpdated": "2026-07-13T13:10:35.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9820 (GCVE-0-2026-9820)
Vulnerability from nvd – Published: 2026-07-13 10:51 – Updated: 2026-07-13 13:09
VLAI
EPSS
VEX
Title
Mattermost schemes teams endpoint exposes private team invite IDs
Summary
Mattermost versions 11.7.x <= 11.7.2, 10.11.x <= 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint.. Mattermost Advisory ID: MMSA-2026-00671
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.2
(semver)
Affected: 10.11.0 , ≤ 10.11.19 (semver) Unaffected: 11.8.0 Unaffected: 11.7.3 Unaffected: 10.11.20 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9820",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T13:09:24.482863Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T13:09:31.383Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.2",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.19",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.3"
},
{
"status": "unaffected",
"version": "10.11.20"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "0x7oda7123"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.2, 10.11.x \u003c= 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint.. Mattermost Advisory ID: MMSA-2026-00671"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T10:51:34.023Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00671",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.3, 10.11.20 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00671",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68824"
],
"discovery": "EXTERNAL"
},
"title": "Mattermost schemes teams endpoint exposes private team invite IDs",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-9820",
"datePublished": "2026-07-13T10:51:34.023Z",
"dateReserved": "2026-05-28T11:26:12.173Z",
"dateUpdated": "2026-07-13T13:09:31.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6541 (GCVE-0-2026-6541)
Vulnerability from nvd – Published: 2026-07-13 10:53 – Updated: 2026-07-13 13:09
VLAI
EPSS
VEX
Title
Unscoped updates to other playbooks' metric configuration
Summary
Mattermost versions 11.7.x <= 11.7.1, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to restrict metric configuration changes to the playbook being saved, which allows an authenticated user with team access to alter another user’s playbook metric settings via a crafted import or update request with a foreign metric ID. Mattermost Advisory ID: MMSA-2026-00653
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.1
(semver)
Affected: 11.6.0 , ≤ 11.6.4 (semver) Affected: 10.11.0 , ≤ 10.11.19 (semver) Unaffected: 11.8.0 Unaffected: 11.7.2 Unaffected: 11.6.5 Unaffected: 10.11.20 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6541",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T13:09:03.398556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T13:09:10.482Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.1",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.4",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.19",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.2"
},
{
"status": "unaffected",
"version": "11.6.5"
},
{
"status": "unaffected",
"version": "10.11.20"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "hfreak_s"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.1, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to restrict metric configuration changes to the playbook being saved, which allows an authenticated user with team access to alter another user\u2019s playbook metric settings via a crafted import or update request with a foreign metric ID. Mattermost Advisory ID: MMSA-2026-00653"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T10:53:15.958Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00653",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.2, 11.6.5, 10.11.20 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00653",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68371"
],
"discovery": "EXTERNAL"
},
"title": "Unscoped updates to other playbooks\u0027 metric configuration",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-6541",
"datePublished": "2026-07-13T10:53:15.958Z",
"dateReserved": "2026-04-17T17:54:44.831Z",
"dateUpdated": "2026-07-13T13:09:10.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9708 (GCVE-0-2026-9708)
Vulnerability from nvd – Published: 2026-07-13 08:00 – Updated: 2026-07-13 14:45
VLAI
EPSS
VEX
Title
Incoming webhook user attribution via unvalidated webhook owner
Summary
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate that an assigned incoming webhook user has access to the target team or channel, which allows a requester with webhook management permissions to create posts or direct messages attributed to another user via crafted incoming webhook configuration and payloads.. Mattermost Advisory ID: MMSA-2026-00683
Severity
4.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.2
(semver)
Affected: 11.6.0 , ≤ 11.6.4 (semver) Affected: 10.11.0 , ≤ 10.11.19 (semver) Unaffected: 11.8.0 Unaffected: 11.7.3 Unaffected: 11.6.5 Unaffected: 10.11.20 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9708",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T14:44:57.510921Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T14:45:16.207Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.2",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.4",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.19",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.3"
},
{
"status": "unaffected",
"version": "11.6.5"
},
{
"status": "unaffected",
"version": "10.11.20"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "arang"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to validate that an assigned incoming webhook user has access to the target team or channel, which allows a requester with webhook management permissions to create posts or direct messages attributed to another user via crafted incoming webhook configuration and payloads.. Mattermost Advisory ID: MMSA-2026-00683"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T08:00:10.707Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00683",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00683",
"defect": [
"https://mattermost.atlassian.net/browse/MM-69009"
],
"discovery": "EXTERNAL"
},
"title": "Incoming webhook user attribution via unvalidated webhook owner",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-9708",
"datePublished": "2026-07-13T08:00:10.707Z",
"dateReserved": "2026-05-27T13:46:27.399Z",
"dateUpdated": "2026-07-13T14:45:16.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9597 (GCVE-0-2026-9597)
Vulnerability from nvd – Published: 2026-07-13 08:17 – Updated: 2026-07-13 13:55
VLAI
EPSS
VEX
Title
Deactivated guest accounts can authenticate via magic-link token in Mattermost REST API login endpoint
Summary
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4 fail to verify whether a guest account is deactivated before creating a session in the magic-link token login path, which allows a deactivated guest user to obtain a fully functional session via a magic-link token issued prior to deactivation.. Mattermost Advisory ID: MMSA-2026-00681
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-305 - – Authentication Bypass by Primary Weakness
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.2
(semver)
Affected: 11.6.0 , ≤ 11.6.4 (semver) Unaffected: 11.8.0 Unaffected: 11.7.3 Unaffected: 11.6.5 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9597",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T13:55:09.692643Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T13:55:15.448Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.2",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.4",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.3"
},
{
"status": "unaffected",
"version": "11.6.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "alimursaliyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4 fail to verify whether a guest account is deactivated before creating a session in the magic-link token login path, which allows a deactivated guest user to obtain a fully functional session via a magic-link token issued prior to deactivation.. Mattermost Advisory ID: MMSA-2026-00681"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305 \u2013 Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T08:17:36.717Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00681",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00681",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68994"
],
"discovery": "EXTERNAL"
},
"title": "Deactivated guest accounts can authenticate via magic-link token in Mattermost REST API login endpoint",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-9597",
"datePublished": "2026-07-13T08:17:36.717Z",
"dateReserved": "2026-05-26T15:15:14.343Z",
"dateUpdated": "2026-07-13T13:55:15.448Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9571 (GCVE-0-2026-9571)
Vulnerability from nvd – Published: 2026-07-13 07:50 – Updated: 2026-07-13 07:50
VLAI
EPSS
VEX
Title
Deactivated user accounts can continue to obtain valid OAuth access tokens via refresh token grant in Mattermost
Summary
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation, which allows a deactivated user or an attacker in possession of a valid refresh token to obtain new functional access tokens via the OAuth refresh token grant endpoint.. Mattermost Advisory ID: MMSA-2026-00680
Severity
5.9 (Medium)
CWE
- CWE-305 - – Authentication Bypass by Primary Weakness
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.2
(semver)
Affected: 11.6.0 , ≤ 11.6.4 (semver) Affected: 10.11.0 , ≤ 10.11.19 (semver) Unaffected: 11.8.0 Unaffected: 11.7.3 Unaffected: 11.6.5 Unaffected: 10.11.20 |
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.2",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.4",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.19",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.3"
},
{
"status": "unaffected",
"version": "11.6.5"
},
{
"status": "unaffected",
"version": "10.11.20"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "kirs112"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation, which allows a deactivated user or an attacker in possession of a valid refresh token to obtain new functional access tokens via the OAuth refresh token grant endpoint.. Mattermost Advisory ID: MMSA-2026-00680"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305 \u2013 Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T07:50:55.793Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00680",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00680",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68982"
],
"discovery": "EXTERNAL"
},
"title": "Deactivated user accounts can continue to obtain valid OAuth access tokens via refresh token grant in Mattermost",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-9571",
"datePublished": "2026-07-13T07:50:55.793Z",
"dateReserved": "2026-05-26T11:52:27.228Z",
"dateUpdated": "2026-07-13T07:50:55.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6850 (GCVE-0-2026-6850)
Vulnerability from nvd – Published: 2026-07-13 08:13 – Updated: 2026-07-13 13:56
VLAI
EPSS
VEX
Title
Crafted message attachment causes client-side denial of service via markdown parser regex backtracking in Mattermost
Summary
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate the length and content of message attachment field values, which allows an authenticated attacker to cause a denial of service for all users in a channel via a post containing a specially crafted payload that triggers catastrophic backtracking in the client-side markdown parser.. Mattermost Advisory ID: MMSA-2026-00658
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.2
(semver)
Affected: 11.6.0 , ≤ 11.6.4 (semver) Affected: 10.11.0 , ≤ 10.11.19 (semver) Unaffected: 11.8.0 Unaffected: 11.7.3 Unaffected: 11.6.5 Unaffected: 10.11.20 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6850",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T13:56:09.905130Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T13:56:16.767Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.2",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.4",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.19",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.3"
},
{
"status": "unaffected",
"version": "11.6.5"
},
{
"status": "unaffected",
"version": "10.11.20"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "idr"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to validate the length and content of message attachment field values, which allows an authenticated attacker to cause a denial of service for all users in a channel via a post containing a specially crafted payload that triggers catastrophic backtracking in the client-side markdown parser.. Mattermost Advisory ID: MMSA-2026-00658"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T08:13:02.883Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00658",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00658",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68424"
],
"discovery": "EXTERNAL"
},
"title": "Crafted message attachment causes client-side denial of service via markdown parser regex backtracking in Mattermost",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-6850",
"datePublished": "2026-07-13T08:13:02.883Z",
"dateReserved": "2026-04-22T10:05:15.625Z",
"dateUpdated": "2026-07-13T13:56:16.767Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10106 (GCVE-0-2026-10106)
Vulnerability from nvd – Published: 2026-07-13 08:09 – Updated: 2026-07-13 13:56
VLAI
EPSS
VEX
Title
Unauthorized users can trigger interactive post actions in private channels via action cookie channel mismatch in Mattermost
Summary
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify that the channel referenced in an action cookie matches the channel of the target post, which allows an authenticated user without access to a private channel to trigger interactive post actions on posts in that channel via a cookie obtained from any accessible channel.. Mattermost Advisory ID: MMSA-2026-00690
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.2
(semver)
Affected: 11.6.0 , ≤ 11.6.4 (semver) Affected: 10.11.0 , ≤ 10.11.19 (semver) Unaffected: 11.8.0 Unaffected: 11.7.3 Unaffected: 11.6.5 Unaffected: 10.11.20 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10106",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T13:56:34.893294Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T13:56:41.047Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.2",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.4",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.19",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.3"
},
{
"status": "unaffected",
"version": "11.6.5"
},
{
"status": "unaffected",
"version": "10.11.20"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "minghseinyuc86595"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to verify that the channel referenced in an action cookie matches the channel of the target post, which allows an authenticated user without access to a private channel to trigger interactive post actions on posts in that channel via a cookie obtained from any accessible channel.. Mattermost Advisory ID: MMSA-2026-00690"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T08:09:58.717Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00690",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00690",
"defect": [
"https://mattermost.atlassian.net/browse/MM-69059"
],
"discovery": "EXTERNAL"
},
"title": "Unauthorized users can trigger interactive post actions in private channels via action cookie channel mismatch in Mattermost",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-10106",
"datePublished": "2026-07-13T08:09:58.717Z",
"dateReserved": "2026-05-29T16:06:43.719Z",
"dateUpdated": "2026-07-13T13:56:41.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10103 (GCVE-0-2026-10103)
Vulnerability from nvd – Published: 2026-07-13 07:57 – Updated: 2026-07-13 07:57
VLAI
EPSS
VEX
Title
Authenticated remote cluster can modify or delete posts it does not own in Mattermost Connected Workspaces shared channels
Summary
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to modify or delete posts authored by local users or other remotes via crafted sync messages referencing arbitrary post IDs in channels shared with that remote.. Mattermost Advisory ID: MMSA-2026-00689
Severity
4.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.2
(semver)
Affected: 11.6.0 , ≤ 11.6.4 (semver) Affected: 10.11.0 , ≤ 10.11.19 (semver) Unaffected: 11.8.0 Unaffected: 11.7.3 Unaffected: 11.6.5 Unaffected: 10.11.20 |
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.2",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.4",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.19",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.3"
},
{
"status": "unaffected",
"version": "11.6.5"
},
{
"status": "unaffected",
"version": "10.11.20"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ratrarity"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to modify or delete posts authored by local users or other remotes via crafted sync messages referencing arbitrary post IDs in channels shared with that remote.. Mattermost Advisory ID: MMSA-2026-00689"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T07:57:11.062Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00689",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00689",
"defect": [
"https://mattermost.atlassian.net/browse/MM-69056"
],
"discovery": "EXTERNAL"
},
"title": "Authenticated remote cluster can modify or delete posts it does not own in Mattermost Connected Workspaces shared channels",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-10103",
"datePublished": "2026-07-13T07:57:11.062Z",
"dateReserved": "2026-05-29T15:37:04.097Z",
"dateUpdated": "2026-07-13T07:57:11.062Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10085 (GCVE-0-2026-10085)
Vulnerability from nvd – Published: 2026-07-13 08:05 – Updated: 2026-07-13 13:57
VLAI
EPSS
VEX
Title
Ordinary group/direct message member can enable group_constrained and remove all channel participants
Summary
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to restrict the group_constrained channel flag to public and private channels that support group synchronization, which allows an ordinary group or direct message member to remove all participants from the conversation via the channel patch API.. Mattermost Advisory ID: MMSA-2026-00688
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.2
(semver)
Affected: 11.6.0 , ≤ 11.6.4 (semver) Affected: 10.11.0 , ≤ 10.11.19 (semver) Unaffected: 11.8.0 Unaffected: 11.7.3 Unaffected: 11.6.5 Unaffected: 10.11.20 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10085",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T13:56:53.842683Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T13:57:00.893Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.2",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.4",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.19",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.3"
},
{
"status": "unaffected",
"version": "11.6.5"
},
{
"status": "unaffected",
"version": "10.11.20"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "se1en"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to restrict the group_constrained channel flag to public and private channels that support group synchronization, which allows an ordinary group or direct message member to remove all participants from the conversation via the channel patch API.. Mattermost Advisory ID: MMSA-2026-00688"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T08:05:42.370Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00688",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00688",
"defect": [
"https://mattermost.atlassian.net/browse/MM-69050"
],
"discovery": "EXTERNAL"
},
"title": "Ordinary group/direct message member can enable group_constrained and remove all channel participants",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-10085",
"datePublished": "2026-07-13T08:05:42.370Z",
"dateReserved": "2026-05-29T11:54:45.722Z",
"dateUpdated": "2026-07-13T13:57:00.893Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9699 (GCVE-0-2026-9699)
Vulnerability from nvd – Published: 2026-06-26 14:43 – Updated: 2026-06-26 15:40
VLAI
EPSS
VEX
Title
Mattermost Agents plugin logs unsanitized OpenAI API keys on authentication errors
Summary
Mattermost Plugins versions <=11.6 10.18.11 11.3.6 11.6.5.0 fail to sanitize error responses from the OpenAI API before logging, which allows a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key via inspection of mattermost.log entries generated during authentication failures. Mattermost Advisory ID: MMSA-2026-00609
Severity
6.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-532 - Insertion of Sensitive Information into Log Files
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
0 , ≤ 10.18.11
(semver)
Affected: 0 , ≤ 11.3.6 (semver) Affected: 0 , ≤ 11.6.5 (semver) Unaffected: 11.7.0 Unaffected: 10.11.19 Unaffected: 11.6.4 Unaffected: 11.5.7 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9699",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T15:40:45.502984Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T15:40:52.251Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "10.18.11",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.3.6",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.7.0"
},
{
"status": "unaffected",
"version": "10.11.19"
},
{
"status": "unaffected",
"version": "11.6.4"
},
{
"status": "unaffected",
"version": "11.5.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Edgar Bellot Mic\u00f3"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost Plugins versions \u003c=11.6 10.18.11 11.3.6 11.6.5.0 fail to sanitize error responses from the OpenAI API before logging, which allows a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key via inspection of mattermost.log entries generated during authentication failures. Mattermost Advisory ID: MMSA-2026-00609"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log Files",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T14:43:51.702Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00609",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost Plugins to versions 11.7.0, 10.11.19, 11.6.4, 11.5.7 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00609",
"defect": [
"https://mattermost.atlassian.net/browse/MM-67547"
],
"discovery": "{\"self\"=\u003e\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=\u003e\"Internal\", \"id\"=\u003e\"10557\"}"
},
"title": "Mattermost Agents plugin logs unsanitized OpenAI API keys on authentication errors",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-9699",
"datePublished": "2026-06-26T14:43:51.702Z",
"dateReserved": "2026-05-27T12:08:53.502Z",
"dateUpdated": "2026-06-26T15:40:52.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4339 (GCVE-0-2026-4339)
Vulnerability from nvd – Published: 2026-06-26 14:44 – Updated: 2026-06-26 15:40
VLAI
EPSS
VEX
Title
SSRF via unvalidated attachment URLs in Mattermost Agents plugin MCP server
Summary
Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server which allows an attacker with access to the MCP server in stdio mode to perform server-side request forgery (SSRF) and exfiltrate data from internal network services via supplying internal URLs as file attachments in post creation requests.. Mattermost Advisory ID: MMSA-2026-00635
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
10.11.0 , ≤ 10.11.18
(semver)
Affected: 11.6.0 , ≤ 11.6.3 (semver) Affected: 11.5.0 , ≤ 11.5.6 (semver) Unaffected: 11.7.0 Unaffected: 10.11.19 Unaffected: 11.6.4 Unaffected: 11.5.7 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4339",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T15:40:26.600436Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T15:40:33.300Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "10.11.18",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.3",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.6",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.7.0"
},
{
"status": "unaffected",
"version": "10.11.19"
},
{
"status": "unaffected",
"version": "11.6.4"
},
{
"status": "unaffected",
"version": "11.5.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "s00me00ne"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 10.11.x \u003c= 10.11.18, 11.6.x \u003c= 11.6.3, 11.5.x \u003c= 11.5.6 fail to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server which allows an attacker with access to the MCP server in stdio mode to perform server-side request forgery (SSRF) and exfiltrate data from internal network services via supplying internal URLs as file attachments in post creation requests.. Mattermost Advisory ID: MMSA-2026-00635"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T14:44:58.655Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00635",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.7.0, 10.11.19, 11.6.4, 11.5.7 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00635",
"defect": [
"https://mattermost.atlassian.net/browse/MM-67950"
],
"discovery": "EXTERNAL"
},
"title": "SSRF via unvalidated attachment URLs in Mattermost Agents plugin MCP server",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-4339",
"datePublished": "2026-06-26T14:44:58.655Z",
"dateReserved": "2026-03-17T14:57:10.575Z",
"dateUpdated": "2026-06-26T15:40:33.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3472 (GCVE-0-2026-3472)
Vulnerability from nvd – Published: 2026-06-26 14:42 – Updated: 2026-06-26 15:41
VLAI
EPSS
VEX
Title
Markdown image rendering bypass in AI bot tool result posts in Mattermost
Summary
Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to properly apply markdown image rendering restrictions to AI bot tool result posts, which allows an authenticated attacker to exfiltrate data to an attacker-controlled server via injecting markdown image syntax into tool result content rendered by a victim's client.. Mattermost Advisory ID: MMSA-2026-00619
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-693 - Protection Mechanism Failure
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
10.11.0 , ≤ 10.11.18
(semver)
Affected: 11.6.0 , ≤ 11.6.3 (semver) Affected: 11.5.0 , ≤ 11.5.6 (semver) Unaffected: 11.7.0 Unaffected: 10.11.19 Unaffected: 11.6.4 Unaffected: 11.5.7 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3472",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T15:41:02.864491Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T15:41:09.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "10.11.18",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.3",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.6",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.7.0"
},
{
"status": "unaffected",
"version": "10.11.19"
},
{
"status": "unaffected",
"version": "11.6.4"
},
{
"status": "unaffected",
"version": "11.5.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juho Fors\u00e9n"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 10.11.x \u003c= 10.11.18, 11.6.x \u003c= 11.6.3, 11.5.x \u003c= 11.5.6 fail to properly apply markdown image rendering restrictions to AI bot tool result posts, which allows an authenticated attacker to exfiltrate data to an attacker-controlled server via injecting markdown image syntax into tool result content rendered by a victim\u0027s client.. Mattermost Advisory ID: MMSA-2026-00619"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T14:42:24.154Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00619",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.7.0, 10.11.19, 11.6.4, 11.5.7 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00619",
"defect": [
"https://mattermost.atlassian.net/browse/MM-67751"
],
"discovery": "{\"self\"=\u003e\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=\u003e\"Internal\", \"id\"=\u003e\"10557\"}"
},
"title": "Markdown image rendering bypass in AI bot tool result posts in Mattermost",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-3472",
"datePublished": "2026-06-26T14:42:24.154Z",
"dateReserved": "2026-03-03T11:25:53.785Z",
"dateUpdated": "2026-06-26T15:41:09.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13426 (GCVE-0-2026-13426)
Vulnerability from nvd – Published: 2026-06-26 13:47 – Updated: 2026-06-26 14:39
VLAI
EPSS
VEX
Title
Client4 fails to validate path parameters
Summary
The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost Advisory ID: MMSA-2025-00532
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | github.com/mattermost/mattermost/server/public |
Affected:
v0.0.0 , < v0.1.22
(semver)
Unaffected: v0.1.22 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13426",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T14:38:53.805003Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T14:39:00.126Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "github.com/mattermost/mattermost/server/public",
"vendor": "Mattermost",
"versions": [
{
"lessThan": "v0.1.22",
"status": "affected",
"version": "v0.0.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "v0.1.22"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juho Fors\u00e9n"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Mattermost Go module github.com/mattermost/mattermost/server/public versions \u003c v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost Advisory ID: MMSA-2025-00532"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T13:47:10.090Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2025-00532",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update the github.com/mattermost/mattermost/server/public module to v0.1.22 or higher."
}
],
"source": {
"advisory": "MMSA-2025-00532",
"defect": [
"https://mattermost.atlassian.net/browse/MM-65969"
],
"discovery": "{\"self\"=\u003e\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=\u003e\"Internal\", \"id\"=\u003e\"10557\"}"
},
"title": "Client4 fails to validate path parameters"
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-13426",
"datePublished": "2026-06-26T13:47:10.090Z",
"dateReserved": "2026-06-26T13:32:10.276Z",
"dateUpdated": "2026-06-26T14:39:00.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2299 (GCVE-0-2026-2299)
Vulnerability from nvd – Published: 2026-06-25 18:55 – Updated: 2026-06-26 14:05
VLAI
EPSS
VEX
Title
Improper Access Control in Mattermost Google Drive Plugin File Creation Endpoint
Summary
The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership.
Severity
4.2 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost Google Drive Plugin |
Affected:
0 , ≤ 1.0.0
(semver)
Unaffected: 1.1.0 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2299",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T14:04:57.007408Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T14:05:09.476Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost Google Drive Plugin",
"repo": "https://github.com/mattermost/mattermost-plugin-google-drive",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "1.0.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "1.1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lorenzo Gallegos"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership."
}
],
"value": "The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T18:55:11.905Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://github.com/mattermost/mattermost-plugin-google-drive/releases/tag/v1.1.0"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Google Drive plugin to version 1.1.0 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Google Drive plugin to version 1.1.0 or higher."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper Access Control in Mattermost Google Drive Plugin File Creation Endpoint",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-2299",
"datePublished": "2026-06-25T18:55:11.905Z",
"dateReserved": "2026-02-10T16:46:56.322Z",
"dateUpdated": "2026-06-26T14:05:09.476Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6541 (GCVE-0-2026-6541)
Vulnerability from cvelistv5 – Published: 2026-07-13 10:53 – Updated: 2026-07-13 13:09
VLAI
EPSS
VEX
Title
Unscoped updates to other playbooks' metric configuration
Summary
Mattermost versions 11.7.x <= 11.7.1, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to restrict metric configuration changes to the playbook being saved, which allows an authenticated user with team access to alter another user’s playbook metric settings via a crafted import or update request with a foreign metric ID. Mattermost Advisory ID: MMSA-2026-00653
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.1
(semver)
Affected: 11.6.0 , ≤ 11.6.4 (semver) Affected: 10.11.0 , ≤ 10.11.19 (semver) Unaffected: 11.8.0 Unaffected: 11.7.2 Unaffected: 11.6.5 Unaffected: 10.11.20 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6541",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T13:09:03.398556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T13:09:10.482Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.1",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.4",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.19",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.2"
},
{
"status": "unaffected",
"version": "11.6.5"
},
{
"status": "unaffected",
"version": "10.11.20"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "hfreak_s"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.1, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to restrict metric configuration changes to the playbook being saved, which allows an authenticated user with team access to alter another user\u2019s playbook metric settings via a crafted import or update request with a foreign metric ID. Mattermost Advisory ID: MMSA-2026-00653"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T10:53:15.958Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00653",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.2, 11.6.5, 10.11.20 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00653",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68371"
],
"discovery": "EXTERNAL"
},
"title": "Unscoped updates to other playbooks\u0027 metric configuration",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-6541",
"datePublished": "2026-07-13T10:53:15.958Z",
"dateReserved": "2026-04-17T17:54:44.831Z",
"dateUpdated": "2026-07-13T13:09:10.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9820 (GCVE-0-2026-9820)
Vulnerability from cvelistv5 – Published: 2026-07-13 10:51 – Updated: 2026-07-13 13:09
VLAI
EPSS
VEX
Title
Mattermost schemes teams endpoint exposes private team invite IDs
Summary
Mattermost versions 11.7.x <= 11.7.2, 10.11.x <= 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint.. Mattermost Advisory ID: MMSA-2026-00671
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.2
(semver)
Affected: 10.11.0 , ≤ 10.11.19 (semver) Unaffected: 11.8.0 Unaffected: 11.7.3 Unaffected: 10.11.20 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9820",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T13:09:24.482863Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T13:09:31.383Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.2",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.19",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.3"
},
{
"status": "unaffected",
"version": "10.11.20"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "0x7oda7123"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.2, 10.11.x \u003c= 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint.. Mattermost Advisory ID: MMSA-2026-00671"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T10:51:34.023Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00671",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.3, 10.11.20 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00671",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68824"
],
"discovery": "EXTERNAL"
},
"title": "Mattermost schemes teams endpoint exposes private team invite IDs",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-9820",
"datePublished": "2026-07-13T10:51:34.023Z",
"dateReserved": "2026-05-28T11:26:12.173Z",
"dateUpdated": "2026-07-13T13:09:31.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9824 (GCVE-0-2026-9824)
Vulnerability from cvelistv5 – Published: 2026-07-13 10:47 – Updated: 2026-07-13 13:10
VLAI
EPSS
VEX
Title
Remote cluster metadata enumeration via /share-channel autocomplete
Summary
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to check the manage_shared_channels permission in the /share-channel autocomplete handler, which allows an authenticated user without that permission to enumerate configured remote cluster connection metadata via slash command autocomplete.. Mattermost Advisory ID: MMSA-2026-00676
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.2
(semver)
Affected: 11.6.0 , ≤ 11.6.4 (semver) Affected: 10.11.0 , ≤ 10.11.19 (semver) Unaffected: 11.8.0 Unaffected: 11.7.3 Unaffected: 11.6.5 Unaffected: 10.11.20 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9824",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T13:10:30.276593Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T13:10:35.463Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.2",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.4",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.19",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.3"
},
{
"status": "unaffected",
"version": "11.6.5"
},
{
"status": "unaffected",
"version": "10.11.20"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "adamsec-dev"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to check the manage_shared_channels permission in the /share-channel autocomplete handler, which allows an authenticated user without that permission to enumerate configured remote cluster connection metadata via slash command autocomplete.. Mattermost Advisory ID: MMSA-2026-00676"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T10:47:33.070Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00676",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00676",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68827"
],
"discovery": "EXTERNAL"
},
"title": "Remote cluster metadata enumeration via /share-channel autocomplete",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-9824",
"datePublished": "2026-07-13T10:47:33.070Z",
"dateReserved": "2026-05-28T11:32:33.594Z",
"dateUpdated": "2026-07-13T13:10:35.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9597 (GCVE-0-2026-9597)
Vulnerability from cvelistv5 – Published: 2026-07-13 08:17 – Updated: 2026-07-13 13:55
VLAI
EPSS
VEX
Title
Deactivated guest accounts can authenticate via magic-link token in Mattermost REST API login endpoint
Summary
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4 fail to verify whether a guest account is deactivated before creating a session in the magic-link token login path, which allows a deactivated guest user to obtain a fully functional session via a magic-link token issued prior to deactivation.. Mattermost Advisory ID: MMSA-2026-00681
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-305 - – Authentication Bypass by Primary Weakness
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.2
(semver)
Affected: 11.6.0 , ≤ 11.6.4 (semver) Unaffected: 11.8.0 Unaffected: 11.7.3 Unaffected: 11.6.5 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9597",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T13:55:09.692643Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T13:55:15.448Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.2",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.4",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.3"
},
{
"status": "unaffected",
"version": "11.6.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "alimursaliyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4 fail to verify whether a guest account is deactivated before creating a session in the magic-link token login path, which allows a deactivated guest user to obtain a fully functional session via a magic-link token issued prior to deactivation.. Mattermost Advisory ID: MMSA-2026-00681"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305 \u2013 Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T08:17:36.717Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00681",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00681",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68994"
],
"discovery": "EXTERNAL"
},
"title": "Deactivated guest accounts can authenticate via magic-link token in Mattermost REST API login endpoint",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-9597",
"datePublished": "2026-07-13T08:17:36.717Z",
"dateReserved": "2026-05-26T15:15:14.343Z",
"dateUpdated": "2026-07-13T13:55:15.448Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6850 (GCVE-0-2026-6850)
Vulnerability from cvelistv5 – Published: 2026-07-13 08:13 – Updated: 2026-07-13 13:56
VLAI
EPSS
VEX
Title
Crafted message attachment causes client-side denial of service via markdown parser regex backtracking in Mattermost
Summary
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate the length and content of message attachment field values, which allows an authenticated attacker to cause a denial of service for all users in a channel via a post containing a specially crafted payload that triggers catastrophic backtracking in the client-side markdown parser.. Mattermost Advisory ID: MMSA-2026-00658
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.2
(semver)
Affected: 11.6.0 , ≤ 11.6.4 (semver) Affected: 10.11.0 , ≤ 10.11.19 (semver) Unaffected: 11.8.0 Unaffected: 11.7.3 Unaffected: 11.6.5 Unaffected: 10.11.20 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6850",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T13:56:09.905130Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T13:56:16.767Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.2",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.4",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.19",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.3"
},
{
"status": "unaffected",
"version": "11.6.5"
},
{
"status": "unaffected",
"version": "10.11.20"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "idr"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to validate the length and content of message attachment field values, which allows an authenticated attacker to cause a denial of service for all users in a channel via a post containing a specially crafted payload that triggers catastrophic backtracking in the client-side markdown parser.. Mattermost Advisory ID: MMSA-2026-00658"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T08:13:02.883Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00658",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00658",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68424"
],
"discovery": "EXTERNAL"
},
"title": "Crafted message attachment causes client-side denial of service via markdown parser regex backtracking in Mattermost",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-6850",
"datePublished": "2026-07-13T08:13:02.883Z",
"dateReserved": "2026-04-22T10:05:15.625Z",
"dateUpdated": "2026-07-13T13:56:16.767Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10106 (GCVE-0-2026-10106)
Vulnerability from cvelistv5 – Published: 2026-07-13 08:09 – Updated: 2026-07-13 13:56
VLAI
EPSS
VEX
Title
Unauthorized users can trigger interactive post actions in private channels via action cookie channel mismatch in Mattermost
Summary
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify that the channel referenced in an action cookie matches the channel of the target post, which allows an authenticated user without access to a private channel to trigger interactive post actions on posts in that channel via a cookie obtained from any accessible channel.. Mattermost Advisory ID: MMSA-2026-00690
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.2
(semver)
Affected: 11.6.0 , ≤ 11.6.4 (semver) Affected: 10.11.0 , ≤ 10.11.19 (semver) Unaffected: 11.8.0 Unaffected: 11.7.3 Unaffected: 11.6.5 Unaffected: 10.11.20 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10106",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T13:56:34.893294Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T13:56:41.047Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.2",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.4",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.19",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.3"
},
{
"status": "unaffected",
"version": "11.6.5"
},
{
"status": "unaffected",
"version": "10.11.20"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "minghseinyuc86595"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to verify that the channel referenced in an action cookie matches the channel of the target post, which allows an authenticated user without access to a private channel to trigger interactive post actions on posts in that channel via a cookie obtained from any accessible channel.. Mattermost Advisory ID: MMSA-2026-00690"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T08:09:58.717Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00690",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00690",
"defect": [
"https://mattermost.atlassian.net/browse/MM-69059"
],
"discovery": "EXTERNAL"
},
"title": "Unauthorized users can trigger interactive post actions in private channels via action cookie channel mismatch in Mattermost",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-10106",
"datePublished": "2026-07-13T08:09:58.717Z",
"dateReserved": "2026-05-29T16:06:43.719Z",
"dateUpdated": "2026-07-13T13:56:41.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10085 (GCVE-0-2026-10085)
Vulnerability from cvelistv5 – Published: 2026-07-13 08:05 – Updated: 2026-07-13 13:57
VLAI
EPSS
VEX
Title
Ordinary group/direct message member can enable group_constrained and remove all channel participants
Summary
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to restrict the group_constrained channel flag to public and private channels that support group synchronization, which allows an ordinary group or direct message member to remove all participants from the conversation via the channel patch API.. Mattermost Advisory ID: MMSA-2026-00688
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.2
(semver)
Affected: 11.6.0 , ≤ 11.6.4 (semver) Affected: 10.11.0 , ≤ 10.11.19 (semver) Unaffected: 11.8.0 Unaffected: 11.7.3 Unaffected: 11.6.5 Unaffected: 10.11.20 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10085",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T13:56:53.842683Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T13:57:00.893Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.2",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.4",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.19",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.3"
},
{
"status": "unaffected",
"version": "11.6.5"
},
{
"status": "unaffected",
"version": "10.11.20"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "se1en"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to restrict the group_constrained channel flag to public and private channels that support group synchronization, which allows an ordinary group or direct message member to remove all participants from the conversation via the channel patch API.. Mattermost Advisory ID: MMSA-2026-00688"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T08:05:42.370Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00688",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00688",
"defect": [
"https://mattermost.atlassian.net/browse/MM-69050"
],
"discovery": "EXTERNAL"
},
"title": "Ordinary group/direct message member can enable group_constrained and remove all channel participants",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-10085",
"datePublished": "2026-07-13T08:05:42.370Z",
"dateReserved": "2026-05-29T11:54:45.722Z",
"dateUpdated": "2026-07-13T13:57:00.893Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9708 (GCVE-0-2026-9708)
Vulnerability from cvelistv5 – Published: 2026-07-13 08:00 – Updated: 2026-07-13 14:45
VLAI
EPSS
VEX
Title
Incoming webhook user attribution via unvalidated webhook owner
Summary
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate that an assigned incoming webhook user has access to the target team or channel, which allows a requester with webhook management permissions to create posts or direct messages attributed to another user via crafted incoming webhook configuration and payloads.. Mattermost Advisory ID: MMSA-2026-00683
Severity
4.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.2
(semver)
Affected: 11.6.0 , ≤ 11.6.4 (semver) Affected: 10.11.0 , ≤ 10.11.19 (semver) Unaffected: 11.8.0 Unaffected: 11.7.3 Unaffected: 11.6.5 Unaffected: 10.11.20 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9708",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T14:44:57.510921Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T14:45:16.207Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.2",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.4",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.19",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.3"
},
{
"status": "unaffected",
"version": "11.6.5"
},
{
"status": "unaffected",
"version": "10.11.20"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "arang"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to validate that an assigned incoming webhook user has access to the target team or channel, which allows a requester with webhook management permissions to create posts or direct messages attributed to another user via crafted incoming webhook configuration and payloads.. Mattermost Advisory ID: MMSA-2026-00683"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T08:00:10.707Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00683",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00683",
"defect": [
"https://mattermost.atlassian.net/browse/MM-69009"
],
"discovery": "EXTERNAL"
},
"title": "Incoming webhook user attribution via unvalidated webhook owner",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-9708",
"datePublished": "2026-07-13T08:00:10.707Z",
"dateReserved": "2026-05-27T13:46:27.399Z",
"dateUpdated": "2026-07-13T14:45:16.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10103 (GCVE-0-2026-10103)
Vulnerability from cvelistv5 – Published: 2026-07-13 07:57 – Updated: 2026-07-13 07:57
VLAI
EPSS
VEX
Title
Authenticated remote cluster can modify or delete posts it does not own in Mattermost Connected Workspaces shared channels
Summary
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to modify or delete posts authored by local users or other remotes via crafted sync messages referencing arbitrary post IDs in channels shared with that remote.. Mattermost Advisory ID: MMSA-2026-00689
Severity
4.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.2
(semver)
Affected: 11.6.0 , ≤ 11.6.4 (semver) Affected: 10.11.0 , ≤ 10.11.19 (semver) Unaffected: 11.8.0 Unaffected: 11.7.3 Unaffected: 11.6.5 Unaffected: 10.11.20 |
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.2",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.4",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.19",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.3"
},
{
"status": "unaffected",
"version": "11.6.5"
},
{
"status": "unaffected",
"version": "10.11.20"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ratrarity"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to modify or delete posts authored by local users or other remotes via crafted sync messages referencing arbitrary post IDs in channels shared with that remote.. Mattermost Advisory ID: MMSA-2026-00689"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T07:57:11.062Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00689",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00689",
"defect": [
"https://mattermost.atlassian.net/browse/MM-69056"
],
"discovery": "EXTERNAL"
},
"title": "Authenticated remote cluster can modify or delete posts it does not own in Mattermost Connected Workspaces shared channels",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-10103",
"datePublished": "2026-07-13T07:57:11.062Z",
"dateReserved": "2026-05-29T15:37:04.097Z",
"dateUpdated": "2026-07-13T07:57:11.062Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9571 (GCVE-0-2026-9571)
Vulnerability from cvelistv5 – Published: 2026-07-13 07:50 – Updated: 2026-07-13 07:50
VLAI
EPSS
VEX
Title
Deactivated user accounts can continue to obtain valid OAuth access tokens via refresh token grant in Mattermost
Summary
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation, which allows a deactivated user or an attacker in possession of a valid refresh token to obtain new functional access tokens via the OAuth refresh token grant endpoint.. Mattermost Advisory ID: MMSA-2026-00680
Severity
5.9 (Medium)
CWE
- CWE-305 - – Authentication Bypass by Primary Weakness
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.7.0 , ≤ 11.7.2
(semver)
Affected: 11.6.0 , ≤ 11.6.4 (semver) Affected: 10.11.0 , ≤ 10.11.19 (semver) Unaffected: 11.8.0 Unaffected: 11.7.3 Unaffected: 11.6.5 Unaffected: 10.11.20 |
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.7.2",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.4",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.11.19",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.8.0"
},
{
"status": "unaffected",
"version": "11.7.3"
},
{
"status": "unaffected",
"version": "11.6.5"
},
{
"status": "unaffected",
"version": "10.11.20"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "kirs112"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation, which allows a deactivated user or an attacker in possession of a valid refresh token to obtain new functional access tokens via the OAuth refresh token grant endpoint.. Mattermost Advisory ID: MMSA-2026-00680"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305 \u2013 Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T07:50:55.793Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00680",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00680",
"defect": [
"https://mattermost.atlassian.net/browse/MM-68982"
],
"discovery": "EXTERNAL"
},
"title": "Deactivated user accounts can continue to obtain valid OAuth access tokens via refresh token grant in Mattermost",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-9571",
"datePublished": "2026-07-13T07:50:55.793Z",
"dateReserved": "2026-05-26T11:52:27.228Z",
"dateUpdated": "2026-07-13T07:50:55.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4339 (GCVE-0-2026-4339)
Vulnerability from cvelistv5 – Published: 2026-06-26 14:44 – Updated: 2026-06-26 15:40
VLAI
EPSS
VEX
Title
SSRF via unvalidated attachment URLs in Mattermost Agents plugin MCP server
Summary
Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server which allows an attacker with access to the MCP server in stdio mode to perform server-side request forgery (SSRF) and exfiltrate data from internal network services via supplying internal URLs as file attachments in post creation requests.. Mattermost Advisory ID: MMSA-2026-00635
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
10.11.0 , ≤ 10.11.18
(semver)
Affected: 11.6.0 , ≤ 11.6.3 (semver) Affected: 11.5.0 , ≤ 11.5.6 (semver) Unaffected: 11.7.0 Unaffected: 10.11.19 Unaffected: 11.6.4 Unaffected: 11.5.7 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4339",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T15:40:26.600436Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T15:40:33.300Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "10.11.18",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.3",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.6",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.7.0"
},
{
"status": "unaffected",
"version": "10.11.19"
},
{
"status": "unaffected",
"version": "11.6.4"
},
{
"status": "unaffected",
"version": "11.5.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "s00me00ne"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 10.11.x \u003c= 10.11.18, 11.6.x \u003c= 11.6.3, 11.5.x \u003c= 11.5.6 fail to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server which allows an attacker with access to the MCP server in stdio mode to perform server-side request forgery (SSRF) and exfiltrate data from internal network services via supplying internal URLs as file attachments in post creation requests.. Mattermost Advisory ID: MMSA-2026-00635"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T14:44:58.655Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00635",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.7.0, 10.11.19, 11.6.4, 11.5.7 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00635",
"defect": [
"https://mattermost.atlassian.net/browse/MM-67950"
],
"discovery": "EXTERNAL"
},
"title": "SSRF via unvalidated attachment URLs in Mattermost Agents plugin MCP server",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-4339",
"datePublished": "2026-06-26T14:44:58.655Z",
"dateReserved": "2026-03-17T14:57:10.575Z",
"dateUpdated": "2026-06-26T15:40:33.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9699 (GCVE-0-2026-9699)
Vulnerability from cvelistv5 – Published: 2026-06-26 14:43 – Updated: 2026-06-26 15:40
VLAI
EPSS
VEX
Title
Mattermost Agents plugin logs unsanitized OpenAI API keys on authentication errors
Summary
Mattermost Plugins versions <=11.6 10.18.11 11.3.6 11.6.5.0 fail to sanitize error responses from the OpenAI API before logging, which allows a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key via inspection of mattermost.log entries generated during authentication failures. Mattermost Advisory ID: MMSA-2026-00609
Severity
6.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-532 - Insertion of Sensitive Information into Log Files
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
0 , ≤ 10.18.11
(semver)
Affected: 0 , ≤ 11.3.6 (semver) Affected: 0 , ≤ 11.6.5 (semver) Unaffected: 11.7.0 Unaffected: 10.11.19 Unaffected: 11.6.4 Unaffected: 11.5.7 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9699",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T15:40:45.502984Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T15:40:52.251Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "10.18.11",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.3.6",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.7.0"
},
{
"status": "unaffected",
"version": "10.11.19"
},
{
"status": "unaffected",
"version": "11.6.4"
},
{
"status": "unaffected",
"version": "11.5.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Edgar Bellot Mic\u00f3"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost Plugins versions \u003c=11.6 10.18.11 11.3.6 11.6.5.0 fail to sanitize error responses from the OpenAI API before logging, which allows a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key via inspection of mattermost.log entries generated during authentication failures. Mattermost Advisory ID: MMSA-2026-00609"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log Files",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T14:43:51.702Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00609",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost Plugins to versions 11.7.0, 10.11.19, 11.6.4, 11.5.7 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00609",
"defect": [
"https://mattermost.atlassian.net/browse/MM-67547"
],
"discovery": "{\"self\"=\u003e\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=\u003e\"Internal\", \"id\"=\u003e\"10557\"}"
},
"title": "Mattermost Agents plugin logs unsanitized OpenAI API keys on authentication errors",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-9699",
"datePublished": "2026-06-26T14:43:51.702Z",
"dateReserved": "2026-05-27T12:08:53.502Z",
"dateUpdated": "2026-06-26T15:40:52.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3472 (GCVE-0-2026-3472)
Vulnerability from cvelistv5 – Published: 2026-06-26 14:42 – Updated: 2026-06-26 15:41
VLAI
EPSS
VEX
Title
Markdown image rendering bypass in AI bot tool result posts in Mattermost
Summary
Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to properly apply markdown image rendering restrictions to AI bot tool result posts, which allows an authenticated attacker to exfiltrate data to an attacker-controlled server via injecting markdown image syntax into tool result content rendered by a victim's client.. Mattermost Advisory ID: MMSA-2026-00619
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-693 - Protection Mechanism Failure
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
10.11.0 , ≤ 10.11.18
(semver)
Affected: 11.6.0 , ≤ 11.6.3 (semver) Affected: 11.5.0 , ≤ 11.5.6 (semver) Unaffected: 11.7.0 Unaffected: 10.11.19 Unaffected: 11.6.4 Unaffected: 11.5.7 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3472",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T15:41:02.864491Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T15:41:09.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "10.11.18",
"status": "affected",
"version": "10.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.6.3",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.5.6",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.7.0"
},
{
"status": "unaffected",
"version": "10.11.19"
},
{
"status": "unaffected",
"version": "11.6.4"
},
{
"status": "unaffected",
"version": "11.5.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juho Fors\u00e9n"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 10.11.x \u003c= 10.11.18, 11.6.x \u003c= 11.6.3, 11.5.x \u003c= 11.5.6 fail to properly apply markdown image rendering restrictions to AI bot tool result posts, which allows an authenticated attacker to exfiltrate data to an attacker-controlled server via injecting markdown image syntax into tool result content rendered by a victim\u0027s client.. Mattermost Advisory ID: MMSA-2026-00619"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T14:42:24.154Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00619",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.7.0, 10.11.19, 11.6.4, 11.5.7 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00619",
"defect": [
"https://mattermost.atlassian.net/browse/MM-67751"
],
"discovery": "{\"self\"=\u003e\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=\u003e\"Internal\", \"id\"=\u003e\"10557\"}"
},
"title": "Markdown image rendering bypass in AI bot tool result posts in Mattermost",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-3472",
"datePublished": "2026-06-26T14:42:24.154Z",
"dateReserved": "2026-03-03T11:25:53.785Z",
"dateUpdated": "2026-06-26T15:41:09.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13426 (GCVE-0-2026-13426)
Vulnerability from cvelistv5 – Published: 2026-06-26 13:47 – Updated: 2026-06-26 14:39
VLAI
EPSS
VEX
Title
Client4 fails to validate path parameters
Summary
The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost Advisory ID: MMSA-2025-00532
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | github.com/mattermost/mattermost/server/public |
Affected:
v0.0.0 , < v0.1.22
(semver)
Unaffected: v0.1.22 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13426",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T14:38:53.805003Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T14:39:00.126Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "github.com/mattermost/mattermost/server/public",
"vendor": "Mattermost",
"versions": [
{
"lessThan": "v0.1.22",
"status": "affected",
"version": "v0.0.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "v0.1.22"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juho Fors\u00e9n"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Mattermost Go module github.com/mattermost/mattermost/server/public versions \u003c v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost Advisory ID: MMSA-2025-00532"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T13:47:10.090Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2025-00532",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update the github.com/mattermost/mattermost/server/public module to v0.1.22 or higher."
}
],
"source": {
"advisory": "MMSA-2025-00532",
"defect": [
"https://mattermost.atlassian.net/browse/MM-65969"
],
"discovery": "{\"self\"=\u003e\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=\u003e\"Internal\", \"id\"=\u003e\"10557\"}"
},
"title": "Client4 fails to validate path parameters"
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-13426",
"datePublished": "2026-06-26T13:47:10.090Z",
"dateReserved": "2026-06-26T13:32:10.276Z",
"dateUpdated": "2026-06-26T14:39:00.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CERTFR-2026-AVI-0813
Vulnerability from certfr_avis - Published: 2026-06-29 - Updated: 2026-06-29
De multiples vulnérabilités ont été découvertes dans Mattermost Server. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Mattermost | Mattermost Server | Mattermost Server versions 11.7.x antérieures à 11.7.5 | ||
| Mattermost | Mattermost Server | Mattermost Server versions 11.8.x antérieures à 11.8.2 | ||
| Mattermost | Mattermost Server | Mattermost Server versions 11.6.x antérieures à 11.6.6 | ||
| Mattermost | Mattermost Server | Mattermost Server versions 10.11.x antérieures à 10.11.21 |
References
| Title | Publication Time | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Mattermost Server versions 11.7.x ant\u00e9rieures \u00e0 11.7.5",
"product": {
"name": "Mattermost Server",
"vendor": {
"name": "Mattermost",
"scada": false
}
}
},
{
"description": "Mattermost Server versions 11.8.x ant\u00e9rieures \u00e0 11.8.2",
"product": {
"name": "Mattermost Server",
"vendor": {
"name": "Mattermost",
"scada": false
}
}
},
{
"description": "Mattermost Server versions 11.6.x ant\u00e9rieures \u00e0 11.6.6",
"product": {
"name": "Mattermost Server",
"vendor": {
"name": "Mattermost",
"scada": false
}
}
},
{
"description": "Mattermost Server versions 10.11.x ant\u00e9rieures \u00e0 10.11.21",
"product": {
"name": "Mattermost Server",
"vendor": {
"name": "Mattermost",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [],
"initial_release_date": "2026-06-29T00:00:00",
"last_revision_date": "2026-06-29T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0813",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-06-29T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Mattermost Server. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Mattermost Server",
"vendor_advisories": [
{
"published_at": "2026-06-26",
"title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2026-00694",
"url": "https://mattermost.com/security-updates/"
},
{
"published_at": "2026-06-26",
"title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2026-00681",
"url": "https://mattermost.com/security-updates/"
},
{
"published_at": "2026-06-26",
"title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2026-00695",
"url": "https://mattermost.com/security-updates/"
},
{
"published_at": "2026-06-26",
"title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2026-00666",
"url": "https://mattermost.com/security-updates/"
}
]
}