CVE-2026-6333
Analyzed Analyzed - Analysis Complete
Mattermost Host Header Spoofing in Slash Commands

Publication date: 2026-05-18

Last updated on: 2026-05-19

Assigner: Mattermost, Inc.

Description
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofed Host header.. Mattermost Advisory ID: MMSA-2026-00582
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-18
Last Modified
2026-05-19
Generated
2026-06-10
AI Q&A
2026-05-18
EPSS Evaluated
2026-06-08
NVD
CVE-2026-6333
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mattermost mattermost_server From 10.11.0 (inc) to 10.11.14 (exc)
mattermost mattermost_server From 11.5.0 (inc) to 11.5.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Mattermost versions 11.5.x up to 11.5.1 and 10.11.x up to 10.11.13. It occurs because the software fails to validate the Host header when constructing response URLs for custom slash commands.

An authenticated attacker can exploit this by sending a spoofed Host header, which causes the slash command responses to be redirected to a server controlled by the attacker.

Impact Analysis

The impact of this vulnerability is that an attacker with valid authentication can redirect responses from slash commands to an attacker-controlled server.

This could potentially lead to information leakage or manipulation of the responses intended for legitimate users, although the CVSS score indicates a low to medium severity with limited impact on confidentiality and availability but some impact on integrity.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Mattermost to a version later than 11.5.1 or 10.11.13 where the Host header validation issue has been fixed.

Additionally, monitor the official Mattermost Security Updates page for any patches or further guidance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6333. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart