Skip to main content

Mattermost CVE-2026-6333

| EUVDEUVD-2026-30755 LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-18 Mattermost GHSA-vqp5-2mrp-qqxg
3.5
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.5 LOW
AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 18, 2026 - 09:31 vuln.today

DescriptionCVE.org

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofed Host header.. Mattermost Advisory ID: MMSA-2026-00582

AnalysisAI

Server-Side Request Forgery in Mattermost 10.11.x through 11.5.1 allows authenticated attackers with slash command access to redirect custom slash command responses to attacker-controlled servers by manipulating the Host header. The vulnerability requires low-privileged authentication and high attack complexity (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N), resulting in a CVSS score of 3.5. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis. Vendor advisory available at mattermost.com/security-updates provides remediation guidance.

Technical ContextAI

This vulnerability stems from improper Host header validation (CWE-918: Server-Side Request Forgery) in Mattermost's custom slash command response mechanism. Slash commands are webhook-based integrations allowing users to trigger external actions from chat interface. When constructing response URLs for slash command callbacks, Mattermost versions 10.11.x through 10.11.13 and 11.5.x through 11.5.1 fail to properly validate or sanitize the HTTP Host header received from client requests. Attackers can inject a malicious Host header value, causing the server to construct response URLs pointing to attacker-controlled domains. The CPE string cpe:2.3:a:mattermost:mattermost indicates the core Mattermost server application is affected across both the 10.11.x and 11.5.x release branches. The scope change (S:C) in CVSS indicates impact extends beyond the vulnerable component itself, as responses may be redirected outside the intended trust boundary.

RemediationAI

Upgrade to patched Mattermost versions released after 11.5.1 and 10.11.13 per vendor security advisory MMSA-2026-00582 at https://mattermost.com/security-updates. Exact fixed version numbers not provided in available data - consult vendor advisory for current patch releases in the 10.11.x and 11.5.x branches. If immediate patching is infeasible, implement compensating controls: configure reverse proxy or WAF to enforce strict Host header allowlisting matching only legitimate Mattermost server hostnames (trade-off: may break legitimate multi-domain deployments without careful configuration); disable custom slash commands entirely if business processes permit (trade-off: eliminates webhook-based automation workflows); implement network egress filtering to block slash command response callbacks to external IP ranges (trade-off: breaks legitimate external integrations, requires ongoing allowlist maintenance). Monitor logs for anomalous Host header values in slash command requests as detection measure.

CVE-2026-48801 HIGH POC
8.7 Jun 26

Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s

CVE-2022-4044 MEDIUM POC
6.5 Nov 23

A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto

CVE-2022-3257 MEDIUM POC
6.5 Sep 23

Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w

CVE-2023-6458 CRITICAL
9.8 Dec 06

Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf

CVE-2020-26276 CRITICAL
9.8 Dec 17

Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2024-39777 CRITICAL
9.6 Aug 01

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit

CVE-2020-26290 CRITICAL
9.6 Dec 28

Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo

CVE-2026-9354 MEDIUM POC
5.5 May 24

Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t

CVE-2022-1002 MEDIUM POC
5.4 Mar 18

Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh

CVE-2023-2193 CRITICAL
9.1 Apr 20

Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse

CVE-2026-7387 HIGH
8.8 Jun 12

Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr

CVE-2026-3524 HIGH
8.8 Apr 06

Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal

Share

CVE-2026-6333 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy