PatchSiren cyber security CVE debrief
CVE-2026-6341 Mattermost CVE debrief
A missing authorization check in Mattermost Plugins allows authenticated users with membership in multiple groups to bypass group-level restrictions when creating issues or attaching comments via direct API requests. The vulnerability stems from insufficient API-level validation of group permissions, enabling users to interact with locked groups they should not access. This affects Mattermost Plugins versions 11.5 and earlier, 11.1.5 and earlier, 10.13.11 and earlier, and 11.3.4.0 and earlier. The issue was disclosed by Mattermost through their security advisory process (MMSA-2026-00602) and carries a CVSS 3.1 score of 4.3 (Medium severity). The weakness is classified as CWE-863 (Incorrect Authorization). Organizations should review Mattermost's security updates for patch availability and assess their plugin configurations for group permission enforcement.
- Vendor: Mattermost
- Product: Unknown
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-18
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-18
- Advisory updated: 2026-05-18
Who should care
Mattermost administrators managing multi-group deployments, security teams monitoring collaboration platform access controls, and organizations using Mattermost Plugins for issue tracking workflows with sensitive group-based data segregation requirements.
Technical summary
The Mattermost Plugins API fails to validate group membership permissions when processing issue creation and comment attachment requests. Authenticated users belonging to multiple groups can craft direct API requests targeting locked groups, bypassing intended access restrictions that would be enforced in the user interface. The vulnerability is present in the plugin's API layer rather than the core application, affecting issue management functionality across multiple supported release branches.
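The CWE-863 pattern described above, as an added Go example (not Mattermost's code): a hypothetical issue handler that trusts the group ID in the request, beside a hardened form that re-checks stored group membership on every API call. The `Group`, `Issue` and `authorizeGroupWrite` names and the locked-group semantics are assumptions made for the illustration.

```go
package main

import "errors"

// Constructed data model for this example; it is not Mattermost's plugin model.
type Group struct {
	Locked  bool            // a locked group accepts issues and comments only from members
	Members map[string]bool // userID -> true when the user belongs to the group
}

type Issue struct{ GroupID, Author, Title string }

var ErrForbidden = errors.New("forbidden: caller is not a member of the locked group")

// vulnerableCreateIssue shows the CWE-863 pattern in the debrief: it trusts the
// group ID in the request. The UI lists only the caller's groups, but a direct
// API call can name any group, and nothing here re-checks stored membership.
func vulnerableCreateIssue(groups map[string]*Group, user, groupID, title string) (*Issue, error) {
	if _, ok := groups[groupID]; !ok {
		return nil, errors.New("no such group")
	}
	return &Issue{GroupID: groupID, Author: user, Title: title}, nil
}

// authorizeGroupWrite is the single server-side check every write path should
// share (issue creation and comment attachment alike): the decision is made from
// stored membership, never from anything the client claims about itself.
func authorizeGroupWrite(groups map[string]*Group, user, groupID string) error {
	g, ok := groups[groupID]
	if !ok {
		return errors.New("no such group")
	}
	if g.Locked && !g.Members[user] {
		return ErrForbidden
	}
	return nil
}

// createIssue is the hardened form: same inputs, but the write is refused
// unless the membership check passes, regardless of what the UI offered.
func createIssue(groups map[string]*Group, user, groupID, title string) (*Issue, error) {
	if err := authorizeGroupWrite(groups, user, groupID); err != nil {
		return nil, err
	}
	return &Issue{GroupID: groupID, Author: user, Title: title}, nil
}
```

For comment attachment the same helper is called with the group ID read from the stored issue, never from the request body, so both write paths enforce the same decision.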
Defensive priority
medium
Recommended defensive actions
- Review Mattermost security advisory MMSA-2026-00602 for detailed patch information and affected component specifics
- Upgrade Mattermost Plugins to versions beyond 11.5, 11.1.5, 10.13.11, or 11.3.4.0 as specified in vendor guidance
- Audit group permission configurations to ensure proper enforcement at both UI and API layers
- Implement API request monitoring for unusual issue creation or comment attachment patterns targeting locked groups
- Verify that custom integrations or automation using Mattermost APIs respect group-level access controls
Evidence notes
Vulnerability description and advisory ID MMSA-2026-00602 sourced from official CVE record and NVD entry. CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N confirms network attack vector with low attack complexity, requiring low privileges and no user interaction, with impact limited to integrity. CWE-863 classification provided by [email protected]. Affected versions explicitly enumerated in CVE description.
Official resources
- CVE-2026-6341 CVE record (CVE.org)
- CVE-2026-6341 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-18