Description
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the OAuth token scope on the callback which allows an authenticated Mattermost user to gain access to private repositories via modifying the scope parameter in the GitHub authorization URL.. Mattermost Advisory ID: MMSA-2026-00628
References (1)
Core 1
Core References
Scores
CVSS v3
5.4
EPSS
0.0003
EPSS Percentile
7.4%
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (9)
Mattermost/Mattermost
10.11.0 - 10.11.14
Mattermost/Mattermost
10.11.15
Mattermost/Mattermost
11.4.0 - 11.4.4
Mattermost/Mattermost
11.4.5
Mattermost/Mattermost
11.5.0 - 11.5.3
Mattermost/Mattermost
11.5.4
Mattermost/Mattermost
11.6.0
Mattermost/Mattermost
11.6.1
Mattermost/Mattermost
11.7.0
Published
May 22, 2026
Tracked Since
May 22, 2026