CVE-2026-28735

🗓️ 22 May 2026 16:26:04Reported by MattermostType

Mattermost fails to validate OAuth scope on callback, enabling access to private repositories via altered GitHub scope.

Reporter	Title	Published	Views	Family All 8
ATTACKERKB	CVE-2026-28735	22 May 202616:26	–	attackerkb
CNNVD	Mattermost 安全漏洞	22 May 202600:00	–	cnnvd
Cvelist	CVE-2026-28735 GitHub OAuth Scope Validation	22 May 202616:26	–	cvelist
EUVD	EUVD-2026-31465	22 May 202616:26	–	euvd
NVD	CVE-2026-28735	22 May 202617:16	–	nvd
Positive Technologies	PT-2026-42799	22 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-28735	5 Jun 202619:29	–	redhatcve
Vulnrichment	CVE-2026-28735 GitHub OAuth Scope Validation	22 May 202616:26	–	vulnrichment

NVD

Node

mattermost mattermost_serverRange10.11.0–10.11.15

mattermost mattermost_serverRange11.4.0–11.4.5

mattermost mattermost_serverRange11.5.0–11.5.4

mattermost mattermost_serverRange11.6.0–11.6.1

[
  {
    "defaultStatus": "unaffected",
    "product": "Mattermost",
    "vendor": "Mattermost",
    "versions": [
      {
        "lessThanOrEqual": "11.6.0",
        "status": "affected",
        "version": "11.6.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "11.5.3",
        "status": "affected",
        "version": "11.5.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "11.4.4",
        "status": "affected",
        "version": "11.4.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "10.11.14",
        "status": "affected",
        "version": "10.11.0",
        "versionType": "semver"
      },
      {
        "version": "11.7.0",
        "status": "unaffected"
      },
      {
        "version": "11.6.1",
        "status": "unaffected"
      },
      {
        "version": "11.5.4",
        "status": "unaffected"
      },
      {
        "version": "11.4.5",
        "status": "unaffected"
      },
      {
        "version": "10.11.15",
        "status": "unaffected"
      }
    ]
  }
]

Source	Link
mattermost	www.mattermost.com/security-updates

22 May 2026 19:28Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.15.4

EPSS0.0003

SSVC

CWE-863