Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel, including private channels, via crafted membership sync messages targeting channels the remote cluster is not authorized to access. Mattermost Advisory ID: MMSA-2026-00576
AnalysisAI
Authorization bypass in Mattermost shared channel synchronization allows authenticated remote cluster administrators to remove arbitrary users from any channel, including private channels outside the attacker's authorization scope. Affects versions 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3. CVSS 4.3 reflects the low-privilege requirement (authenticated remote cluster) and limited impact scope (integrity only, no data exposure), though cross-tenant authorization violations in collaboration platforms warrant attention. EPSS data unavailable; no public exploit identified at time of analysis; not listed in CISA KEV.
Technical ContextAI
This vulnerability stems from incorrect authorization (CWE-863) in Mattermost's shared channel synchronization protocol. Shared channels enable federated collaboration between separate Mattermost server clusters, with membership sync messages propagating user additions/removals across cluster boundaries. The affected code path fails to verify that a remote cluster has legitimate access to a target channel before processing membership removal requests. According to the CPE data (cpe:2.3:a:mattermost:mattermost), this affects the core Mattermost server application across three maintenance branches. The CVSS vector (AV:N/AC:L/PR:L) indicates network-accessible exploitation with low attack complexity once an attacker controls an authenticated remote cluster connection. The authorization gap allows privilege escalation beyond intended federation boundaries, violating the principle that cluster-to-cluster trust should not grant unrestricted access to all channels.
RemediationAI
Upgrade to Mattermost version 11.5.2, 10.11.14, or 11.4.4 (specific patch versions inferred from vulnerable version ranges but not independently confirmed-verify exact fix versions at https://mattermost.com/security-updates before deployment). Organizations unable to immediately patch should implement the following compensating controls: disable shared channel functionality entirely via System Console > Experimental > Features > Enable Shared Channels (set to false), which eliminates remote cluster attack surface but breaks federated collaboration workflows; alternatively, audit and restrict remote cluster connections to only trusted partner organizations via System Console > Shared Channels, removing any untrusted or compromised remote clusters from the allowlist. Monitor channel membership changes via audit logs for unexpected removals, particularly in private channels, as indicators of exploitation attempts. Note that disabling shared channels prevents legitimate cross-cluster collaboration and may disrupt business workflows dependent on federation-coordinate with stakeholders before implementing. No workaround exists to selectively protect individual channels while maintaining shared channel functionality, as the vulnerability exists in the core authorization check of the sync protocol.
More in Mattermost
View allDenial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s
A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto
Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w
Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf
Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit
Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo
Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t
Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh
Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse
Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr
Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30738
GHSA-8h9w-w78c-vvr3