Skip to main content

Mattermost CVE-2026-9824

| EUVDEUVD-2026-43339 MEDIUM
Missing Authorization (CWE-862)
2026-07-13 Mattermost
4.3
CVSS 3.1 · Vendor: Mattermost
Share

Severity by source

Vendor (Mattermost) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network-reachable via standard Mattermost client; requires authenticated session (PR:L); only remote cluster metadata disclosed, so C:L with no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Mattermost).

CVSS VectorVendor: Mattermost

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 11:30 vuln.today

DescriptionCVE.org

Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to check the manage_shared_channels permission in the /share-channel autocomplete handler, which allows an authenticated user without that permission to enumerate configured remote cluster connection metadata via slash command autocomplete.. Mattermost Advisory ID: MMSA-2026-00676

AnalysisAI

Missing authorization in Mattermost's /share-channel slash command autocomplete handler allows any authenticated user to enumerate remote cluster connection metadata, regardless of whether they hold the manage_shared_channels permission. Affects three active release lines (11.7.x, 11.6.x, 10.11.x) and is classified under CWE-862 (Missing Authorization). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with any valid Mattermost account
Delivery
Type /share-channel in message input
Exploit
Trigger autocomplete handler without permission check
Execution
Receive remote cluster connection metadata
Impact
Map federation topology for reconnaissance

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid, authenticated Mattermost user account (PR:L per CVSS vector) - unauthenticated access is not sufficient. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS base score of 4.3 (Medium) accurately reflects the constrained real-world impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Mattermost user with no special permissions opens any channel, types /share-channel into the message input box, and observes the autocomplete suggestions returned by the server. The autocomplete response includes remote cluster connection metadata - such as cluster display names, identifiers, or hostnames - that the user should not be permitted to see. …
Remediation Patch available per vendor advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-48801 HIGH POC
8.7 Jun 26

Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s

CVE-2022-4044 MEDIUM POC
6.5 Nov 23

A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto

CVE-2022-3257 MEDIUM POC
6.5 Sep 23

Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w

CVE-2023-6458 CRITICAL
9.8 Dec 06

Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf

CVE-2020-26276 CRITICAL
9.8 Dec 17

Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2024-39777 CRITICAL
9.6 Aug 01

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit

CVE-2020-26290 CRITICAL
9.6 Dec 28

Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo

CVE-2026-9354 MEDIUM POC
5.5 May 24

Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t

CVE-2022-1002 MEDIUM POC
5.4 Mar 18

Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh

CVE-2023-2193 CRITICAL
9.1 Apr 20

Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse

CVE-2026-7387 HIGH
8.8 Jun 12

Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr

CVE-2026-3524 HIGH
8.8 Apr 06

Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal

Share

CVE-2026-9824 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy