CVE-2026-6341

MEDIUM

Mattermost Plugins - Incorrect Authorization via Direct API Requests

Title source: llm

Description

Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is member of multiple groups to create issues to a locked group via direct API requests. Mattermost Advisory ID: MMSA-2026-00602

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

MMSA-2026-00602

https://mattermost.com/security-updates

Scores

CVSS v3 4.3

EPSS 0.0003

EPSS Percentile 8.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (7)

Mattermost/Mattermost < 10.13.11

Mattermost/Mattermost < 11.1.5

Mattermost/Mattermost < 11.3.4

Mattermost/Mattermost 10.11.14

Mattermost/Mattermost 11.4.4

Mattermost/Mattermost 11.5.2

Mattermost/Mattermost 11.6.0

Published May 18, 2026

Tracked Since May 18, 2026