CVE-2026-27769

LOW

Connected Workspaces: Malicious remote server can manipulate arbitrary user's status

Title source: cna

Description

Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Workspaces feature to change the displayed status of local users via the Connected Workspaces API.. Mattermost Advisory ID: MMSA-2026-00603

References (1)

[Vendor Advisory] https://mattermost.com/security-updates

Scores

CVSS v3 2.7

EPSS 0.0003

EPSS Percentile 9.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (4)

Mattermost/Mattermost 10.11.0 - 10.11.12

Mattermost/Mattermost 10.11.13

Mattermost/Mattermost 11.5.0

mattermost/mattermost_server 10.11.0 - 10.11.13

Published Apr 15, 2026

Tracked Since Apr 15, 2026