Description
Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to, which allows a user that is a member of multiple groups to create issues in a locked group via direct API requests. Mattermost Advisory ID: MMSA-2026-00602
Published: 2026-05-18
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability results from missing API‑level permission checks in Mattermost plugins, allowing an authenticated user who belongs to multiple groups to create issues in a group that is configured as locked. This flaw does not enable code execution or privilege escalation beyond the user’s own group memberships, but it permits unauthorized content creation in protected groups, potentially disrupting collaboration and violating group isolation policies.

Affected Systems

Mattermost plugins with versions up to 11.5, 11.1.5, 10.13.11, and 11.3.4.0 are vulnerable. Any Mattermost installation running these plugin versions may allow an attacker to create issues in locked groups via the REST API.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact. EPSS is not available and the vulnerability is not listed in CISA’s KEV catalog, so the likelihood of exploitation is unknown but potentially low to moderate. The attack vector is directly through the API; an attacker only needs an authenticated account that is a member of more than one group. No elevated privileges or remote code execution are required, but the flaw permits bypassing intended group restrictions.

Generated by OpenCVE AI on May 18, 2026 at 09:20 UTC.

Remediation

Vendor Solution

Update Mattermost Plugins to versions 11.6.0, 11.5.2, 10.11.14, 11.4.4 or higher.


OpenCVE Recommended Actions

  • Update Mattermost plugins to any of the fixed releases: 11.6.0, 11.5.2, 10.11.14, 11.4.4 or newer.
  • After updating, confirm that the group lock settings block API calls to create issues for locked groups and that correct role‑based access controls are in place.
  • If an immediate update is not possible, temporarily disable direct issue creation via the API for locked groups or enforce stricter role restrictions until the plugin is patched.

Generated by OpenCVE AI on May 18, 2026 at 09:20 UTC.

Tracking


Advisories

No advisories yet.

References
History

Mon, 18 May 2026 09:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Mattermost; Mattermost mattermost
Vendors & Products  |                | Mattermost; Mattermost mattermost

Mon, 18 May 2026 08:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to, which allows a user that is a member of multiple groups to create issues in a locked group via direct API requests. Mattermost Advisory ID: MMSA-2026-00602
Title       |                | Incomplete group locking implementation
Weaknesses  |                | CWE-863
References  |                | (none listed)
Metrics     |                | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Mattermost Mattermost
MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-05-18T07:05:03.305Z

Reserved: 2026-04-15T10:36:38.308Z

Link: CVE-2026-6341

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-18T08:16:14.580

Modified: 2026-05-18T08:16:14.580

Link: CVE-2026-6341

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T09:30:22Z

Weaknesses