Description
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to properly validate user identity in the OpenID IsSameUser() comparison logic, which allows an attacker to take over arbitrary user accounts via an overly permissive substring matching flaw in the user discovery flow. Mattermost Advisory ID: MMSA-2026-00590
Published: 2026-03-25
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Account Takeover
Action: Patch Now
AI Analysis

Impact

An authentication flaw in Mattermost Server versions 10.11.x through 11.4.x causes the OpenID Connect identity comparison logic to perform an over-permissive substring match, allowing attackers to impersonate any user. This results in unauthorized account takeover that can expose sensitive data, allow post creation, or facilitate further attacks. The weakness is categorized as improper authentication (CWE-303).
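The weakness class described above (a "same user" check that accepts a substring rather than an exact claim match), as an added Go illustration that is not part of this advisory and not Mattermost's code: the page gives no details of the real IsSameUser() logic, so the OIDCIdentity and User types, the sample users, and the looseMatch, strictMatch and resolveUsers functions are all constructed for the example. It places the over-permissive comparator beside the exact-match form and shows how many local accounts each binds to one incoming identity.

```go
package main

import (
	"fmt"
	"strings"
)

// OIDCIdentity is the (issuer, subject) claim pair that uniquely identifies
// a subject at one OpenID provider. Constructed type for this illustration,
// not Mattermost's data model.
type OIDCIdentity struct {
	Issuer  string // "iss" claim: which provider vouched for the subject
	Subject string // "sub" claim: the provider's stable identifier for the subject
}

// User is a constructed local account record with its linked OIDC identity.
type User struct {
	Username string
	Identity OIDCIdentity
}

// sampleUsers is constructed sample data. Note that bob's subject "42" is a
// substring of the other two subjects.
var sampleUsers = []User{
	{Username: "alice", Identity: OIDCIdentity{Issuer: "https://idp.example", Subject: "10042"}},
	{Username: "bob", Identity: OIDCIdentity{Issuer: "https://idp.example", Subject: "42"}},
	{Username: "carol", Identity: OIDCIdentity{Issuer: "https://idp.example", Subject: "100420"}},
}

// looseMatch illustrates the weakness class: it treats the incoming subject
// as "the same user" whenever it appears anywhere inside a stored subject,
// and ignores the issuer entirely. Hypothetical; not the vulnerable code.
func looseMatch(stored, incoming OIDCIdentity) bool {
	return strings.Contains(stored.Subject, incoming.Subject)
}

// strictMatch is the hardened form: both claims must be present and
// byte-for-byte equal. No prefix, suffix or substring relation counts.
func strictMatch(stored, incoming OIDCIdentity) bool {
	if incoming.Issuer == "" || incoming.Subject == "" {
		return false
	}
	return stored.Issuer == incoming.Issuer && stored.Subject == incoming.Subject
}

// resolveUsers returns every local account the comparator accepts for the
// incoming identity. A sound comparator yields at most one name; more than
// one means the login could be bound to the wrong account.
func resolveUsers(users []User, incoming OIDCIdentity, same func(stored, incoming OIDCIdentity) bool) []string {
	var matched []string
	for _, u := range users {
		if same(u.Identity, incoming) {
			matched = append(matched, u.Username)
		}
	}
	return matched
}

func main() {
	incoming := OIDCIdentity{Issuer: "https://idp.example", Subject: "42"}
	fmt.Println("loose :", resolveUsers(sampleUsers, incoming, looseMatch))  // [alice bob carol]
	fmt.Println("strict:", resolveUsers(sampleUsers, incoming, strictMatch)) // [bob]

	// The same subject value asserted by a different issuer must not bind to bob.
	foreign := OIDCIdentity{Issuer: "https://other.example", Subject: "42"}
	fmt.Println("strict, other issuer:", resolveUsers(sampleUsers, foreign, strictMatch)) // []
}
```

The point of resolveUsers returning a slice rather than a single record is that it doubles as a check: any comparator that can return more than one account for one federated identity is a candidate for exactly this class of takeover, and a login that resolves to multiple accounts is worth logging as an anomaly rather than silently picking the first hit.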

Affected Systems

Affected vendors and products include Mattermost, specifically Mattermost Server versions up to 11.4.0, 11.3.1, 11.2.3, and 10.11.11. Updates to 11.5.0, 11.4.1, 11.3.2, 11.2.4, or 10.11.12 and later eliminate the flaw.

Risk and Exploitability

The CVSS base score is 5.7, indicating medium severity, while the EPSS score is below 1%, showing a relatively low likelihood of current exploitation. It is not listed in the CISA KEV catalog. Exploitation requires only remote access to the OpenID Connect authentication flow and the ability to craft a discovery request that includes a username substring of the target, making the attack feasible in many environments.

Generated by OpenCVE AI on March 26, 2026 at 20:55 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.5.0, 11.4.1, 11.3.2, 11.2.4, 10.11.12 or higher.


OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading Mattermost Server to 11.5.0 or later, or to the latest 11.4.x/11.3.x/11.2.x/10.11.x releases.
  • Verify that the OpenID Connect configuration enforces strict user identity checks and that any custom authentication providers are updated.
  • Monitor authentication logs for unusual account impersonation attempts.



Advisories
Source: GitHub GHSA
ID: GHSA-fg35-5rf6-qg3g
Title: Mattermost allows attackers to take over arbitrary user accounts via overly permissive substring matching flaw
References
History

Thu, 26 Mar 2026 19:00:00 +0000

First Time appeared (values added): Mattermost mattermost Server
CPEs (values added): cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Vendors & Products (values added): Mattermost mattermost Server

Thu, 26 Mar 2026 14:15:00 +0000

Metrics (values added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

First Time appeared (values added): Mattermost; Mattermost mattermost
Vendors & Products (values added): Mattermost; Mattermost mattermost

Wed, 25 Mar 2026 16:45:00 +0000

Description (values added): Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to properly validate user identity in the OpenID IsSameUser() comparison logic, which allows an attacker to take over arbitrary user accounts via an overly permissive substring matching flaw in the user discovery flow. Mattermost Advisory ID: MMSA-2026-00590
Title (values added): Account Takeover via Substring Matching in OpenID Connect Authentication
Weaknesses (values added): CWE-303
References (values added):
Metrics (values added): cvssV3_1
{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-03-26T13:19:52.338Z

Reserved: 2026-02-23T22:07:32.808Z

Link: CVE-2026-27656

Vulnrichment

Updated: 2026-03-26T13:19:49.531Z

NVD

Status : Analyzed

Published: 2026-03-25T17:16:56.797

Modified: 2026-03-26T18:51:38.050

Link: CVE-2026-27656

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:30:33Z

Weaknesses