5.3
CVE-2026-6046
- EPSS 0.19%
- Veröffentlicht 12.06.2026 17:16:26
- Zuletzt bearbeitet 15.06.2026 20:56:44
- Quelle responsibledisclosure@mattermo
- CVE-Watchlists
- Unerledigt
Plugin bot username conflict allows user account to be used as bot identity in Mattermost Server
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels by pre-registering a user account with a predictable plugin bot username.. Mattermost Advisory ID: MMSA-2026-00649
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerMattermost
≫
Produkt
Mattermost
Default Statusunaffected
Version <=
11.6.1
Version
11.6.0
Status
affected
Version <=
11.5.4
Version
11.5.0
Status
affected
Version <=
10.11.15
Version
10.11.0
Status
affected
Version <=
10.11.16
Version
10.11.0
Status
affected
Version
11.7.0
Status
unaffected
Version
11.6.2
Status
unaffected
Version
11.5.5
Status
unaffected
Version
10.11.16
Status
unaffected
Version
10.11.17
Status
unaffected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.19% | 0.087 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| responsibledisclosure@mattermost.com | 5.3 | 1.6 | 3.6 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
|
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
https://mattermost.com/security-updates