CVE-2026-6333
Mattermost Host Header Spoofing in Slash Commands
Publication date: 2026-05-18
Last updated on: 2026-05-19
Assigner: Mattermost, Inc.
Description
CVSS Scores
EPSS Scores
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.14 (exc) |
| mattermost | mattermost_server | From 11.5.0 (inc) to 11.5.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Mattermost versions 11.5.x up to 11.5.1 and 10.11.x up to 10.11.13. It occurs because the server does not validate the Host header of the incoming request when it constructs the response URLs for custom slash commands, so the URL is built from whatever host the client supplies.
An authenticated attacker can exploit this by sending a request with a spoofed Host header, which causes the slash command responses to be sent to a server controlled by the attacker instead of the legitimate Mattermost server.
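As an added illustration of the defensive pattern (example code, not Mattermost's own), the following Go function derives a slash-command response URL from the administrator-configured site URL and rejects any request whose Host header does not match that configured host; the `siteURL` constant, the command path and the sample Host values are constructed for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Constructed site URL, standing in for the server's configured canonical
// address (an assumption for this example, not Mattermost's real setting).
const siteURL = "https://chat.example.com"

// buildResponseURL builds the callback URL for a slash-command response from
// the configured site URL, never from the request's Host header. reqHost is
// the incoming Host header; the request is rejected unless it matches the
// configured host, which blocks redirection to an attacker-chosen host.
func buildResponseURL(siteURL, reqHost, path string) (string, error) {
	base, err := url.Parse(siteURL)
	if err != nil || base.Host == "" {
		return "", fmt.Errorf("invalid site URL %q", siteURL)
	}
	if normalizeHost(base.Host) != normalizeHost(reqHost) {
		return "", fmt.Errorf("host header %q does not match configured host %q", reqHost, base.Host)
	}
	// Scheme and host come from configuration; only the path is caller-supplied.
	u := *base
	u.Path = strings.TrimRight(base.Path, "/") + "/" + strings.TrimLeft(path, "/")
	return u.String(), nil
}

// normalizeHost lower-cases a host[:port] value and drops a default port
// (80 or 443) so that "CHAT.example.com:443" matches "chat.example.com".
func normalizeHost(h string) string {
	h = strings.ToLower(strings.TrimSpace(h))
	host, port, err := net.SplitHostPort(h)
	if err != nil {
		return h // no port present
	}
	if port == "80" || port == "443" {
		return host
	}
	return net.JoinHostPort(host, port)
}

func main() {
	for _, host := range []string{"chat.example.com", "CHAT.example.com:443", "attacker.example.net"} {
		u, err := buildResponseURL(siteURL, host, "/hooks/commands/cmd123")
		fmt.Printf("Host=%s -> url=%q err=%v\n", host, u, err)
	}
}
```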
How can this vulnerability impact me?
The impact of this vulnerability is that an attacker with valid authentication can redirect responses from slash commands to an attacker-controlled server.
This could lead to information leakage or to manipulation of the responses intended for legitimate users. The CVSS score indicates low to medium severity: limited impact on confidentiality and availability, with some impact on integrity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Mattermost to a version later than 11.5.1 or 10.11.13 where the Host header validation issue has been fixed.
Additionally, monitor the official Mattermost Security Updates page for any patches or further guidance.