CVE-2026-27656
OpenID Identity Validation Flaw in Mattermost Enables Account Takeover
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: Mattermost, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.12 (exc) |
| mattermost | mattermost_server | From 11.2.0 (inc) to 11.2.4 (exc) |
| mattermost | mattermost_server | From 11.3.0 (inc) to 11.3.2 (exc) |
| mattermost | mattermost_server | From 11.4.0 (inc) to 11.4.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-303 | The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in certain versions of Mattermost where the system fails to properly validate user identity during the OpenID IsSameUser() comparison process.
Due to an overly permissive substring matching flaw in the user discovery flow, an attacker can exploit this weakness to take over arbitrary user accounts.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can take control of arbitrary user accounts within the affected Mattermost versions.
This can lead to unauthorized access to sensitive information, impersonation of legitimate users, and potential disruption of communication or operations within the affected system.