PatchSiren cyber security CVE debrief
CVE-2026-10106 Mattermost CVE debrief
CVE-2026-10106 is a vulnerability in Mattermost that allows an authenticated user without access to a private channel to trigger interactive post actions on posts in that channel. The vulnerability occurs because Mattermost fails to verify that the channel referenced in an action cookie matches the channel of the target post. This allows an authenticated user without access to a private channel to trigger interactive post actions on posts in that channel via a cookie obtained from any accessible channel. The vulnerability affects Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, and 10.11.x <= 10.11.19.
- Vendor
- Mattermost
- Product
- Unknown
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-13
Who should care
Users of Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, and 10.11.x <= 10.11.19 should be aware of this vulnerability and take steps to mitigate it. This includes updating Mattermost to a version that is not vulnerable, restricting access to sensitive channels, and monitoring for suspicious activity.
Technical summary
The vulnerability occurs because Mattermost fails to verify that the channel referenced in an action cookie matches the channel of the target post. This allows an authenticated user without access to a private channel to trigger interactive post actions on posts in that channel via a cookie obtained from any accessible channel. The vulnerability affects Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, and 10.11.x <= 10.11.19. There is no evidence of exploitation in the wild.
Defensive priority
Medium
Recommended defensive actions
- Update Mattermost to a version that is not vulnerable
- Restrict access to sensitive channels
- Monitor for suspicious activity
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-13T09:16:23.770Z and has not been modified since then. The NVD entry is currently Received. The vulnerability affects Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, and 10.11.x <= 10.11.19. There is no evidence of exploitation in the wild. The CVE record was assigned by CVE.org.
Official resources
-
CVE-2026-10106 CVE record
CVE.org
-
CVE-2026-10106 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T09:16:23.770Z and has not been modified since then.