PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-28759 Mattermost CVE debrief

CVE-2026-28759 is a Mattermost server authorization flaw in shared channel membership synchronization. A malicious remote cluster can send crafted membership sync messages and remove users from channels it is not allowed to access, including private channels. NVD rates the issue CVSS 4.3 (MEDIUM).

Vendor: Mattermost
Product: Mattermost Server
CVSS: 4.3 MEDIUM
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-18
Advisory published: 2026-05-18
Advisory updated: 2026-05-18

Who should care

Mattermost administrators and security teams running shared channels or remote-cluster synchronization should care most, especially if they operate affected server versions in the 10.11.x, 11.4.x, or 11.5.x release lines.

Technical summary

Mattermost Server did not verify that a remote cluster actually had access to a channel before acting on a membership removal received during shared channel membership sync. Because the server trusted the remote's claim instead of its own record of which channels are shared with which remote, a malicious remote cluster can name channels it was never given access to, including private channels, and remove any user from them. NVD maps the issue to CWE-863 (Incorrect Authorization) and lists affected versions as Mattermost Server 10.11.0 through 10.11.13, 11.4.0 through 11.4.3, and 11.5.0 through 11.5.1.
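The authorization gap above, reduced to a minimal in-memory model (added example; this is not Mattermost's code, and the channel, remote and user names, the `sharedWith` map standing in for the server's shared-channel-remote records, and the handler names are all constructed for illustration). The vulnerable handler honours any removal a connected remote sends; the hardened one first checks the server's own record of whether the channel is shared with that remote, and only then touches membership:

```go
package main

import (
	"errors"
	"fmt"
)

// Added example, not Mattermost code: a constructed in-memory model of a
// server that receives membership-sync messages from remote clusters.
type Channel struct {
	ID      string
	Private bool
	Members map[string]bool // user IDs currently in the channel
}

type Server struct {
	channels map[string]*Channel
	// sharedWith records which remote clusters each channel has been shared
	// with (assumed stand-in for the server's shared-channel-remote records).
	sharedWith map[string]map[string]bool // channelID -> remoteID -> true
}

var (
	ErrNoChannel = errors.New("no such channel")
	ErrNotShared = errors.New("channel is not shared with this remote cluster")
)

// NewSampleServer builds constructed sample data: a public channel shared
// with remote "partner-a" and a private channel that is shared with nobody.
func NewSampleServer() *Server {
	return &Server{
		channels: map[string]*Channel{
			"town-square": {ID: "town-square", Members: map[string]bool{"alice": true, "bob": true}},
			"secops":      {ID: "secops", Private: true, Members: map[string]bool{"alice": true, "carol": true}},
		},
		sharedWith: map[string]map[string]bool{
			"town-square": {"partner-a": true},
		},
	}
}

// IsMember reports whether userID is currently in channelID.
func (s *Server) IsMember(channelID, userID string) bool {
	ch, ok := s.channels[channelID]
	return ok && ch.Members[userID]
}

// RemoveMemberVulnerable reproduces the CWE-863 gap the advisory describes:
// the handler trusts the remote's message and never asks whether this remote
// is a party to the channel it names.
func (s *Server) RemoveMemberVulnerable(remoteID, channelID, userID string) error {
	ch, ok := s.channels[channelID]
	if !ok {
		return ErrNoChannel
	}
	delete(ch.Members, userID) // any connected remote can remove anyone, anywhere
	return nil
}

// RemoveMemberHardened adds the missing check: the removal is honoured only
// if the server's own records say the channel is shared with this remote.
// Authorization runs before the channel lookup, so an unauthorised remote
// gets the same error whether or not the channel exists.
func (s *Server) RemoveMemberHardened(remoteID, channelID, userID string) error {
	if !s.sharedWith[channelID][remoteID] {
		return ErrNotShared
	}
	ch, ok := s.channels[channelID]
	if !ok {
		return ErrNoChannel
	}
	delete(ch.Members, userID)
	return nil
}

func main() {
	s := NewSampleServer()
	// A hostile remote "evil" that was never shared the private channel.
	err := s.RemoveMemberVulnerable("evil", "secops", "alice")
	fmt.Printf("vulnerable: err=%v, alice still a member: %v\n", err, s.IsMember("secops", "alice"))

	s = NewSampleServer()
	err = s.RemoveMemberHardened("evil", "secops", "alice")
	fmt.Printf("hardened:   err=%v, alice still a member: %v\n", err, s.IsMember("secops", "alice"))

	// The legitimate partner can still act on the channel it actually shares.
	err = s.RemoveMemberHardened("partner-a", "town-square", "bob")
	fmt.Printf("partner-a on shared channel: err=%v, bob still a member: %v\n", err, s.IsMember("town-square", "bob"))
}
```

The design point is that the decision is made from state the local server controls (its own sharing records), not from anything carried in the sync message, and that it happens before any mutation. A fuller fix would also confirm that the user being removed was synced from that remote rather than being a purely local member, which the model above leaves out.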

Defensive priority

Medium priority: the flaw is reachable over the network by any connected remote cluster, and a hostile or compromised remote can silently remove users from channels it was never given access to, including private ones. The NVD vector (PR:L, C:N/I:L/A:N) reflects that the attacker must already hold an accepted remote-cluster connection and that the scored impact is to membership integrity only, with no confidentiality or availability impact recorded.

Recommended defensive actions

  • Upgrade Mattermost Server to a fixed release: 10.11.14 or later, 11.4.4 or later, or 11.5.2 or later.
  • Review your use of shared channels and remote-cluster synchronization, and restrict connections to trusted partners only. Exploitation requires an accepted remote-cluster connection (the NVD vector carries PR:L), so an instance with no remote connections is not exposed through this path, but should still be patched.
  • Monitor for unexpected channel membership removals in environments that use shared-channel sync, giving priority to private channels and to removals that neither the affected user nor a local administrator initiated.
  • Follow the vendor guidance on Mattermost's security updates page referenced by the advisory.
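One way to carry out the monitoring step, as an added example rather than anything shipped by Mattermost or the advisory: poll the channel member lists, keep the previous poll, and alert on every membership that disappears, flagging private channels first. The two JSON snapshots below are constructed for the example and use the `channel_id` and `user_id` keys of the Mattermost REST API's channel member object (GET /api/v4/channels/{channel_id}/members); everything else (channel names, user IDs, the `FindRemovals` helper) is assumed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// ChannelMember holds the two fields this check needs from a channel member
// object returned by the Mattermost REST API (assumed subset of the object).
type ChannelMember struct {
	ChannelID string `json:"channel_id"`
	UserID    string `json:"user_id"`
}

// Removal is a user present in the earlier snapshot but absent from the later one.
type Removal struct {
	ChannelID string
	UserID    string
	Private   bool
}

// membersByChannel indexes one snapshot as channelID -> set of userIDs.
func membersByChannel(raw []byte) (map[string]map[string]bool, error) {
	var members []ChannelMember
	if err := json.Unmarshal(raw, &members); err != nil {
		return nil, err
	}
	idx := make(map[string]map[string]bool)
	for _, m := range members {
		if idx[m.ChannelID] == nil {
			idx[m.ChannelID] = make(map[string]bool)
		}
		idx[m.ChannelID][m.UserID] = true
	}
	return idx, nil
}

// FindRemovals diffs two snapshots and reports every membership that
// disappeared, marking those in channels listed as private so they can be
// triaged first. The result is sorted so repeated runs alert consistently.
func FindRemovals(before, after []byte, privateChannels map[string]bool) ([]Removal, error) {
	prev, err := membersByChannel(before)
	if err != nil {
		return nil, err
	}
	cur, err := membersByChannel(after)
	if err != nil {
		return nil, err
	}
	var out []Removal
	for chID, users := range prev {
		for uID := range users {
			if !cur[chID][uID] { // missing channel or missing user both count
				out = append(out, Removal{ChannelID: chID, UserID: uID, Private: privateChannels[chID]})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].ChannelID != out[j].ChannelID {
			return out[i].ChannelID < out[j].ChannelID
		}
		return out[i].UserID < out[j].UserID
	})
	return out, nil
}

// Constructed sample snapshots (not real API output): between the two polls
// alice vanished from the private channel "secops" and bob from "town-square",
// while dave joined "secops".
var SnapshotBefore = []byte(`[
  {"channel_id":"town-square","user_id":"alice"},
  {"channel_id":"town-square","user_id":"bob"},
  {"channel_id":"secops","user_id":"alice"},
  {"channel_id":"secops","user_id":"carol"}
]`)

var SnapshotAfter = []byte(`[
  {"channel_id":"town-square","user_id":"alice"},
  {"channel_id":"secops","user_id":"carol"},
  {"channel_id":"secops","user_id":"dave"}
]`)

// SamplePrivate marks which sample channels are private (constructed).
var SamplePrivate = map[string]bool{"secops": true}

func main() {
	removals, err := FindRemovals(SnapshotBefore, SnapshotAfter, SamplePrivate)
	if err != nil {
		panic(err)
	}
	for _, r := range removals {
		tag := "public"
		if r.Private {
			tag = "PRIVATE"
		}
		fmt.Printf("removed: user=%s channel=%s (%s)\n", r.UserID, r.ChannelID, tag)
	}
}
```

In practice the snapshots come from the API for each channel that has a remote-cluster share, and a removal in a private channel with no matching local admin action or user-initiated leave is the signal worth escalating.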

Evidence notes

Source corpus shows an official NVD record marked "Analyzed" with CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N and CWE-863. The affected CPE ranges in NVD are Mattermost Server 10.11.0-10.11.13, 11.4.0-11.4.3, and 11.5.0-11.5.1. NVD references the Mattermost security updates page as the vendor advisory source.

Official resources

Publicly disclosed on 2026-05-18; the CVE record was modified the same day at 2026-05-18T19:17:19.280Z.