Description
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the OAuth token scope on the callback, which allows an authenticated Mattermost user to gain access to private repositories by modifying the scope parameter in the GitHub authorization URL. Mattermost Advisory ID: MMSA-2026-00628
Published: 2026-05-22
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mattermost versions through 10.11.14, 11.4.4, 11.5.3, and 11.6.0 do not properly validate the scope of OAuth tokens returned by GitHub. An authenticated Mattermost user can alter the scope parameter in the GitHub authorization URL; because the callback does not check the scope of the token it receives, the user ends up with an access token that carries permissions to private repositories. This grants the user unauthorized read access to sensitive repositories and their contents.

Affected Systems

Affected products are Mattermost releases: 10.11.x through 10.11.14, 11.4.x through 11.4.4, 11.5.x through 11.5.3, and 11.6.x through 11.6.0.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. The EPSS score is not available and the vulnerability is not listed in CISA KEV, suggesting limited evidence of exploitation in the wild. An attacker must be an authenticated user of Mattermost and must have access to the OAuth flow; no remote code execution or privilege escalation is required. The risk is confined to the potential exposure of private repository data by users who can manipulate the OAuth request.

Generated by OpenCVE AI on May 22, 2026 at 17:20 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.7.0, 11.6.1, 11.5.4, 11.4.5, 10.11.15 or higher.


OpenCVE Recommended Actions

  • Upgrade Mattermost to a supported version: 10.11.15, 11.4.5, 11.5.4, 11.6.1, or 11.7.0 or later.
  • Verify that the OAuth callback endpoint enforces strict scope validation and rejects any unauthorized scopes during token exchange.
  • Review and harden repository access controls to restrict sensitive data to only those users who truly require it.

Generated by OpenCVE AI on May 22, 2026 at 17:20 UTC.
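The second recommended action above (strict scope validation on the callback) is shown below as an added Go example. It is not Mattermost's code or the GitHub plugin's code; it sketches the two defensive controls a callback handler needs: the authorization URL is built server-side from a fixed scope list so a client-supplied scope parameter is never honoured, and the token-exchange response is rejected if GitHub reports any granted scope outside that list. The allowed scope set, client ID, redirect URI, state and the sample token responses are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// allowedScopes is the fixed set of GitHub OAuth scopes this integration is
// permitted to hold. Constructed for this example; note that "repo" (which
// grants private repository access) is deliberately absent.
var allowedScopes = map[string]bool{
	"read:user":   true,
	"public_repo": true,
}

// BuildAuthorizeURL builds the GitHub authorization URL entirely server-side.
// The scope list comes from allowedScopes, never from the incoming request,
// so a user cannot widen it by editing a query parameter. clientID,
// redirectURI and state are placeholders supplied by the caller.
func BuildAuthorizeURL(clientID, redirectURI, state string) string {
	scopes := make([]string, 0, len(allowedScopes))
	for s := range allowedScopes {
		scopes = append(scopes, s)
	}
	sort.Strings(scopes) // deterministic order for logging and comparison
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("state", state)
	q.Set("scope", strings.Join(scopes, " "))
	return "https://github.com/login/oauth/authorize?" + q.Encode()
}

// tokenResponse mirrors the fields of GitHub's access-token response used
// here. GitHub reports the granted scopes as a comma-separated string.
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	Scope       string `json:"scope"`
}

// ParseGrantedScopes splits the scope string into individual scope names,
// accepting comma or space as separator and dropping blanks.
func ParseGrantedScopes(s string) []string {
	return strings.FieldsFunc(s, func(r rune) bool { return r == ',' || r == ' ' })
}

// ValidateGrantedScopes returns an error if any granted scope lies outside
// the allowed set. The check is on what GitHub actually granted, not on what
// the authorization URL asked for, so a widened request is caught here.
func ValidateGrantedScopes(granted []string) error {
	for _, s := range granted {
		if !allowedScopes[s] {
			return fmt.Errorf("token granted unauthorized scope %q", s)
		}
	}
	return nil
}

// AcceptTokenResponse parses the token-exchange response body and returns the
// access token only when its granted scopes pass validation. On failure no
// token is returned, so the callback handler has nothing to store.
func AcceptTokenResponse(body []byte) (string, error) {
	var tr tokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return "", fmt.Errorf("malformed token response: %w", err)
	}
	if tr.AccessToken == "" {
		return "", fmt.Errorf("token response has no access_token")
	}
	if err := ValidateGrantedScopes(ParseGrantedScopes(tr.Scope)); err != nil {
		return "", err
	}
	return tr.AccessToken, nil
}

func main() {
	// Constructed sample responses (not real tokens): one within the allowed
	// set, one carrying the broader "repo" scope that must be rejected.
	good := []byte(`{"access_token":"gho_example_ok","token_type":"bearer","scope":"public_repo,read:user"}`)
	bad := []byte(`{"access_token":"gho_example_wide","token_type":"bearer","scope":"repo,read:user"}`)
	for _, b := range [][]byte{good, bad} {
		tok, err := AcceptTokenResponse(b)
		fmt.Printf("token=%q err=%v\n", tok, err)
	}
	fmt.Println(BuildAuthorizeURL("CLIENT_ID_PLACEHOLDER", "https://example.invalid/oauth/callback", "state123"))
}
```

The important design choice is that validation happens on the token GitHub actually issued, not on the request the server believes it sent: whatever a user did to the authorization URL, a token whose scope exceeds the allowed set is discarded before it is persisted or used against the GitHub API.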

Advisories

No advisories yet.

References
History

Fri, 22 May 2026 17:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Mattermost
                    |                | Mattermost mattermost
Vendors & Products  |                | Mattermost
                    |                | Mattermost mattermost

Fri, 22 May 2026 17:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 May 2026 16:30:00 +0000

Type        | Values Removed | Values Added
Description |                | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the OAuth token scope on the callback, which allows an authenticated Mattermost user to gain access to private repositories by modifying the scope parameter in the GitHub authorization URL. Mattermost Advisory ID: MMSA-2026-00628
Title       |                | GitHub OAuth Scope Validation
Weaknesses  |                | CWE-863
References  |                |
Metrics     |                | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-05-22T16:56:09.671Z

Reserved: 2026-03-10T13:45:39.998Z

Link: CVE-2026-28735

Vulnrichment

Updated: 2026-05-22T16:55:49.531Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T17:30:06Z

Weaknesses