CVE-2026-6341
Mattermost Plugin API Group Access Bypass
Publication date: 2026-05-18
Last updated on: 2026-05-18
Assigner: Mattermost, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | plugins | up to and including 11.5 |
| mattermost | plugins | 11.1.5 |
| mattermost | plugins | 10.13.11 |
| mattermost | plugins | 11.3.4.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Mattermost Plugins versions up to 11.5, 11.1.5, 10.13.11, and 11.3.4.0. These versions fail to enforce API-level checks on which user groups are allowed to create issues or attach comments. As a result, a user who is a member of multiple groups can exploit this flaw by making direct API requests to create issues in a group that is supposed to be locked or restricted.
How can this vulnerability impact me?
The vulnerability allows users to create issues or attach comments in groups where they lack the required permission. This can lead to unauthorized information being posted or manipulated within restricted groups, potentially causing confusion, misinformation, or disruption of group workflows.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update Mattermost Plugins to a release later than 11.5, 11.1.5, 10.13.11, or 11.3.4.0, since the affected versions do not enforce API-level checks on group permissions.
Stay informed about security updates by subscribing to Mattermost's Security Bulletin and regularly checking their security updates page.