CVE-2026-6046 Plugin bot username conflict allows user account to be used as bot identity in Mattermost Server

🗓️ 12 Jun 2026 15:52:33Reported by MattermostType

CVE-2026-6046: Bot username impersonation enables intercepting private messages in Mattermost via pre-registered bot username.

Reporter	Title	Published	Views	Family All 5
CVE	CVE-2026-6046	12 Jun 202615:52	–	cve
EUVD	EUVD-2026-36502	12 Jun 202615:52	–	euvd
NVD	CVE-2026-6046	12 Jun 202617:16	–	nvd
Positive Technologies	PT-2026-48936	12 Jun 202600:00	–	ptsecurity
Vulnrichment	CVE-2026-6046 Plugin bot username conflict allows user account to be used as bot identity in Mattermost Server	12 Jun 202615:52	–	vulnrichment

[
  {
    "defaultStatus": "unaffected",
    "product": "Mattermost",
    "vendor": "Mattermost",
    "versions": [
      {
        "lessThanOrEqual": "11.6.1",
        "status": "affected",
        "version": "11.6.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "11.5.4",
        "status": "affected",
        "version": "11.5.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "10.11.15",
        "status": "affected",
        "version": "10.11.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "10.11.16",
        "status": "affected",
        "version": "10.11.0",
        "versionType": "semver"
      },
      {
        "version": "11.7.0",
        "status": "unaffected"
      },
      {
        "version": "11.6.2",
        "status": "unaffected"
      },
      {
        "version": "11.5.5",
        "status": "unaffected"
      },
      {
        "version": "10.11.16",
        "status": "unaffected"
      },
      {
        "version": "10.11.17",
        "status": "unaffected"
      }
    ]
  }
]

Source	Link
mattermost	www.mattermost.com/security-updates

12 Jun 2026 15:52Current

CVSS 3.15.3

CWE-200