Description
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation, which allows a user with an existing WebSocket connection to remain authenticated and continue receiving real-time events until the cached session expires or the client reconnects.. Mattermost Advisory ID: MMSA-2026-00664
Published: 2026-06-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mattermost versions 11.7.x through 10.11.x fail to invalidate the cached authentication state for active WebSocket connections when a global session revocation event occurs. As a result, a user who already has an open WebSocket connection remains authenticated and continues to receive real‑time updates until the cached session expires or the client reconnects. This gives an attacker with a valid session the ability to maintain a privileged connection beyond the intended revocation period, potentially exposing sensitive data or allowing continued interaction with the system.

Affected Systems

Affected systems are Mattermost installations running the following versions: 11.7.0 and earlier, 11.6.2 and earlier, 11.5.5 and earlier, and 10.11.17 and earlier. The issue is present only in the mentioned releases and not in newer Mattermost releases.

Risk and Exploitability

The CVSS score is 4.3, which places the vulnerability in the moderate range. EPSS data is not available and the vulnerability is not listed in the current CISA KEV catalog. Exploitation requires that an attacker already has an active WebSocket session when a global revocation is performed. The attacker can then maintain authenticated activity until the session cache naturally expires or the client side reconnects, providing an unintentional persistence of access.

Generated by OpenCVE AI on June 22, 2026 at 14:36 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.8.0, 11.7.1, 11.6.3, 11.5.6, 10.11.18 or higher.


OpenCVE Recommended Actions

  • Update Mattermost to version 11.8.0, 11.7.1, 11.6.3, 11.5.6, 10.11.18 or any later release as specified in the official advisory.
  • Review and test that global session revocation properly clears cached state for all active WebSocket connections in your deployment.
  • As a short‑term workaround, configure client applications to explicitly terminate and reconnect WebSocket connections immediately after a global revocation event.

Generated by OpenCVE AI on June 22, 2026 at 14:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
History

Mon, 22 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation, which allows a user with an existing WebSocket connection to remain authenticated and continue receiving real-time events until the cached session expires or the client reconnects.. Mattermost Advisory ID: MMSA-2026-00664
Title Global session revocation does not invalidate active WebSocket connections
Weaknesses CWE-613
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Mattermost Mattermost
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-06-22T15:40:07.851Z

Reserved: 2026-05-21T11:17:28.560Z

Link: CVE-2026-9162

cve-icon Vulnrichment

Updated: 2026-06-22T15:40:00.175Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T16:15:16Z

Weaknesses
  • CWE-613

    Insufficient Session Expiration