4.3

CVE-2026-28759

Insufficient authorization in shared channel membership sync allows remote cluster to remove users from arbitrary channels

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel, including private channels, via crafted membership sync messages targeting channels the remote cluster is not authorized to access. Mattermost Advisory ID: MMSA-2026-00576
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
MattermostMattermost Server Version >= 10.11.0 < 10.11.14
MattermostMattermost Server Version >= 11.4.0 < 11.4.4
MattermostMattermost Server Version >= 11.5.0 < 11.5.2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.15% 0.047
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
responsibledisclosure@mattermost.com 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.