Lucene search
K

5 matches found

OSV
OSV
added 2026/05/18 9:31 a.m.11 views

GHSA-8H9W-W78C-VVR3 Mattermost does not verify remote cluster channel access when processing shared channel membership removals

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel,...

4.3CVSS5.8AI score0.00152EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/05/18 9:31 a.m.10 views

Mattermost does not verify remote cluster channel access when processing shared channel membership removals

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel,...

4.3CVSS5.8AI score0.00152EPSS
Exploits0References4Affected Software2
ATTACKERKB
ATTACKERKB
added 2026/05/18 6:50 a.m.10 views

CVE-2026-28759

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel,...

4.3CVSS5.8AI score0.00152EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/18 12:0 a.m.16 views

PT-2026-41640

Name of the Vulnerable Software and Affected Versions Mattermost versions 11.5.0 through 11.5.1 Mattermost versions 10.11.0 through 10.11.13 Mattermost versions 11.4.0 through 11.4.3 Description An issue exists during shared channel membership sync where the system fails to validate if a remote...

4.3CVSS5.9AI score0.00152EPSS
Exploits0References8
OSV
OSV
added 2025/12/17 6:14 p.m.3 views

CVE-2025-13324 Lack of Invalidation of Legacy Remote Cluster Invite Tokens After Confirmation

Mattermost versions 10.11.x = 10.11.5, 11.0.x = 11.0.4, 10.12.x = 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy version 1 protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to...

3.7CVSS7.1AI score0.00167EPSS
Exploits0References3
Rows per page
Query Builder