CVE-2026-6046
Username Spoofing in Mattermost Plugin Bot Registration

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: Mattermost, Inc.

Description
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels by pre-registering a user account with a predictable plugin bot username.

Mattermost Advisory ID: MMSA-2026-00649
Affected Vendors & Products (4 associated CPEs)

Vendor       Product       Version / Range
mattermost   mattermost    up to 11.6.1 (inclusive)
mattermost   mattermost    up to 11.5.4 (inclusive)
mattermost   mattermost    up to 10.11.15 (inclusive)
mattermost   mattermost    up to 10.11.16 (inclusive)
CWE

CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

This vulnerability affects certain versions of Mattermost (11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, and 10.11.x <= 10.11.16) where the system fails to verify that a username returned during bot registration actually belongs to a bot account.

Because of this failure in validation, an unprivileged attacker can pre-register a user account with a predictable plugin bot username and intercept private messages sent by plugins via direct message channels.

Impact Analysis

This vulnerability can allow an unprivileged attacker to intercept private messages that plugins send through their bot accounts via direct message channels.

As a result, sensitive or confidential information communicated via these direct message channels could be exposed to unauthorized parties.

Mitigation Strategies

To mitigate this vulnerability, you should update Mattermost to a version later than 11.6.1, 11.5.4, or 10.11.16, as these versions contain the fix for the issue where username validation during bot registration was insufficient.

Additionally, monitor the Mattermost Security Updates page for any further patches or advisories.

Compliance Impact

The vulnerability allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels by pre-registering a user account with a predictable plugin bot username.

This interception of private messages could potentially lead to unauthorized access to sensitive information, which may impact compliance with data protection regulations such as GDPR and HIPAA that require the protection of personal and sensitive data.

However, the provided information does not explicitly state the direct effects on compliance with these standards.
