CVE-2026-6342
Analyzed Analyzed - Analysis Complete
Subscription Bypass in Mattermost Plugins

Publication date: 2026-05-18

Last updated on: 2026-05-29

Assigner: Mattermost, Inc.

Description
Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces which allows plugin users to create subscriptions to groups that were not whitelisted via creating groups that share the same prefix as a whitelisted group. Mattermost Advisory ID: MMSA-2026-00601
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-18
Last Modified
2026-05-29
Generated
2026-06-10
AI Q&A
2026-05-18
EPSS Evaluated
2026-06-08
NVD
CVE-2026-6342
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
mattermost mattermost_server From 10.13.0 (inc) to 10.13.11 (inc)
mattermost mattermost_server From 11.1.0 (inc) to 11.1.5 (inc)
mattermost mattermost_server From 11.3.0 (inc) to 11.3.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Mattermost Plugins versions up to 11.5, including versions 11.1.5, 10.13.11, and 11.3.4.0. The issue is that these versions fail to properly verify valid namespaces when creating group subscriptions. Specifically, plugin users can create subscriptions to groups that were not whitelisted by exploiting the ability to create groups with the same prefix as a whitelisted group.

Impact Analysis

The vulnerability allows plugin users to bypass namespace restrictions and subscribe to unauthorized groups by creating groups with prefixes matching whitelisted groups. This can lead to unauthorized access or interaction with groups that should be restricted, potentially compromising the intended access controls within the Mattermost environment.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Mattermost Plugins to versions later than 11.5, 11.1.5, 10.13.11, or 11.3.4.0, as these versions fail to properly check for valid namespaces allowing unauthorized group subscriptions.

Stay informed about security updates and patches by regularly checking Mattermost's official security updates page and subscribing to their Security Bulletin.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6342. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart