Lucene search
K

103 matches found

CVE
CVE
added 2 days ago12 views

CVE-2026-9824

Mattermost v11.7.x ≤ 11.7.2, v11.6.x ≤ 11.6.4, and v10.11.x ≤ 10.11.19 are affected by CVE-2026-9824 due to a missing check of the manage_shared_channels permission in the /share-channel autocomplete handler. This allows an authenticated user without that permission to enumerate remote cluster co...

4.3CVSS6.1AI score0.00162EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2 days ago8 views

CVE-2026-10103

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to modify or delete posts authored by local users or other remotes via crafted sync messages referencing...

4.3CVSS0.00145EPSS
Exploits0References1
Cvelist
Cvelist
added 2 days ago35 views

CVE-2026-10103 Authenticated remote cluster can modify or delete posts it does not own in Mattermost Connected Workspaces shared channels

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to modify or delete posts authored by local users or other remotes via crafted sync messages referencing...

4.3CVSS0.00145EPSS
Exploits0References1
CVE
CVE
added 2 days ago9 views

CVE-2026-10103

Mattermost versions affected: 11.7.x (up to 11.7.2), 11.6.x (up to 11.6.4), and 10.11.x (up to 10.11.19) have a flaw in the shared channel inbound sync handler that fails to verify post ownership. This allows an authenticated remote cluster to modify or delete posts authored by local users or oth...

4.3CVSS6.2AI score0.00145EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/06/19 6:31 a.m.5 views

GHSA-XG3J-C7Q4-F9PH Canonical MicroCeph: path traversal issue in the remote-import AP

Canonical MicroCeph versions from the squid and tentacle track are vulnerable to a path traversal issue in the remote-import API. Holders of a trusted cluster mTLS certificate such as enrolled cluster members or join token can manipulate files in an imported remote cluster within the...

5CVSS5.9AI score0.00208EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/19 4:57 a.m.7 views

CVE-2026-10720

Canonical MicroCeph versions from the squid and tentacle track are vulnerable to a path traversal issue in the remote-import API. Holders of a trusted cluster mTLS certificate such as enrolled cluster members or join token can manipulate files in an imported remote cluster within the...

5CVSS5.9AI score0.00208EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.24 views

PT-2026-50835

Name of the Vulnerable Software and Affected Versions Canonical MicroCeph versions from the squid and tentacle track Description A path traversal issue exists in the remote-import API. Users possessing a join token or a trusted cluster mTLS certificate, such as enrolled cluster members, can...

5CVSS5.9AI score0.00208EPSS
Exploits0References13
NVD
NVD
added 2026/06/12 5:16 p.m.13 views

CVE-2026-7184

Mattermost versions 11.6.x = 11.6.1, 11.5.x = 11.5.4, 10.11.x = 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the managesecureconnections permission to obtain remote cluster authentication tokens via a PATCH request to the...

6.5CVSS0.00255EPSS
Exploits0References1
OSV
OSV
added 2026/06/12 3:49 p.m.4 views

CVE-2026-7184 Mattermost Remote Cluster PATCH API Leaks Authentication Tokens

Mattermost versions 11.6.x = 11.6.1, 11.5.x = 11.5.4, 10.11.x = 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the managesecureconnections permission to obtain remote cluster authentication tokens via a PATCH request to the...

6.5CVSS6AI score0.00255EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/12 3:49 p.m.35 views

CVE-2026-7184 Mattermost Remote Cluster PATCH API Leaks Authentication Tokens

Mattermost versions 11.6.x = 11.6.1, 11.5.x = 11.5.4, 10.11.x = 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the managesecureconnections permission to obtain remote cluster authentication tokens via a PATCH request to the...

6.5CVSS0.00255EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/12 3:49 p.m.13 views

CVE-2026-7184 Mattermost Remote Cluster PATCH API Leaks Authentication Tokens

Mattermost versions 11.6.x = 11.6.1, 11.5.x = 11.5.4, 10.11.x = 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the managesecureconnections permission to obtain remote cluster authentication tokens via a PATCH request to the...

6.5CVSS5.4AI score0.00255EPSS
Exploits0References1
CVE
CVE
added 2026/06/12 3:49 p.m.16 views

CVE-2026-7184

Mattermost CVE-2026-7184 affects Mattermost versions 11.6.x up to 11.6.1, 11.5.x up to 11.5.4, and 10.11.x up to 10.11.15. The issue is a failure to sanitize the Remote Cluster API response on PATCH operations, allowing authenticated users with the {{manage_secure_connections}} permission to obta...

6.5CVSS5.4AI score0.00255EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/06/12 3:49 p.m.10 views

EUVD-2026-36500

Mattermost versions 11.6.x = 11.6.1, 11.5.x = 11.5.4, 10.11.x = 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the managesecureconnections permission to obtain remote cluster authentication tokens via a PATCH request to the...

6.5CVSS5.4AI score0.00255EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.16 views

PT-2026-48940

Mattermost versions 11.6.x = 11.6.1, 11.5.x = 11.5.4, 10.11.x = 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the manage secure connections permission to obtain remote cluster authentication tokens via a PATCH request to the...

6.5CVSS5.3AI score0.00255EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:45 p.m.9 views

CVE-2026-4273

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a craft...

4.3CVSS5.5AI score0.00142EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:29 p.m.10 views

CVE-2026-28759

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel,...

4.3CVSS5.5AI score0.00152EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/05/22 12:0 a.m.51 views

Mattermost Server 10.11.x <= 10.11.13 / 11.5.x <= 11.5.1 Multiple Vulnerabilities (MMSA-2026-00570 / MMSA-2026-00575 / MMSA-2026-00582 / MMSA-2026-00622)

The version of Mattermost Server installed on the remote host is affected by multiple vulnerabilities: - Mattermost fails to validate the Host header when constructing response URLs for custom slash commands which allows an authenticated attacker to redirect slash command responses to an...

5CVSS6AI score0.00143EPSS
Exploits0References5
Snyk
Snyk
added 2026/05/18 9:45 a.m.7 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the membership sync process. An attacker can remove users from any channel, including private channels, by sending crafted membership sync messages from a remote cluster that is not authorized to access the...

5.3CVSS5.8AI score0.00152EPSS
Exploits0References2
OSV
OSV
added 2026/05/18 9:31 a.m.11 views

GHSA-8H9W-W78C-VVR3 Mattermost does not verify remote cluster channel access when processing shared channel membership removals

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel,...

4.3CVSS5.8AI score0.00152EPSS
Exploits0References4
OSV
OSV
added 2026/05/18 9:31 a.m.10 views

GHSA-HQPJ-F3JH-29VX Mattermost doesn't validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a craft...

3.7CVSS5.8AI score0.00142EPSS
Exploits0References4
Rows per page
Query Builder