Description
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands, which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofed Host header. Mattermost Advisory ID: MMSA-2026-00582
Published: 2026-05-18
Score: 3.5 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because Mattermost builds response URLs for custom slash commands without validating the Host header, so an authenticated attacker who spoofs that header can have the slash command response delivered to an attacker-controlled server. The attacker can then read the command response payload, potentially exposing sensitive data returned by the slash command. The flaw is a form of SSRF (CWE-918) that can leak confidential information to an external system.

Affected Systems

The issue affects Mattermost instances running version 11.5.1 or earlier, as well as versions 10.11.13 and earlier. Any environment where the vulnerable versions are deployed and custom slash commands are enabled is susceptible. The official advisory recommends updating to 11.6.0, 11.5.2, or 10.11.14 and later releases.

Risk and Exploitability

The CVSS base score of 3.5 indicates low severity, and there is no EPSS score, signaling a low documented exploitation probability. The vulnerability requires that the attacker already have authenticated access to the Mattermost instance or a foothold within the network. While the leak can expose internal data, it does not allow arbitrary code execution or privilege escalation on the server itself. Organizations should treat this as a low-to-moderate risk that is mitigated by applying the fixed release.

Generated by OpenCVE AI on May 18, 2026 at 10:22 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.6.0, 11.5.2, 10.11.14 or higher.


OpenCVE Recommended Actions

  • Upgrade Mattermost to the latest supported release (10.11.14+, 11.5.2+, or 11.6.0+).
  • If an immediate upgrade is not possible, temporarily disable custom slash commands or restrict them to a trusted domain.
  • Configure the application server or reverse proxy to validate the Host header and reject requests with spoofed values.

Generated by OpenCVE AI on May 18, 2026 at 10:22 UTC.
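As an added illustration (not Mattermost code and not part of the OpenCVE analysis), the Go snippet below contrasts building a slash command response URL from the request Host header with building it from a configured site URL, and shows the allowlist check a reverse proxy or application layer would apply to the Host header; `siteURL`, the `/hooks/commands/` path and the hostnames are assumed values.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// Assumed value, not a Mattermost setting name: the admin-configured public URL.
const siteURL = "https://chat.example.com"

// responseURLFromHost is the weak pattern the advisory describes: the callback URL
// is built from the client-supplied Host header, so whoever controls that header
// controls where the slash command response is delivered.
func responseURLFromHost(r *http.Request, commandID string) string {
	return "https://" + r.Host + "/hooks/commands/" + commandID
}

// responseURLFromConfig builds the callback URL from the trusted configured site
// URL instead; a spoofed Host header cannot influence it.
func responseURLFromConfig(commandID string) string {
	return siteURL + "/hooks/commands/" + url.PathEscape(commandID)
}

// hostAllowed is the proxy/application-layer check from the recommended actions:
// the Host header (port stripped, case-folded, trailing dot removed) must exactly
// match one of the hostnames the deployment actually serves.
func hostAllowed(host string, allowed []string) bool {
	h := host
	if name, _, err := net.SplitHostPort(host); err == nil {
		h = name
	}
	h = strings.ToLower(strings.TrimSuffix(h, "."))
	for _, a := range allowed {
		if h == strings.ToLower(a) {
			return true
		}
	}
	return false
}

func main() {
	r, _ := http.NewRequest("POST", "/api/v4/commands/execute", nil)
	r.Host = "attacker.example" // constructed spoofed Host for the demo
	fmt.Println(responseURLFromHost(r, "cmd1"), responseURLFromConfig("cmd1"))
	fmt.Println(hostAllowed(r.Host, []string{"chat.example.com"}))
}
```

A request whose Host fails `hostAllowed` should be rejected (for example with 421 Misdirected Request) before any URL-building handler runs.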

Tracking


Advisories

No advisories yet.

References
History

Mon, 18 May 2026 10:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Mattermost
                                       Mattermost mattermost
Vendors & Products                     Mattermost
                                       Mattermost mattermost

Mon, 18 May 2026 09:00:00 +0000

Type          Values Removed   Values Added
Description                    Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofed Host header.. Mattermost Advisory ID: MMSA-2026-00582
Title                          SSRF via Host Header Spoofing in Custom Slash Commands
Weaknesses                     CWE-918
References
Metrics                        cvssV3_1 {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-05-18T08:41:29.342Z

Reserved: 2026-04-15T08:51:33.309Z

Link: CVE-2026-6333

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-18T09:16:23.430

Modified: 2026-05-18T09:16:23.430

Link: CVE-2026-6333

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T10:30:23Z

Weaknesses