PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6046 Mattermost CVE debrief

CVE-2026-6046 is a medium-severity vulnerability in Mattermost, a popular communication platform. The issue arises from the platform's failure to validate that a username returned during bot registration belongs to a bot account. This oversight allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels by pre-registering a user account with a predictable plugin bot username.

Vendor
Mattermost
Product
Unknown
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-12
Original CVE updated
2026-06-12
Advisory published
2026-06-12
Advisory updated
2026-06-12

Who should care

Users of Mattermost, particularly those who have plugins installed that send private messages via direct message channels, should be aware of this vulnerability. Administrators of Mattermost instances should prioritize patching to prevent potential exploitation.

Technical summary

The root cause is that, during bot registration, Mattermost does not validate that the account matching the requested bot username is itself a bot account. Affected versions are 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, and 10.11.x <= 10.11.16. An unprivileged attacker who pre-registers an ordinary user account under a predictable plugin bot username can therefore receive the direct messages a plugin sends through that username.

Defensive priority

Medium

Recommended defensive actions

  • Apply patches or updates provided by Mattermost to address the vulnerability.
  • Review and update Mattermost instances to ensure they are running a version that has addressed this issue.
  • Monitor for any suspicious activity related to bot registrations and private message channels.
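The following Go snippet is an added illustration of the missing check described in the technical summary and of the account review suggested in the monitoring bullet above. It is not Mattermost's code and does not use the Mattermost API: the `User` type, its `IsBot` field, the `LookupFunc` signature and the sample usernames are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// User is a minimal stand-in for a chat platform's user record
// (constructed for this example; not Mattermost's model type).
type User struct {
	Id       string
	Username string
	IsBot    bool
}

// ErrNotBot is returned when a username lookup resolves to an ordinary
// account instead of a bot account.
var ErrNotBot = errors.New("username belongs to a non-bot account")

// LookupFunc resolves a username to a user record; (nil, nil) means no
// account exists with that username. Hypothetical signature.
type LookupFunc func(username string) (*User, error)

// ResolveBotUser looks up the username a plugin expects its bot to have
// and refuses the result unless the account is flagged as a bot. This is
// the validation the advisory describes as missing: without it, a plugin
// that sends direct messages via the resolved user id would deliver them
// to whoever registered that username first.
func ResolveBotUser(lookup LookupFunc, username string) (*User, error) {
	u, err := lookup(username)
	if err != nil {
		return nil, err
	}
	if u == nil {
		// No account with that name; the caller may create the bot.
		return nil, nil
	}
	if !u.IsBot {
		return nil, fmt.Errorf("%w: %q (id %s)", ErrNotBot, username, u.Id)
	}
	return u, nil
}

// FindSquattedBotNames returns every expected bot username that is
// currently held by a non-bot account. Run over an export of existing
// accounts, it gives administrators a review list of usernames to check
// after patching.
func FindSquattedBotNames(users []User, expected []string) []string {
	byName := make(map[string]User, len(users))
	for _, u := range users {
		byName[u.Username] = u
	}
	var squatted []string
	for _, name := range expected {
		if u, ok := byName[name]; ok && !u.IsBot {
			squatted = append(squatted, name)
		}
	}
	return squatted
}

// LookupIn builds a LookupFunc over an in-memory slice of users.
func LookupIn(users []User) LookupFunc {
	return func(username string) (*User, error) {
		for i := range users {
			if users[i].Username == username {
				return &users[i], nil
			}
		}
		return nil, nil
	}
}

// SampleUsers is constructed data: one real bot and one ordinary account
// registered under a name a plugin's bot would use.
var SampleUsers = []User{
	{Id: "b1", Username: "jirabot", IsBot: true},
	{Id: "u7", Username: "feedbackbot", IsBot: false},
}

func main() {
	lookup := LookupIn(SampleUsers)
	for _, name := range []string{"jirabot", "feedbackbot", "newbot"} {
		u, err := ResolveBotUser(lookup, name)
		fmt.Printf("%-12s user=%v err=%v\n", name, u, err)
	}
	fmt.Println("review list:", FindSquattedBotNames(SampleUsers, []string{"jirabot", "feedbackbot"}))
}
```

The important design point is that the check keys on the account's bot flag, not on the username alone: a username match is exactly what the attacker controls, so it cannot be the thing that authorizes delivery of plugin messages.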

Evidence notes

The CVE-2026-6046 vulnerability has been documented by Mattermost and is tracked under Mattermost Advisory ID: MMSA-2026-00649. For more information, refer to the official CVE record [cve-org] and the NVD detail page [nvd].

Official resources

CVE-2026-6046 was published on 2026-06-12T17:16:26.957Z and has not been modified since its publication.