Description
Mattermost Plugins versions <=11.5, 11.1.5, 10.13.11, 11.3.4.0 fail to appropriately check for valid namespaces, which allows plugin users to create subscriptions to groups that were not whitelisted by creating groups that share the same prefix as a whitelisted group. Mattermost Advisory ID: MMSA-2026-00601
Published: 2026-05-18
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mattermost Plugins versions up to and including the ones listed fail to properly validate namespace prefixes when creating group subscriptions. A plugin user can craft a group name that shares its prefix with an approved group and thereby obtain a subscription to a group that was never whitelisted, without the required authorization. The flaw is an authorization bypass (CWE-863, incorrect authorization): the namespace check matches on a string prefix rather than on the exact whitelisted namespace, so an attacker can subscribe to groups outside the whitelist and potentially receive messages or data that should be restricted.

Affected Systems

The flaw affects Mattermost Plugins for the Mattermost collaboration platform. Vulnerable versions are those up to and including 11.5, 11.1.5, 10.13.11, and 11.3.4.0. Administrators should confirm the installed plugin version and apply the available updates as soon as possible.

Risk and Exploitability

The CVSS score of 4.3 categorizes this issue as moderate risk. The vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) requires only low privileges and no user interaction, so a plugin user with permission to create groups could exploit the flaw by choosing a group name that collides with a whitelisted prefix; however, no exploitation code is publicly documented and no EPSS score is available, indicating a low but uncertain probability of exploitation. The vulnerability is also not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 18, 2026 at 09:20 UTC.

Remediation

Vendor Solution

Update Mattermost Plugins to versions 11.6.0, 11.5.2, 10.11.14, 11.4.4 or higher.


OpenCVE Recommended Actions

  • Update Mattermost Plugins to a safe version (11.6.0, 11.5.2, 10.11.14, 11.4.4 or higher).
  • If immediate updating is not possible, disable or remove the vulnerable plugin until the patch is applied.
  • Re-evaluate group namespace policies to enforce explicit whitelist checks and prevent unintended prefix matching.
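To make the last point concrete, the following Go program (an added example, not code from Mattermost or its plugins) contrasts a prefix-only namespace check with a hardened one that only accepts an exact whitelisted namespace or a child separated by "/". The whitelist contents, group names and the "/" separator are all constructed assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample whitelist of group namespaces approved for subscriptions.
// Hypothetical data; not Mattermost's configuration format.
var allowedNamespaces = []string{"acme/platform", "acme/security"}

// canSubscribePrefixOnly reproduces the flawed pattern the advisory describes:
// a group is accepted if any whitelisted namespace is a plain string prefix of
// its name, so "acme/platform-evil" passes because it starts with "acme/platform".
func canSubscribePrefixOnly(group string) bool {
	for _, ns := range allowedNamespaces {
		if strings.HasPrefix(group, ns) {
			return true
		}
	}
	return false
}

// canSubscribe is the hardened check: the group must equal a whitelisted
// namespace exactly, or sit below it with an explicit "/" boundary.
// Treating "/" as the namespace separator is an assumption of this example.
func canSubscribe(group string) bool {
	for _, ns := range allowedNamespaces {
		if group == ns || strings.HasPrefix(group, ns+"/") {
			return true
		}
	}
	return false
}

func main() {
	for _, g := range []string{"acme/platform", "acme/platform/ci", "acme/platform-evil", "acme/platformx", "acme"} {
		fmt.Printf("%-20s prefix-only=%-5v hardened=%v\n", g, canSubscribePrefixOnly(g), canSubscribe(g))
	}
}
```

Only the two rows with a real namespace boundary ("acme/platform" and "acme/platform/ci") remain accepted by the hardened check; the prefix collisions are rejected.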


Advisories

No advisories yet.

References
History

Mon, 18 May 2026 10:15:00 +0000

Type: First Time appeared. Values added: Mattermost; Mattermost mattermost
Type: Vendors & Products. Values added: Mattermost; Mattermost mattermost

Mon, 18 May 2026 08:00:00 +0000

Type: Description. Values added: Mattermost Plugins versions <=11.5, 11.1.5, 10.13.11, 11.3.4.0 fail to appropriately check for valid namespaces, which allows plugin users to create subscriptions to groups that were not whitelisted by creating groups that share the same prefix as a whitelisted group. Mattermost Advisory ID: MMSA-2026-00601
Type: Title. Values added: Group prefix matching bypass for subscriptions
Type: Weaknesses. Values added: CWE-863
Type: References. Values added: (none)
Type: Metrics. Values added: cvssV3_1, score 4.3, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-05-18T07:00:24.969Z

Reserved: 2026-04-15T10:38:08.317Z

Link: CVE-2026-6342

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-18T08:16:14.717

Modified: 2026-05-18T08:16:14.717

Link: CVE-2026-6342

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T10:00:12Z

Weaknesses