Impact
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to validate channel ownership of an existing subscription before applying edits. This flaw allows an authenticated attacker to send a crafted PUT request to the subscription edit endpoint and hijack subscriptions belonging to channels that they do not have access to. The vulnerability enables the attacker to divert or manipulate subscription data that belongs to other users, compromising confidentiality and integrity of subscription information and potentially exposing underlying channel content.
Affected Systems
Mattermost versions 10.11.x through 11.7.0 are affected, including 10.11.0 to 10.11.17, 11.5.0 to 11.5.5, 11.6.0 to 11.6.2, and 11.7.0 and earlier. The vulnerability uses the subscription edit API and requires authentication. All installations that utilize the subscription feature and expose the API endpoint are at risk.
Risk and Exploitability
The CVSS score of 6.4 classifies the issue as a medium severity vulnerability. The EPSS data is not available, so the current exploitation probability cannot be quantified. It is not listed in the CISA KEV catalog. The flaw is exploitable by any legitimate user who has a valid authentication token for the Mattermost server and can construct the appropriate request payload. Because the vulnerability does not require privilege beyond normal user access, the attack surface is broad across organizations that use the subscription feature.
OpenCVE Enrichment