Skip to main content

Mattermost CVE-2026-28759

| EUVDEUVD-2026-30738 MEDIUM
Incorrect Authorization (CWE-863)
2026-05-18 Mattermost GHSA-8h9w-w78c-vvr3
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 18, 2026 - 08:16 vuln.today

DescriptionCVE.org

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel, including private channels, via crafted membership sync messages targeting channels the remote cluster is not authorized to access. Mattermost Advisory ID: MMSA-2026-00576

AnalysisAI

Authorization bypass in Mattermost shared channel synchronization allows authenticated remote cluster administrators to remove arbitrary users from any channel, including private channels outside the attacker's authorization scope. Affects versions 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3. CVSS 4.3 reflects the low-privilege requirement (authenticated remote cluster) and limited impact scope (integrity only, no data exposure), though cross-tenant authorization violations in collaboration platforms warrant attention. EPSS data unavailable; no public exploit identified at time of analysis; not listed in CISA KEV.

Technical ContextAI

This vulnerability stems from incorrect authorization (CWE-863) in Mattermost's shared channel synchronization protocol. Shared channels enable federated collaboration between separate Mattermost server clusters, with membership sync messages propagating user additions/removals across cluster boundaries. The affected code path fails to verify that a remote cluster has legitimate access to a target channel before processing membership removal requests. According to the CPE data (cpe:2.3:a:mattermost:mattermost), this affects the core Mattermost server application across three maintenance branches. The CVSS vector (AV:N/AC:L/PR:L) indicates network-accessible exploitation with low attack complexity once an attacker controls an authenticated remote cluster connection. The authorization gap allows privilege escalation beyond intended federation boundaries, violating the principle that cluster-to-cluster trust should not grant unrestricted access to all channels.

RemediationAI

Upgrade to Mattermost version 11.5.2, 10.11.14, or 11.4.4 (specific patch versions inferred from vulnerable version ranges but not independently confirmed-verify exact fix versions at https://mattermost.com/security-updates before deployment). Organizations unable to immediately patch should implement the following compensating controls: disable shared channel functionality entirely via System Console > Experimental > Features > Enable Shared Channels (set to false), which eliminates remote cluster attack surface but breaks federated collaboration workflows; alternatively, audit and restrict remote cluster connections to only trusted partner organizations via System Console > Shared Channels, removing any untrusted or compromised remote clusters from the allowlist. Monitor channel membership changes via audit logs for unexpected removals, particularly in private channels, as indicators of exploitation attempts. Note that disabling shared channels prevents legitimate cross-cluster collaboration and may disrupt business workflows dependent on federation-coordinate with stakeholders before implementing. No workaround exists to selectively protect individual channels while maintaining shared channel functionality, as the vulnerability exists in the core authorization check of the sync protocol.

CVE-2026-48801 HIGH POC
8.7 Jun 26

Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s

CVE-2022-4044 MEDIUM POC
6.5 Nov 23

A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto

CVE-2022-3257 MEDIUM POC
6.5 Sep 23

Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w

CVE-2023-6458 CRITICAL
9.8 Dec 06

Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf

CVE-2020-26276 CRITICAL
9.8 Dec 17

Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2024-39777 CRITICAL
9.6 Aug 01

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit

CVE-2020-26290 CRITICAL
9.6 Dec 28

Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo

CVE-2026-9354 MEDIUM POC
5.5 May 24

Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t

CVE-2022-1002 MEDIUM POC
5.4 Mar 18

Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh

CVE-2023-2193 CRITICAL
9.1 Apr 20

Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse

CVE-2026-7387 HIGH
8.8 Jun 12

Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr

CVE-2026-3524 HIGH
8.8 Apr 06

Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal

Share

CVE-2026-28759 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy