CVE-2026-6341
Status: Analyzed - Analysis Complete
Mattermost Plugin API Group Access Bypass

Publication date: 2026-05-18

Last updated on: 2026-05-29

Assigner: Mattermost, Inc.

Description
Mattermost Plugins versions <=11.5, 11.1.5, 10.13.11 and 11.3.4.0 fail to perform API-level checks on which groups a user may create issues in or attach comments to. This allows a user who is a member of multiple groups to create issues in a locked group via direct API requests. Mattermost Advisory ID: MMSA-2026-00602
Meta Information
Published: 2026-05-18
Last Modified: 2026-05-29
Generated: 2026-06-10
AI Q&A: 2026-05-18
EPSS Evaluated: 2026-06-08
Affected Vendors & Products
Showing 3 associated CPEs
Vendor | Product | Version / Range
mattermost | mattermost_server | From 10.13.0 (inclusive) to 10.13.11 (inclusive)
mattermost | mattermost_server | From 11.1.0 (inclusive) to 11.1.5 (inclusive)
mattermost | mattermost_server | From 11.3.0 (inclusive) to 11.3.4 (inclusive)
CWE ID: CWE-863 (Incorrect Authorization)
Description: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

This vulnerability affects Mattermost Plugins versions up to 11.5, 11.1.5, 10.13.11, and 11.3.4.0. These versions fail to enforce API-level checks on which groups a user is allowed to create issues in or attach comments to. As a result, a user who is a member of multiple groups can bypass the group restriction by sending direct API requests that create issues in a group that is supposed to be locked or restricted; the check is only missing at the API layer, so a user interface that hides the locked group does not prevent the request.

Impact Analysis

The vulnerability allows unauthorized users to create issues or attach comments in groups where they should not have permission. This can lead to unauthorized information being posted or manipulated within restricted groups, potentially causing confusion, misinformation, or disruption of group workflows.

Mitigation Strategies

To mitigate this vulnerability, update Mattermost Plugins to a release later than 11.5, 11.1.5, 10.13.11, or 11.3.4.0; those versions lack the API-level checks on group permissions, and the update restores them.

Stay informed about security updates by subscribing to Mattermost's Security Bulletin and regularly checking their security updates page.
