Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Remote cluster must hold authenticated federation credentials (PR:L); only post integrity within shared channels is impacted, with no confidentiality or availability effect.
Primary rating from Vendor (Mattermost).
CVSS VectorVendor: Mattermost
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to modify or delete posts authored by local users or other remotes via crafted sync messages referencing arbitrary post IDs in channels shared with that remote.. Mattermost Advisory ID: MMSA-2026-00689
AnalysisAI
Post ownership verification is absent in Mattermost's shared channel inbound sync handler, allowing an authenticated remote cluster to forge sync messages that modify or delete posts authored by local users or other federated remotes. Affected versions span the 10.11.x, 11.6.x, and 11.7.x release trains up to and including 10.11.19, 11.6.4, and 11.7.2 respectively. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to control or compromise a Mattermost remote cluster that has an established, administratively configured shared channel relationship with the target instance - this is a non-default feature requiring explicit setup by system administrators on both sides. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned and NVD-recorded CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N yields a score of 4.3 (Medium), which accurately reflects the constrained blast radius: exploitation is network-reachable (AV:N), requires no special conditions beyond established federation (AC:L), but demands an authenticated remote cluster credential (PR:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls or has compromised an authenticated Mattermost remote cluster federated with a target organization sends crafted inbound sync messages to the target's shared channel sync handler, embedding arbitrary post IDs belonging to local users or other remotes. Because the handler does not verify post ownership, the target instance processes the modification or deletion as legitimate, silently altering or erasing message history in the shared channel without any action required from the victim users. |
| Remediation | The primary remediation is to upgrade to a patched Mattermost release; exact fixed version numbers are not explicitly enumerated in the available reference data and must be confirmed at https://mattermost.com/security-updates (MMSA-2026-00689) - patch available per vendor advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Mattermost
View allDenial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s
A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto
Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w
Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf
Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit
Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo
Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t
Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh
Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse
Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr
Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43307
GHSA-4h7j-7xp4-wp5p