Description
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel, including private channels, via crafted membership sync messages targeting channels the remote cluster is not authorized to access. Mattermost Advisory ID: MMSA-2026-00576
Published: 2026-05-18
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mattermost versions prior to 11.6.0, 11.5.2, 10.11.14, and 11.4.4 do not validate that a remote cluster is authorized to access a channel before processing membership removal requests during shared channel membership sync. This flaw enables a malicious remote cluster to craft membership sync messages that remove any user from any channel, including private channels, thereby bypassing authorization controls and disrupting communication.

Affected Systems

The vulnerability impacts Mattermost, affecting releases 11.5.x up to 11.5.1, 10.11.x up to 10.11.13, and 11.4.x up to 11.4.3.

Risk and Exploitability

The CVSS score is 4.3, indicating a moderate severity. EPSS data is unavailable and the vulnerability is not listed in CISA’s KEV catalog. Attackers need to control a remote cluster that can send synchronized membership messages; no direct end‑user credentials are required. The impact is limited to unauthorized removal of users but could disrupt team collaboration and expose private channel membership data. The risk remains moderate, especially in environments where untrusted remote clusters are allowed to sync with Mattermost.

Generated by OpenCVE AI on May 18, 2026 at 09:51 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.6.0, 11.5.2, 10.11.14, 11.4.4 or higher.


OpenCVE Recommended Actions

  • Update Mattermost to versions 11.6.0, 11.5.2, 10.11.14, 11.4.4 or later.
  • Restrict remote cluster connections to only trusted clusters using firewall rules or application settings, disabling unauthorized sync.
  • Review existing shared channel memberships and recreate channels if necessary to ensure no orphaned or unauthorized users remain.


Advisories

No advisories yet.

History

Mon, 18 May 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Mattermost; Mattermost mattermost
Vendors & Products | (none) | Mattermost; Mattermost mattermost

Mon, 18 May 2026 08:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel, including private channels, via crafted membership sync messages targeting channels the remote cluster is not authorized to access. Mattermost Advisory ID: MMSA-2026-00576
Title | (none) | Insufficient authorization in shared channel membership sync allows remote cluster to remove users from arbitrary channels
Weaknesses | (none) | CWE-863
References | (none) |
Metrics | (none) | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-05-18T06:50:07.346Z

Reserved: 2026-03-10T13:45:40.017Z

Link: CVE-2026-28759

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-18T08:16:13.573

Modified: 2026-05-18T08:16:13.573

Link: CVE-2026-28759

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T10:00:13Z
