PatchSiren cyber security CVE debrief
CVE-2026-6334 Mattermost CVE debrief
CVE-2026-6334 is a low-severity OAuth authorization flaw reported for Mattermost. According to the CVE description and NVD record, affected versions fail to enforce client identity binding during authorization code redemption, which can allow one authenticated OAuth client to redeem an authorization code issued to a different client. The issue was published on 2026-05-18 and the only cited vendor reference in the supplied corpus is Mattermost’s security updates page.
- Vendor: Mattermost
- Product: Unknown
- CVSS: LOW 3.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-18
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-18
- Advisory updated: 2026-05-18
Who should care
Mattermost administrators, teams operating OAuth integrations against Mattermost, and identity/security owners responsible for connected client apps should review this issue, especially if they run Mattermost 11.5.x up to 11.5.1 or 10.11.x up to 10.11.13.
Technical summary
The supplied NVD data describes a client-binding failure in the OAuth authorization code redemption flow: the server does not verify that the client redeeming a code is the client the code was issued to. The CVSS vector (AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N) indicates the flaw is reachable over the network, but exploitation requires high attack complexity, high privileges (an authenticated OAuth client) and user interaction. The cited weakness is CWE-305 (Authentication Bypass by Primary Weakness). The practical impact is limited confidentiality and integrity exposure within OAuth client trust boundaries; there is no availability impact.
Defensive priority
Moderate priority for environments using Mattermost OAuth clients. The severity is low, but the flaw affects authentication/authorization correctness and can undermine trust between OAuth clients if left unpatched.
Recommended defensive actions
- Confirm whether your Mattermost deployment is in the affected version ranges: 11.5.x up to 11.5.1 or 10.11.x up to 10.11.13.
- Review Mattermost’s security updates page and apply the vendor-recommended fixed release as soon as it is available in your maintenance path.
- Audit configured OAuth clients and redirect/trust relationships for unexpected cross-client authorization behavior.
- Monitor authentication and OAuth token exchange logs for unusual authorization code redemption patterns or client mismatches.
- If immediate patching is not possible, reduce exposure by limiting OAuth client usage to trusted integrations and tightening administrative oversight of connected apps.
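To make the client-binding failure in the technical summary concrete, and to show the kind of client-mismatch event the monitoring recommendation above looks for, here is an added example that is not Mattermost code: a minimal authorization-code store with the unbound (vulnerable) redemption pattern beside the bound (hardened) one. Client IDs, redirect URIs and the audit record format are constructed for illustration.

```python
import secrets
import time

# Constructed OAuth client registry (hypothetical; not Mattermost's data model).
CLIENTS = {"app-a": {"redirect_uri": "https://a.example/cb"},
           "app-b": {"redirect_uri": "https://b.example/cb"}}


class AuthCodeStore:
    """Minimal authorization-code store shared by both redemption variants."""

    def __init__(self):
        self.codes = {}   # code -> record of the client/user it was issued for
        self.audit = []   # client-mismatch events a detection pipeline would consume

    def issue(self, client_id, user_id, ttl=60):
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "user_id": user_id,
                            "redirect_uri": CLIENTS[client_id]["redirect_uri"],
                            "expires": time.time() + ttl}
        return code

    def redeem_unbound(self, code, authed_client_id):
        """Vulnerable pattern: any authenticated client can redeem any valid code."""
        rec = self.codes.pop(code, None)
        if rec is None or rec["expires"] < time.time():
            return None
        # Token is minted for the redeeming client, not the client the user consented to.
        return {"sub": rec["user_id"], "client_id": authed_client_id}

    def redeem_bound(self, code, authed_client_id, redirect_uri):
        """Hardened pattern: the code must have been issued to the redeeming client
        and to the same redirect_uri (RFC 6749 section 4.1.3); codes are single use."""
        rec = self.codes.pop(code, None)  # consumed on first attempt, valid or not
        if rec is None or rec["expires"] < time.time():
            return None
        if rec["client_id"] != authed_client_id or rec["redirect_uri"] != redirect_uri:
            # Mismatch: refuse, and record the event for log-based detection.
            self.audit.append({"event": "authz_code_client_mismatch",
                               "issued_to": rec["client_id"],
                               "presented_by": authed_client_id,
                               "redirect_uri": redirect_uri})
            return None
        return {"sub": rec["user_id"], "client_id": rec["client_id"]}
```

The audit record is the signal worth alerting on: a code issued to one client and presented by another should never occur in a healthy deployment.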
Evidence notes
This debrief is based only on the supplied NVD record and the referenced Mattermost security updates URL. The corpus does not include the full vendor advisory text, so implementation details beyond the CVE description are not asserted here. Vendor/product naming in the source metadata is marked low confidence and needs review, though the CVE description itself identifies Mattermost and affected versions.
Official resources
- CVE-2026-6334 CVE record (CVE.org)
- CVE-2026-6334 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: Published on 2026-05-18. The supplied source corpus provides the CVE record and a vendor security-updates reference, but not a separate full advisory text.