CVE-2026-27769
Received Received - Intake
Improper Ownership Validation in Mattermost Connected Workspaces Allows Status Manipulation

Publication date: 2026-04-15

Last updated on: 2026-04-22

Assigner: Mattermost, Inc.

Description
Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Workspaces feature to change the displayed status of local users via the Connected Workspaces API.. Mattermost Advisory ID: MMSA-2026-00603
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-04-22
Generated
2026-05-07
AI Q&A
2026-04-15
EPSS Evaluated
2026-05-05
NVD
CVE-2026-27769
EUVD
EUVD-2026-22873
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mattermost mattermost_server From 10.11.0 (inc) to 10.11.13 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

Mattermost versions 10.11.x up to 10.11.12 have a vulnerability where the software fails to properly verify if users belong to the correct Connected Workspace. This flaw allows a malicious remote server connected through the Connected Workspaces feature to manipulate the displayed status of local users by using the Connected Workspaces API.


How can this vulnerability impact me? :

An attacker controlling a remote server connected via the Connected Workspaces feature could change the status displayed for local users. This could lead to misinformation about user availability or activity, potentially disrupting communication or trust within the Mattermost environment.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart