CVE-2026-28759

MEDIUM

Mattermost Shared Channel Sync - Unauthorized Member Removal

Title source: manual
STIX 2.1

Description

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel, including private channels, via crafted membership sync messages targeting channels the remote cluster is not authorized to access. Mattermost Advisory ID: MMSA-2026-00576

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory
MMSA-2026-00576
https://mattermost.com/security-updates

Scores

CVSS v3 4.3
EPSS 0.0015
EPSS Percentile 4.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-863
Status published
Products (13)
mattermost/mattermost 0 - 8.0.0-20260216150504-8738f8c4b3d4Go
Mattermost/Mattermost 10.11.0 - 10.11.13
mattermost/mattermost 10.11.0 - 10.11.14Go
Mattermost/Mattermost 10.11.14
Mattermost/Mattermost 11.4.0 - 11.4.3
mattermost/mattermost 11.4.0 - 11.4.4Go
Mattermost/Mattermost 11.4.4
Mattermost/Mattermost 11.5.0 - 11.5.1
mattermost/mattermost 11.5.0 - 11.5.2Go
Mattermost/Mattermost 11.5.2
... and 3 more
Published May 18, 2026
Tracked Since May 18, 2026