CVE-2026-6342

MEDIUM

Mattermost Plugins - Incorrect Authorization via Namespace Prefix Bypass

Title source: llm
STIX 2.1

Description

Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces which allows plugin users to create subscriptions to groups that were not whitelisted via creating groups that share the same prefix as a whitelisted group. Mattermost Advisory ID: MMSA-2026-00601

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory
MMSA-2026-00601
https://mattermost.com/security-updates

Scores

CVSS v3 4.3
EPSS 0.0003
EPSS Percentile 8.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-863
Status published
Products (7)
Mattermost/Mattermost < 10.13.11
Mattermost/Mattermost < 11.1.5
Mattermost/Mattermost < 11.3.4
Mattermost/Mattermost 10.11.14
Mattermost/Mattermost 11.4.4
Mattermost/Mattermost 11.5.2
Mattermost/Mattermost 11.6.0
Published May 18, 2026
Tracked Since May 18, 2026