Description
Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to validate CSRF tokens on an authentication endpoint which allows an attacker to update a user's authentication method via a CSRF attack by tricking a user into visiting a malicious page. Mattermost Advisory ID: MMSA-2026-00625
Published: 2026-04-15
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Modification of user authentication
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in the lack of CSRF token validation on an authentication endpoint, a security weakness categorized as CWE-352. An attacker can force an authenticated user to execute a forged request that changes the user's authentication method, potentially granting the attacker control over that account. This modification subverts the intended authentication flow and can lead to unauthorized access to a user's data.
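To make the Impact section concrete, here is an added Go example (not Mattermost's code and not taken from the advisory) showing a state-changing authentication-method endpoint once without and once with CSRF token validation bound to the session cookie; the session store, the "session" cookie, the X-CSRF-Token header, the token values and the /auth-method path are all constructed placeholders.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed in-memory session store (session cookie -> CSRF token issued for it).
var sessions = map[string]string{"sess-abc": "csrf-token-123"}
// csrfProtect rejects state-changing requests whose X-CSRF-Token header does not match
// the token bound to the session cookie; a cross-site form post sends the cookie but cannot set the header.
func csrfProtect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet || r.Method == http.MethodHead {
			next.ServeHTTP(w, r) // safe methods change no state
			return
		}
		want, got := "", r.Header.Get("X-CSRF-Token")
		if c, err := r.Cookie("session"); err == nil {
			want = sessions[c.Value]
		}
		if want == "" || subtle.ConstantTimeCompare([]byte(want), []byte(got)) != 1 {
			http.Error(w, "invalid CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
// updateAuthMethod stands in for the endpoint that changes how a user signs in.
func updateAuthMethod(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }
// The same endpoint without (vulnerable) and with (hardened) the CSRF check.
var Vulnerable, Hardened = http.Handler(http.HandlerFunc(updateAuthMethod)), csrfProtect(http.HandlerFunc(updateAuthMethod))
// Simulate sends a PUT (hypothetical path) carrying the victim's session cookie and,
// if non-empty, a CSRF token header, and returns the status code the handler produces.
func Simulate(h http.Handler, token string) int {
	req := httptest.NewRequest(http.MethodPut, "/auth-method", nil)
	req.AddCookie(&http.Cookie{Name: "session", Value: "sess-abc"})
	if token != "" {
		req.Header.Set("X-CSRF-Token", token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(Simulate(Vulnerable, ""), Simulate(Hardened, ""), Simulate(Hardened, "csrf-token-123")) // 200 403 200
}
```

Because a forged request is issued by the victim's own browser, it passes IP allow-lists and network segmentation; the per-session token check (together with SameSite cookies) is what actually stops it.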

Affected Systems

The flaw affects Mattermost deployments running versions 10.11.x through 10.11.12, 11.5.x through 11.5.0, 11.4.x through 11.4.2, and 11.3.x through 11.3.2. All affected instances are susceptible if they have the vulnerable authentication endpoint exposed.

Risk and Exploitability

The CVSS base score of 6.8 classifies the issue as moderately severe, and the very low EPSS score (below 1%) indicates no current evidence of exploitation. The flaw is not listed in the CISA KEV catalog, suggesting it has not yet been actively leveraged. However, exploitation requires a victim to visit a malicious page, making a CSRF attack the likely vector. The vulnerability can be exploited without privileged access and only needs the victim to be authenticated to the target Mattermost instance.

Generated by OpenCVE AI on April 15, 2026 at 11:53 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 10.11.13, 11.5.1, 11.4.3, 11.3.3 or higher.


OpenCVE Recommended Actions

  • Apply a Mattermost update to version 10.11.13, 11.5.1, 11.4.3, 11.3.3, or a newer release that addresses CSRF validation.
  • If an immediate update is unavailable, deploy an auxiliary CSRF mitigation such as a web application firewall or enforce stricter same-site cookie policies to reduce the attack surface.
  • Restrict access to the authentication endpoint by applying network segmentation or limiting allowed IP addresses to mitigate CSRF risk.

Generated by OpenCVE AI on April 15, 2026 at 11:53 UTC.


Advisories

No advisories yet.

References
History

Wed, 15 Apr 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 13:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Mattermost; Mattermost mattermost

Type: Vendors & Products
Values Removed: (none)
Values Added: Mattermost; Mattermost mattermost

Wed, 15 Apr 2026 10:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to validate CSRF tokens on an authentication endpoint which allows an attacker to update a user's authentication method via a CSRF attack by tricking a user into visiting a malicious page. Mattermost Advisory ID: MMSA-2026-00625

Type: Title
Values Removed: (none)
Values Added: CSRF Protection Bypass Allows Updating a User's Authentication Method

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-352

Type: References
Values Removed: (none)
Values Added: (empty)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-04-15T15:39:52.265Z

Reserved: 2026-03-10T13:45:39.984Z

Link: CVE-2026-28741

Vulnrichment

Updated: 2026-04-15T15:39:11.734Z

NVD

Status : Received

Published: 2026-04-15T11:16:33.450

Modified: 2026-04-15T11:16:33.450

Link: CVE-2026-28741

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T13:49:14Z

Weaknesses