CVE-2026-6046 - Vulnerability Details

- Plugin bot username conflict allows user account to be used as bot identity in Mattermost Server

Description

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels by pre-registering a user account with a predictable plugin bot username.. Mattermost Advisory ID: MMSA-2026-00649

Published: 2026-06-12

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Mattermost versions prior to the listed fixes allow a bot-username validation gap during bot registration. An attacker who can create a user account with a predictable plugin bot username can masquerade as that bot and receive direct messages that are intended for the legitimate bot. This exposes the contents of private conversations between the bot and other users, thereby compromising confidentiality.

Affected Systems

Mattermost Server versions 10.11.0 through 10.11.15, 10.11.16, 11.5.0 through 11.5.4, and 11.6.0 through 11.6.1 are vulnerable. These versions lack validation that a username returned during bot registration belongs to a bot account, which allows an attacker to intercept private messages sent by plugins via direct message channels.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity. The attacker only needs to create a non-privileged user account to exploit the flaw, so the barrier to exploitation is low and no elevated privileges are required. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Likely attack vectors include local or remote account creation on the Mattermost instance, with the attacker intercepting private messages intended for plugins. The impact is primarily confidentiality leakage with potential to disrupt plugin functionality.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mattermost

unaffected

Version	Status	Constraints
`11.6.0`	affected	≤ 11.6.1
`11.5.0`	affected	≤ 11.5.4
`10.11.0`	affected	≤ 10.11.15
`10.11.0`	affected	≤ 10.11.16
`11.7.0`	unaffected	—
`11.6.2`	unaffected	—
`11.5.5`	unaffected	—
`10.11.16`	unaffected	—
`10.11.17`	unaffected	—

No data.

Vendor Product Confidence Versions

Mattermost

100%

Version	Status	Scheme	Platform
`[11.6.0,11.6.1]`	affected	semver	—
`[11.5.0,11.5.4]`	affected	semver	—
`[10.11.0,10.11.15]`	affected	semver	—
`[10.11.0,10.11.16]`	affected	semver	—
`11.7.0`	unaffected	semver	—
`11.6.2`	unaffected	semver	—
`11.5.5`	unaffected	semver	—
`10.11.16`	unaffected	semver	—
`10.11.17`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17 or higher.

OpenCVE Recommended Actions

Update Mattermost to a patched release (minimum 11.7.0, 11.6.2, 11.5.5, 10.11.16, or 10.11.17).
As an interim measure, disable or restrict direct‑message channels for plugins until the update is applied.
Continuously monitor user accounts for names that match known bot usernames and review direct‑message logs for anomalous activity.

Generated by OpenCVE AI on June 12, 2026 at 18:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00031.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://mattermost.com/security-updates

History

Fri, 12 Jun 2026 18:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mattermost Mattermost mattermost
Vendors & Products		Mattermost Mattermost mattermost

Fri, 12 Jun 2026 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 12 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels by pre-registering a user account with a predictable plugin bot username.. Mattermost Advisory ID: MMSA-2026-00649
Title		Plugin bot username conflict allows user account to be used as bot identity in Mattermost Server
Weaknesses		CWE-200
References		https://mattermost.com/security-updates
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Mattermost Mattermost

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2026-06-12T15:52:33.505Z

Updated: 2026-06-12T17:18:30.553Z

Reserved: 2026-04-09T19:20:26.868Z

Link: CVE-2026-6046

Vulnrichment

Updated: 2026-06-12T17:18:27.704Z

NVD

Status : Received

Published: 2026-06-12T17:16:26.957

Modified: 2026-06-12T17:16:26.957

Link: CVE-2026-6046

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T19:00:21Z

Weaknesses

CWE-200
Exposure of Sensitive Information to an Unauthorized Actor

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object