CVE-2026-28735
Analyzed - Analysis Complete
BaseFortify
Publication date: 2026-05-22
Last updated on: 2026-05-22
Assigner: Mattermost, Inc.
Description
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the OAuth token scope on the callback, which allows an authenticated Mattermost user to gain access to private repositories by modifying the scope parameter in the GitHub authorization URL. Mattermost Advisory ID: MMSA-2026-00628
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.15 (exc) |
| mattermost | mattermost_server | From 11.4.0 (inc) to 11.4.5 (exc) |
| mattermost | mattermost_server | From 11.5.0 (inc) to 11.5.4 (exc) |
| mattermost | mattermost_server | From 11.6.0 (inc) to 11.6.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |