4 matches found
EUVD-2026-38250
Mattermost versions 11.7.x = 11.7.0, 11.6.x = 11.6.2, 11.5.x = 11.5.5, 10.11.x = 10.11.17 Fail to validate channel ownership of an existing subscription before applying edits which allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT...
CVE-2026-9162 Global session revocation does not invalidate active WebSocket connections
Mattermost versions 11.7.x = 11.7.0, 11.6.x = 11.6.2, 11.5.x = 11.5.5, 10.11.x = 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation, which allows a user with an existing WebSocket connection to remain authenticated and continu...
PT-2026-41649
Name of the Vulnerable Software and Affected Versions Mattermost versions prior to 11.5.2 Mattermost versions prior to 10.11.14 Mattermost versions prior to 11.4.4 Description An issue exists where the system fails to enforce trigger-word uniqueness during the update of slash commands. This allow...
CVE-2026-4053 post edit time limit is not enforced on some post update operations
Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to enforce the PostEditTimeLimit on non-message post fields which allows an authenticated user to modify post file attachments, props, and pin status after the edit window has expired via the post patch and update API endpoints...