Description
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the manage_secure_connections permission to obtain remote cluster authentication tokens via a PATCH request to the remote cluster endpoint. Mattermost Advisory ID: MMSA-2026-00662
Published: 2026-06-12
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Affected Mattermost releases (the 11.6.x, 11.5.x and 10.11.x branches listed above) fail to sanitize the Remote Cluster API response on PATCH operations, exposing remote cluster authentication tokens to any authenticated user with the manage_secure_connections permission. This credential leakage allows an attacker who already has authorized access to the Mattermost instance to obtain tokens that authenticate to remote clusters, potentially facilitating unauthorized control of, or data exfiltration from, those clusters.

Affected Systems

Vendor: Mattermost; product: Mattermost. Affected versions are 11.6.x up to 11.6.1, 11.5.x up to 11.5.4, and 10.11.x up to 10.11.15. The vulnerability is resolved in the patched releases 11.7.0, 11.6.2, 11.5.5 and 10.11.17, and in any newer version.

Risk and Exploitability

The CVSS score of 6.5 signals a moderate severity risk. The EPSS score is not available and the vulnerability is not present in CISA's KEV catalog, suggesting limited exploitation in the wild. Exploitation requires an authenticated user holding the manage_secure_connections permission, which constrains the attack surface to already-privileged administrators. However, once the tokens are leaked, they could be used for lateral movement into, or unauthorized access to, remote cluster resources.

Generated by OpenCVE AI on June 12, 2026 at 18:23 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.17 or higher.


OpenCVE Recommended Actions

  • Upgrade Mattermost to a patched version (11.7.0, 11.6.2, 11.5.5, 10.11.17, or later).
  • Restrict the manage_secure_connections permission to trusted administrators only and review user roles.
  • If upgrading immediately is not possible, temporarily disable the Remote Cluster feature or remove exposed tokens from the cluster configuration until the patch can be applied.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 19:15:00 +0000

Type: First Time appeared. Values removed: none. Values added: Mattermost (vendor), Mattermost mattermost (product).
Type: Vendors & Products. Values removed: none. Values added: Mattermost (vendor), Mattermost mattermost (product).

Fri, 12 Jun 2026 18:30:00 +0000

Type: Metrics (ssvc). Values removed: none. Values added:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 17:15:00 +0000

Type: Description. Values removed: none. Values added: Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the manage_secure_connections permission to obtain remote cluster authentication tokens via a PATCH request to the remote cluster endpoint. Mattermost Advisory ID: MMSA-2026-00662
Type: Title. Values added: Mattermost Remote Cluster PATCH API Leaks Authentication Tokens
Type: Weaknesses. Values added: CWE-201
Type: References. Values added: none listed.
Type: Metrics (cvssV3_1). Values added:

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Mattermost Mattermost
MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-06-12T17:19:11.611Z

Reserved: 2026-04-27T10:44:00.842Z

Link: CVE-2026-7184

Vulnrichment

Updated: 2026-06-12T17:19:08.585Z

NVD

Status: Received

Published: 2026-06-12T17:16:27.530

Modified: 2026-06-12T17:16:27.530

Link: CVE-2026-7184

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T19:00:20Z

Weaknesses
  • CWE-201: Insertion of Sensitive Information Into Sent Data