Skip to main content

Mattermost Plugins EUVDEUVD-2026-30746

| CVE-2026-6341 MEDIUM
Incorrect Authorization (CWE-863)
2026-05-18 Mattermost GHSA-668g-wr24-468v
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 18, 2026 - 08:17 vuln.today

DescriptionCVE.org

Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is member of multiple groups to create issues to a locked group via direct API requests. Mattermost Advisory ID: MMSA-2026-00602

AnalysisAI

Mattermost Plugins through version 11.5 allow authenticated users to bypass group-level access controls and create issues or attach comments to locked groups they should not access. Attackers holding membership in multiple groups can exploit missing API-level authorization checks via direct API requests to write data into restricted groups, violating intended access boundaries. EPSS risk data not available; CVSS 4.3 reflects low-privilege authenticated network attack with low complexity. No active exploitation confirmed by CISA KEV at time of analysis, though vendor advisory (MMSA-2026-00602) confirms the vulnerability.

Technical ContextAI

This vulnerability affects the Mattermost Plugins component across versions 11.5, 11.1.5, 10.13.11, and 11.3.4.0. The root cause is CWE-863 (Incorrect Authorization), where the API layer fails to enforce group-based access control decisions. While the UI may properly restrict access to locked groups, the underlying API endpoints do not validate whether the authenticated user should have write permissions to specific groups. This creates a confused deputy scenario where multi-group membership enables privilege escalation-users can reference group identifiers in API calls to bypass intended restrictions. The CPE identifier cpe:2.3:a:mattermost:mattermost confirms the Mattermost server/plugins ecosystem as the affected product.

RemediationAI

Upgrade Mattermost to the patched version specified in vendor advisory MMSA-2026-00602 available at https://mattermost.com/security-updates. Exact fix version numbers are not provided in available CVE data, so consult the advisory directly for upgrade targets corresponding to each affected branch (11.x, 10.x series). If immediate patching is not feasible, implement compensating controls: (1) Audit API access logs for unexpected cross-group issue creation or comment activity by reviewing user group memberships against issue creation timestamps; (2) Restrict API access to trusted networks via firewall rules or reverse proxy ACLs, though this does not prevent exploitation by authenticated internal users; (3) Review and minimize multi-group memberships to reduce the attack surface, understanding this may disrupt legitimate workflows requiring cross-team collaboration. Note that disabling plugins entirely may impact core Mattermost functionality depending on deployment configuration. No workaround fully mitigates the vulnerability-patching remains the primary remediation path.

CVE-2026-48801 HIGH POC
8.7 Jun 26

Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s

CVE-2022-4044 MEDIUM POC
6.5 Nov 23

A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto

CVE-2022-3257 MEDIUM POC
6.5 Sep 23

Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w

CVE-2023-6458 CRITICAL
9.8 Dec 06

Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf

CVE-2020-26276 CRITICAL
9.8 Dec 17

Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2024-39777 CRITICAL
9.6 Aug 01

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit

CVE-2020-26290 CRITICAL
9.6 Dec 28

Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo

CVE-2026-9354 MEDIUM POC
5.5 May 24

Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t

CVE-2022-1002 MEDIUM POC
5.4 Mar 18

Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh

CVE-2023-2193 CRITICAL
9.1 Apr 20

Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse

CVE-2026-7387 HIGH
8.8 Jun 12

Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr

CVE-2026-3524 HIGH
8.8 Apr 06

Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal

Share

EUVD-2026-30746 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy