CVE-2026-27656
Received
Received - Intake
OpenID Identity Validation Flaw in Mattermost Enables Account Takeover
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: Mattermost, Inc.
Description
Description
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to properly validate user identity in the OpenID {{IsSameUser()}} comparison logic, which allows an attacker to take over arbitrary user accounts via an overly permissive substring matching flaw in the user discovery flow.. Mattermost Advisory ID: MMSA-2026-00590
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.12 (exc) |
| mattermost | mattermost_server | From 11.2.0 (inc) to 11.2.4 (exc) |
| mattermost | mattermost_server | From 11.3.0 (inc) to 11.3.2 (exc) |
| mattermost | mattermost_server | From 11.4.0 (inc) to 11.4.1 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-303 | The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect. |
