Description
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate that an assigned incoming webhook user has access to the target team or channel, which allows a requester with webhook management permissions to create posts or direct messages attributed to another user via crafted incoming webhook configuration and payloads.. Mattermost Advisory ID: MMSA-2026-00683
Published: 2026-07-13
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mattermost versions up to 11.7.2, 11.6.4, and 10.11.19 incorrectly allow a configured incoming webhook to post or send direct messages as an arbitrary user without verifying that the webhook’s owner has proper access to the target team or channel. This flaw can enable an attacker who has webhook‑management permissions to impersonate other users, potentially leaking confidential information or misleading stakeholders. The weakness is a lack of proper authorization controls (CWE‑639).

Affected Systems

The vulnerability impacts Mattermost installations running any of the following: 10.11.x up to 10.11.19, 11.6.x up to 11.6.4, or 11.7.x up to 11.7.2. Upgrading to 11.8.0, 11.7.3, 11.6.5, 10.11.20 or later eliminates the flaw.

Risk and Exploitability

With a CVSS score of 4.9, the flaw is assessed as moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker to hold webhook‑management permission, after which they can craft the webhook configuration and payload to create messages or direct messages attributable to any user. The vector is inferred to be remote, via manipulation of the incoming webhook mechanism. The impact is limited to impersonation and potential data leakage within the affected Mattermost instance.

Generated by OpenCVE AI on July 13, 2026 at 17:25 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher.


OpenCVE Recommended Actions

  • Apply the Mattermost update to 11.8.0 or later to remove the authorization bypass in incoming webhook handling.
  • Review all existing incoming webhook configurations, ensuring each webhook’s owner has legitimate access to the intended team or channel, and re‑configure or delete any that do not meet this criterion.
  • Restrict webhook‑management permissions to the minimum set of trusted roles and periodically audit those permissions to maintain least privilege for this sensitive capability.

Generated by OpenCVE AI on July 13, 2026 at 17:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
History

Mon, 13 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Jul 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Mon, 13 Jul 2026 08:45:00 +0000

Type Values Removed Values Added
Description Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate that an assigned incoming webhook user has access to the target team or channel, which allows a requester with webhook management permissions to create posts or direct messages attributed to another user via crafted incoming webhook configuration and payloads.. Mattermost Advisory ID: MMSA-2026-00683
Title Incoming webhook user attribution via unvalidated webhook owner
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N'}


Subscriptions

Mattermost Mattermost
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-07-13T14:45:16.207Z

Reserved: 2026-05-27T13:46:27.399Z

Link: CVE-2026-9708

cve-icon Vulnrichment

Updated: 2026-07-13T14:44:59.987Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-13T17:30:04Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key