Skip to main content

Mattermost CVE-2026-27769

| EUVDEUVD-2026-22873 LOW
Missing Authorization (CWE-862)
2026-04-15 Mattermost
2.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.7 LOW
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 10:56 vuln.today
EUVD ID Assigned
Apr 15, 2026 - 10:45 euvd
EUVD-2026-22873
Analysis Generated
Apr 15, 2026 - 10:45 vuln.today
CVE Published
Apr 15, 2026 - 10:11 nvd
LOW 2.7

DescriptionCVE.org

Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Workspaces feature to change the displayed status of local users via the Connected Workspaces API.. Mattermost Advisory ID: MMSA-2026-00603

AnalysisAI

Mattermost versions 10.11.0 through 10.11.12 fail to validate workspace ownership during Connected Workspaces API interactions, allowing a malicious remote server with high privileges to modify the displayed status of local users. This affects organizations using the Connected Workspaces federation feature and requires an attacker to already possess high administrative privileges on a connected remote instance. The vulnerability has CVSS 2.7 (low severity) and no public exploit code or active exploitation has been identified.

Technical ContextAI

Mattermost's Connected Workspaces feature enables federation between multiple Mattermost instances via API communication. The vulnerability stems from insufficient authorization checks (CWE-862: Missing Authorization) when processing user status updates through the Connected Workspaces API endpoints. The affected code fails to verify that a requesting remote workspace actually owns or has legitimate authority over the user account being modified. This is a cross-workspace authorization flaw where the application trusts a remote peer without validating the relationship between the remote server's credentials and the target user resource. CPE cpe:2.3:a:mattermost:mattermost indicates all Mattermost product installations running versions 10.11.0 through 10.11.12.

RemediationAI

Upgrade Mattermost to a patched version released after 10.11.12. Consult the Mattermost security advisory at https://mattermost.com/security-updates for the exact fixed version (not independently confirmed from provided data). As an interim mitigation, restrict Connected Workspaces federation to trusted peer instances only and audit user status change logs for unauthorized modifications. Disable Connected Workspaces feature entirely if federation is not required for operational needs. No workaround is available for organizations that must maintain federated workspace connectivity.

CVE-2026-48801 HIGH POC
8.7 Jun 26

Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s

CVE-2022-4044 MEDIUM POC
6.5 Nov 23

A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto

CVE-2022-3257 MEDIUM POC
6.5 Sep 23

Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w

CVE-2023-6458 CRITICAL
9.8 Dec 06

Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf

CVE-2020-26276 CRITICAL
9.8 Dec 17

Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2024-39777 CRITICAL
9.6 Aug 01

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit

CVE-2020-26290 CRITICAL
9.6 Dec 28

Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo

CVE-2026-9354 MEDIUM POC
5.5 May 24

Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t

CVE-2022-1002 MEDIUM POC
5.4 Mar 18

Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh

CVE-2023-2193 CRITICAL
9.1 Apr 20

Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse

CVE-2026-7387 HIGH
8.8 Jun 12

Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr

CVE-2026-3524 HIGH
8.8 Apr 06

Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal

Share

CVE-2026-27769 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy