Severity by source
Vendor (Mattermost), primary rating: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
Subscription hijacking requires authenticated access (PR:L) and knowledge of a target subscription ID (AC:H); the availability impact is rated low (A:L), and the main impact is to the confidentiality and integrity of subscription data.
Description (CVE.org)
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to validate channel ownership of an existing subscription before applying edits, which allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT request to the subscription edit endpoint. Mattermost Advisory ID: MMSA-2026-00650
Analysis (AI-generated)
Subscription hijacking in Mattermost allows authenticated low-privileged users to take control of subscriptions belonging to channels they have no access to by submitting a crafted PUT request to the subscription edit endpoint. The root cause is a missing channel ownership validation check, classified as an Insecure Direct Object Reference (CWE-639), affecting versions across four active release branches (10.11.x, 11.5.x, 11.6.x, 11.7.x). …
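To make the root cause concrete, here is an added Go example (not Mattermost's code) of the flaw class beside its fix: a hypothetical subscription-edit handler that authorises only the destination channel, and a hardened one that first checks the caller against the channel the existing subscription belongs to. The `Store`, `EditRequest` and membership model are assumptions for illustration, and the fixture data is constructed.

```go
package main

import "errors"

// Hypothetical model, not Mattermost's code: a subscription belongs to the
// channel it posts into, and a user may act only on channels they belong to.
type Subscription struct{ ChannelID, Filter string }
type EditRequest struct{ SubscriptionID, ChannelID, Filter string }
type Store struct {
	subs   map[string]*Subscription
	member map[string]map[string]bool // userID -> channels the user can access
}
var ErrForbidden, ErrNotFound = errors.New("forbidden"), errors.New("not found")
func (s *Store) canAccess(userID, channelID string) bool { return s.member[userID][channelID] }

// VulnerableEdit mirrors the flaw class (CWE-639): the edit is applied to whichever
// subscription ID the client names; only the destination channel is authorised.
func (s *Store) VulnerableEdit(userID string, req EditRequest) error {
	sub, ok := s.subs[req.SubscriptionID]
	if !ok {
		return ErrNotFound
	}
	if !s.canAccess(userID, req.ChannelID) {
		return ErrForbidden
	}
	sub.ChannelID, sub.Filter = req.ChannelID, req.Filter
	return nil
}

// HardenedEdit authorises the caller against the channel the record currently belongs
// to before changing anything; unknown and inaccessible IDs get the same answer.
func (s *Store) HardenedEdit(userID string, req EditRequest) error {
	sub, ok := s.subs[req.SubscriptionID]
	if !ok || !s.canAccess(userID, sub.ChannelID) {
		return ErrNotFound
	}
	if !s.canAccess(userID, req.ChannelID) {
		return ErrForbidden
	}
	sub.ChannelID, sub.Filter = req.ChannelID, req.Filter
	return nil
}

// NewFixture: constructed data; "sub-1" posts into private "priv" (alice is a member, mallory is only in "pub").
func NewFixture() *Store {
	return &Store{
		subs:   map[string]*Subscription{"sub-1": {ChannelID: "priv", Filter: "issues"}},
		member: map[string]map[string]bool{"alice": {"priv": true}, "mallory": {"pub": true}},
	}
}
```

Returning the same not-found answer for unknown and inaccessible IDs also stops the endpoint from acting as an oracle for which subscription IDs exist.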
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the attacker to hold a valid authenticated session on the Mattermost instance (PR:L, at minimum a basic user account). … |
| Risk Assessment | The vendor-assigned CVSS 3.1 score of 6.4 (Medium) with vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L reflects a network-reachable flaw requiring only a low-privileged account but with elevated complexity, likely because the attacker must discover or enumerate subscription IDs for channels they cannot directly browse. … |
| Exploit Scenario | An authenticated Mattermost user with a standard low-privileged account submits a PUT request to the subscription edit endpoint using a subscription ID they do not legitimately own (obtained through prior enumeration or information leakage) belonging to a private channel they lack access to. Because the ownership check is missing, the attacker redirects or modifies the subscription, gaining access to notification data or channel activity streams from the restricted channel. … |
| Remediation | Upgrade to a fixed version per Mattermost advisory MMSA-2026-00650, available at https://mattermost.com/security-updates. … |
Related identifiers
- EUVD-2026-38250
- GHSA-mxq2-5jpg-7474