Impact
Mattermost versions up to 11.7.2, 11.6.4, and 10.11.19 incorrectly allow a configured incoming webhook to post or send direct messages as an arbitrary user without verifying that the webhook’s owner has proper access to the target team or channel. This flaw can enable an attacker who has webhook‑management permissions to impersonate other users, potentially leaking confidential information or misleading stakeholders. The weakness is a lack of proper authorization controls (CWE‑639).
Affected Systems
The vulnerability impacts Mattermost installations running any of the following: 10.11.x up to 10.11.19, 11.6.x up to 11.6.4, or 11.7.x up to 11.7.2. Upgrading to 11.8.0, 11.7.3, 11.6.5, 10.11.20 or later eliminates the flaw.
Risk and Exploitability
With a CVSS score of 4.9, the flaw is assessed as moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker to hold webhook‑management permission, after which they can craft the webhook configuration and payload to create messages or direct messages attributable to any user. The vector is inferred to be remote, via manipulation of the incoming webhook mechanism. The impact is limited to impersonation and potential data leakage within the affected Mattermost instance.
OpenCVE Enrichment