CVE-2026-27656

MEDIUM

Account Takeover via Substring Matching in OpenID Connect Authentication

Title source: cna

Description

Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to properly validate user identity in the OpenID {{IsSameUser()}} comparison logic, which allows an attacker to take over arbitrary user accounts via an overly permissive substring matching flaw in the user discovery flow.. Mattermost Advisory ID: MMSA-2026-00590

References (1)

[Vendor Advisory] https://mattermost.com/security-updates

Scores

CVSS v3 5.7

EPSS 0.0003

EPSS Percentile 8.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

Details

CWE

CWE-303

Status published

Products (12)

Mattermost/Mattermost 10.11.0 - 10.11.11

Mattermost/Mattermost 10.11.12

Mattermost/Mattermost 11.2.0 - 11.2.3

Mattermost/Mattermost 11.2.4

Mattermost/Mattermost 11.3.0 - 11.3.1

Mattermost/Mattermost 11.3.2

Mattermost/Mattermost 11.4.0

Mattermost/Mattermost 11.4.1

Mattermost/Mattermost 11.5.0

mattermost/mattermost 8.0.0-20260105080200-d27a2195068d - 8.0.0-20260217110922-b7d4a1f1f59bGo

... and 2 more

Published Mar 25, 2026

Tracked Since Mar 25, 2026