PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10106 Mattermost CVE debrief

CVE-2026-10106 is a vulnerability in Mattermost that allows an authenticated user without access to a private channel to trigger interactive post actions on posts in that channel. The vulnerability occurs because Mattermost fails to verify that the channel referenced in an action cookie matches the channel of the target post. This allows an authenticated user without access to a private channel to trigger interactive post actions on posts in that channel via a cookie obtained from any accessible channel. The vulnerability affects Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, and 10.11.x <= 10.11.19.

Vendor
Mattermost
Product
Unknown
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Users of Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, and 10.11.x <= 10.11.19 should be aware of this vulnerability and take steps to mitigate it. This includes updating Mattermost to a version that is not vulnerable, restricting access to sensitive channels, and monitoring for suspicious activity.

Technical summary

The vulnerability occurs because Mattermost fails to verify that the channel referenced in an action cookie matches the channel of the target post. This allows an authenticated user without access to a private channel to trigger interactive post actions on posts in that channel via a cookie obtained from any accessible channel. The vulnerability affects Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, and 10.11.x <= 10.11.19. There is no evidence of exploitation in the wild.

Defensive priority

Medium

Recommended defensive actions

  • Update Mattermost to a version that is not vulnerable
  • Restrict access to sensitive channels
  • Monitor for suspicious activity
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-13T09:16:23.770Z and has not been modified since then. The NVD entry is currently Received. The vulnerability affects Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, and 10.11.x <= 10.11.19. There is no evidence of exploitation in the wild. The CVE record was assigned by CVE.org.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T09:16:23.770Z and has not been modified since then.