Description
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 Fail to validate channel ownership of an existing subscription before applying edits which allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT request to the subscription edit endpoint.. Mattermost Advisory ID: MMSA-2026-00650
Published: 2026-06-22
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to validate channel ownership of an existing subscription before applying edits. This flaw allows an authenticated attacker to send a crafted PUT request to the subscription edit endpoint and hijack subscriptions belonging to channels that they do not have access to. The vulnerability enables the attacker to divert or manipulate subscription data that belongs to other users, compromising confidentiality and integrity of subscription information and potentially exposing underlying channel content.

Affected Systems

Mattermost versions 10.11.x through 11.7.0 are affected, including 10.11.0 to 10.11.17, 11.5.0 to 11.5.5, 11.6.0 to 11.6.2, and 11.7.0 and earlier. The vulnerability uses the subscription edit API and requires authentication. All installations that utilize the subscription feature and expose the API endpoint are at risk.

Risk and Exploitability

The CVSS score of 6.4 classifies the issue as a medium severity vulnerability. The EPSS data is not available, so the current exploitation probability cannot be quantified. It is not listed in the CISA KEV catalog. The flaw is exploitable by any legitimate user who has a valid authentication token for the Mattermost server and can construct the appropriate request payload. Because the vulnerability does not require privilege beyond normal user access, the attack surface is broad across organizations that use the subscription feature.

Generated by OpenCVE AI on June 22, 2026 at 15:05 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.8.0, 11.7.1, 11.6.3, 11.5.6, 10.11.18 or higher.


OpenCVE Recommended Actions

  • Update Mattermost to version 11.8.0, 11.7.1, 11.6.3, 11.5.6, 10.11.18 or any later release as specified by the vendor
  • After upgrading, confirm that subscription edit requests now validate channel ownership before applying changes
  • Review recent subscription edits for unauthorized moves and roll back any inappropriate changes if discovered

Generated by OpenCVE AI on June 22, 2026 at 15:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
History

Mon, 22 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Mon, 22 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 Fail to validate channel ownership of an existing subscription before applying edits which allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT request to the subscription edit endpoint.. Mattermost Advisory ID: MMSA-2026-00650
Title IDOR in Jira plugin subscription edit endpoint
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L'}


Subscriptions

Mattermost Mattermost
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-06-22T15:41:48.877Z

Reserved: 2026-04-10T10:57:59.278Z

Link: CVE-2026-6062

cve-icon Vulnrichment

Updated: 2026-06-22T15:41:39.233Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T15:45:03Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key