Description
Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace, which allows a malicious remote server connected using the Connected Workspaces feature to change the displayed status of local users via the Connected Workspaces API. Mattermost Advisory ID: MMSA-2026-00603
Published: 2026-04-15
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized status manipulation due to missing authorization checks
Action: Apply Patch
AI Analysis

Impact

Mattermost versions 10.11.x through 10.11.12 do not confirm that a user actually belongs to the Connected Workspace that claims to own them. This missing authorization check allows a malicious remote server that has been provisioned to connect to the target via the Connected Workspaces feature to send API calls that change the displayed status of local users. The impact is a compromise of the integrity of user status information; confidentiality and code execution are not affected by this flaw. The potential for social-engineering attacks is inferred from the ability to alter user status, but the CVE description does not explicitly state that such attacks are feasible.

Affected Systems

The affected software is Mattermost. Vulnerable versions are 10.11.0 through 10.11.12. Updated releases 10.11.13 or later, and any 11.5.0 or newer, contain the fix.

Risk and Exploitability

The CVSS score of 2.7 indicates low severity. No EPSS data is available, and the flaw is not listed in the CISA KEV catalog. The attack requires a malicious remote server that has been provisioned to connect to the target through the Connected Workspaces API; no privileged local user or local code execution is necessary. Because the flaw permits only status modification, the operational impact is limited, and exploitation is unlikely to lead to broader system compromise.

Generated by OpenCVE AI on April 15, 2026 at 11:53 UTC.

Remediation

Vendor Solution

Update Mattermost to version 11.5.0 or 10.11.13, or higher.


OpenCVE Recommended Actions

  • Upgrade Mattermost to 11.5.0, 10.11.13, or later versions.
  • Disable or tightly restrict the Connected Workspaces feature until the patch is applied, ensuring that only trusted remote servers can register.
  • Monitor Connected Workspaces API logs for unexpected status change requests and review the list of approved remote servers.


History

Wed, 15 Apr 2026 13:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Mattermost
                                       Mattermost mattermost
Vendors & Products                     Mattermost
                                       Mattermost mattermost

Wed, 15 Apr 2026 13:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 10:45:00 +0000

Type          Values Removed   Values Added
Description                    Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace, which allows a malicious remote server connected using the Connected Workspaces feature to change the displayed status of local users via the Connected Workspaces API. Mattermost Advisory ID: MMSA-2026-00603
Title                          Connected Workspaces: Malicious remote server can manipulate arbitrary user's status
Weaknesses                     CWE-862
References
Metrics                        cvssV3_1
                               {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-04-15T13:08:35.452Z

Reserved: 2026-03-16T08:51:03.250Z

Link: CVE-2026-27769

Vulnrichment

Updated: 2026-04-15T13:08:32.237Z

NVD

Status: Received

Published: 2026-04-15T11:16:33.017

Modified: 2026-04-15T11:16:33.017

Link: CVE-2026-27769

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T13:49:14Z

Weaknesses