CVE-2026-6046
Analyzed - Analysis Complete

Username Spoofing in Mattermost Plugin Bot Registration

Vulnerability report for CVE-2026-6046, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-18

Assigner: Mattermost, Inc.

Description

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels by pre-registering a user account with a predictable plugin bot username. Mattermost Advisory ID: MMSA-2026-00649

Meta Information

Published: 2026-06-12
Last Modified: 2026-06-18
Generated: 2026-07-03
EPSS Evaluated: 2026-07-01
External references: NVD, EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
mattermost mattermost_server From 10.11.0 (inc) to 10.11.17 (exc)
mattermost mattermost_server From 11.5.0 (inc) to 11.5.5 (exc)
mattermost mattermost_server From 11.6.0 (inc) to 11.6.2 (exc)

Exploitability

CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Executive Summary

This vulnerability affects Mattermost 11.6.x up to and including 11.6.1, 11.5.x up to and including 11.5.4, and 10.11.x up to and including 10.11.16, where the server fails to verify that the username returned during bot registration actually belongs to a bot account.

Because of this failure in validation, an unprivileged attacker can pre-register a user account with a predictable plugin bot username and intercept private messages sent by plugins via direct message channels.
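
The registration flaw and its fix, modelled in Go as an added example. This is not Mattermost's own server or plugin-API code: the User, UserStore, EnsureBotVulnerable and EnsureBotFixed names, the in-memory store, and the username example-plugin-bot are assumptions chosen to show the check the advisory says was missing and what happens when a plugin's bot resolves to an attacker's pre-registered account.

```go
package main

import (
	"errors"
	"fmt"
)

// User models the fields of an account record that matter for this bug.
// These types are illustrative, not Mattermost's own.
type User struct {
	ID       string
	Username string
	IsBot    bool
}

// UserStore is an in-memory stand-in for the server's user table.
type UserStore struct {
	byName map[string]*User
	nextID int
}

func NewUserStore() *UserStore {
	return &UserStore{byName: map[string]*User{}}
}

// Create registers an account. Usernames are unique, so whoever claims a
// name first owns it.
func (s *UserStore) Create(username string, isBot bool) (*User, error) {
	if _, taken := s.byName[username]; taken {
		return nil, fmt.Errorf("username %q already taken", username)
	}
	s.nextID++
	u := &User{ID: fmt.Sprintf("u%d", s.nextID), Username: username, IsBot: isBot}
	s.byName[username] = u
	return u, nil
}

// EnsureBotVulnerable reproduces the flawed logic the advisory describes:
// an existing account with the requested username is handed back as the
// plugin's bot without checking that it is a bot account.
func (s *UserStore) EnsureBotVulnerable(username string) (*User, error) {
	if u, ok := s.byName[username]; ok {
		return u, nil
	}
	return s.Create(username, true)
}

// ErrUsernameNotBot is returned when a plugin's bot name is already held
// by an ordinary user account.
var ErrUsernameNotBot = errors.New("username exists but is not a bot account")

// EnsureBotFixed adds the missing validation: a pre-existing account is
// only accepted as the bot if it really is one.
func (s *UserStore) EnsureBotFixed(username string) (*User, error) {
	if u, ok := s.byName[username]; ok {
		if !u.IsBot {
			return nil, ErrUsernameNotBot
		}
		return u, nil
	}
	return s.Create(username, true)
}

// Scenario plays the attack against one variant and reports whether the
// plugin's bot identity ended up being the attacker's account. hijacked is
// only meaningful when err is nil.
func Scenario(fixed bool) (hijacked bool, err error) {
	store := NewUserStore()
	// The attacker, an unprivileged user, registers an ordinary account under
	// the predictable bot username before the plugin is installed.
	attacker, err := store.Create("example-plugin-bot", false)
	if err != nil {
		return false, err
	}
	var bot *User
	if fixed {
		bot, err = store.EnsureBotFixed("example-plugin-bot")
	} else {
		bot, err = store.EnsureBotVulnerable("example-plugin-bot")
	}
	if err != nil {
		return false, err
	}
	// Every direct message the plugin now sends "as its bot" lands in a DM
	// channel whose bot side is this account; if it is the attacker's, the
	// attacker reads it.
	return bot.ID == attacker.ID, nil
}

func main() {
	for _, fixed := range []bool{false, true} {
		hijacked, err := Scenario(fixed)
		fmt.Printf("fixed=%v hijacked=%v err=%v\n", fixed, hijacked, err)
	}
}
```

The vulnerable variant silently binds the plugin to the attacker's account; the fixed variant fails bot registration with ErrUsernameNotBot, which is the behaviour an administrator should expect to see surface as a plugin start-up error rather than a working plugin with the wrong identity.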

Impact Analysis

This vulnerability allows an unprivileged attacker to read direct messages that a plugin sends to users through its bot account: because the plugin's bot identity resolves to the attacker's pre-registered user account, the attacker sits on the bot side of every such direct message channel.

As a result, sensitive or confidential information communicated via these direct message channels could be exposed to unauthorized parties.

Mitigation Strategies

To mitigate this vulnerability, update Mattermost to a release that contains the fix: 11.6.2 or later on the 11.6 line, 11.5.5 or later on the 11.5 line, or 10.11.17 or later on the 10.11 line (the affected ranges listed above end just before these versions). The upgrade adds the missing check at bot registration time; whether a plugin bot username on your instance was already claimed by an ordinary account before the upgrade is a separate question, so also look for non-bot accounts whose usernames match the bot names your installed plugins register, and review any you find.

Additionally, monitor the Mattermost Security Updates page for any further patches or advisories.
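
A post-upgrade audit, added here as an example and not part of the advisory or the Mattermost code base. It decodes the JSON user list that POST /api/v4/users/usernames returns (that endpoint and the is_bot field are the Mattermost REST API as the author of this example understands it; verify them against your server's API documentation) and flags plugin bot usernames held by non-bot accounts. The bot names in ExpectedBotNames and the sampleResponse payload are constructed for the example, and MM_URL and MM_TOKEN are assumed environment variable names.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
	"sort"
)

// apiUser is the subset of a Mattermost user object this audit reads.
// The json tags follow the REST API field names as understood by the
// author of this example; check them against your server's API docs.
type apiUser struct {
	ID       string `json:"id"`
	Username string `json:"username"`
	IsBot    bool   `json:"is_bot"`
}

// FindImpostors decodes a users array and returns, sorted, every name in
// botNames that resolves to an existing account with is_bot == false.
// Names with no account at all are not reported: nothing is squatting them.
func FindImpostors(raw []byte, botNames []string) ([]string, error) {
	var users []apiUser
	if err := json.Unmarshal(raw, &users); err != nil {
		return nil, fmt.Errorf("decode users: %w", err)
	}
	byName := make(map[string]apiUser, len(users))
	for _, u := range users {
		byName[u.Username] = u
	}
	var impostors []string
	for _, name := range botNames {
		if u, ok := byName[name]; ok && !u.IsBot {
			impostors = append(impostors, name)
		}
	}
	sort.Strings(impostors)
	return impostors, nil
}

// FetchUsersByUsername calls POST /api/v4/users/usernames with a JSON array
// of usernames and returns the raw response body. token is a personal
// access token or session token allowed to read user records.
func FetchUsersByUsername(baseURL, token string, names []string) ([]byte, error) {
	body, err := json.Marshal(names)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodPost, baseURL+"/api/v4/users/usernames", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %s", resp.Status)
	}
	return io.ReadAll(resp.Body)
}

// sampleResponse is a constructed payload in the shape the endpoint returns:
// one ordinary account squatting a bot name, one genuine bot, and one queried
// name with no account (so only two of the three names come back).
const sampleResponse = `[
  {"id": "a1b2c3", "username": "example-plugin-bot", "is_bot": false},
  {"id": "d4e5f6", "username": "another-plugin-bot", "is_bot": true}
]`

// ExpectedBotNames lists the usernames your installed plugins register.
// These are placeholders; take the real ones from each plugin's manifest.
var ExpectedBotNames = []string{"example-plugin-bot", "another-plugin-bot", "unregistered-bot"}

func main() {
	raw := []byte(sampleResponse)
	if base := os.Getenv("MM_URL"); base != "" {
		var err error
		raw, err = FetchUsersByUsername(base, os.Getenv("MM_TOKEN"), ExpectedBotNames)
		if err != nil {
			fmt.Fprintln(os.Stderr, "fetch failed:", err)
			os.Exit(1)
		}
	}
	impostors, err := FindImpostors(raw, ExpectedBotNames)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if len(impostors) == 0 {
		fmt.Println("no plugin bot usernames held by non-bot accounts")
	}
	for _, name := range impostors {
		fmt.Printf("non-bot account holds plugin bot username %q; review it before the plugin registers its bot\n", name)
	}
}
```

Run without MM_URL set and it audits the constructed payload; with MM_URL and MM_TOKEN set it queries the live server instead. A reported name is an account that would have been handed to the plugin as its bot on an unpatched server, so treat it as a possible interception point and check who created it and when.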

Compliance Impact

The vulnerability allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels by pre-registering a user account with a predictable plugin bot username.

This interception of private messages could lead to unauthorized access to sensitive information, which may affect compliance with data protection regulations such as GDPR and HIPAA that require personal and sensitive data to be protected.

However, the provided information does not explicitly state the direct effects on compliance with these standards.
