PatchSiren cyber security CVE debrief
CVE-2026-6343 Mattermost CVE debrief
CVE-2026-6343 is a Mattermost authorization issue published on 2026-05-18. According to the vendor/NVD record, certain Mattermost Server versions fail to correctly enforce public/private permissions, which can allow users without those permissions to access public playbooks through the /get endpoint. NVD rates the issue CVSS 3.1 4.3 (Medium), with low-privilege, network-reachable access and a confidentiality impact limited to low. The affected ranges listed in the record are 10.11.0 through 10.11.13, 11.4.0 through 11.4.3, and 11.5.0 through 11.5.1, with fixes indicated in later patch releases.
- Vendor: Mattermost
- Product: Mattermost Server
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-18
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-18
- Advisory updated: 2026-05-18
Who should care
Mattermost administrators, security teams, and any organization using Mattermost Server playbooks should review this advisory, especially if users outside the intended permission set can view playbook content or if playbook access controls are relied on for internal process segregation.
Technical summary
The issue is classified as CWE-863 (incorrect authorization). In the affected Mattermost Server versions, access control checks for public/private playbook permissions are incomplete, allowing a user who lacks the intended permission to reach public playbooks via /get. The official record identifies this as a network-accessible issue requiring low privileges and no user interaction, but with only low confidentiality impact and no integrity or availability impact listed in the CVSS vector.
Defensive priority
Medium. The score is moderate and the impact is limited, but the flaw directly affects authorization boundaries. Prioritize remediation if playbooks contain operational, internal, or sensitive process information.
Recommended defensive actions
- Upgrade Mattermost Server to a fixed release outside the affected ranges listed in the advisory.
- Verify that playbook public/private permission settings match your intended access model after upgrading.
- Review any workflows or integrations that rely on /get playbook access to confirm they do not expose content broadly.
- Check authorization and access-control logs for unexpected playbook retrieval activity around the affected endpoint.
- If immediate upgrading is not possible, restrict Mattermost access to trusted users and networks until remediation is complete.
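The first action above depends on knowing which deployed versions sit inside the affected ranges. The following Python helper is an added example, not part of the debrief or of Mattermost's own tooling: it encodes the three ranges from the NVD record and triages a constructed host inventory against them.

```python
"""Check Mattermost Server versions against the CVE-2026-6343 affected ranges.

Added example (not vendor code). The ranges are those listed in the NVD
record quoted in the debrief; the sample inventory below is constructed.
"""
from __future__ import annotations

import re

# Affected ranges from the NVD record: (first affected, last affected), inclusive.
AFFECTED_RANGES = (
    ((10, 11, 0), (10, 11, 13)),
    ((11, 4, 0), (11, 4, 3)),
    ((11, 5, 0), (11, 5, 1)),
)

# Accepts "v11.4.2", "11.4.2" and pre-release suffixes such as "11.4.2-rc1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a Mattermost version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Mattermost version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """Return True when the version lies inside any listed affected range (inclusive)."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a host->version inventory into hosts needing an upgrade and hosts clear.

    "clear" only means the version is outside the ranges the record lists;
    it says nothing about other advisories or end-of-life branches.
    """
    result: dict[str, list[str]] = {"upgrade": [], "clear": []}
    for host, version in sorted(inventory.items()):
        result["upgrade" if is_affected(version) else "clear"].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory, e.g. gathered from `mattermost version` per host.
    sample = {
        "chat-prod-1": "v11.4.3",
        "chat-prod-2": "11.5.2",
        "chat-staging": "10.11.13-rc2",
        "chat-legacy": "10.10.9",
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```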
Evidence notes
Evidence is limited to the official CVE/NVD record and the vendor advisory link. The NVD entry lists Mattermost Server as affected, gives the vulnerable version ranges, and tags the weakness as CWE-863. The CVE was published on 2026-05-18 and modified later the same day; no KEV inclusion is indicated in the supplied data.
Official resources
- CVE-2026-6343 CVE record (CVE.org)
- CVE-2026-6343 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Vendor Advisory
Vendor-advised and officially recorded on 2026-05-18. The supplied data references Mattermost's security updates page and an NVD entry marked Analyzed; no known exploitation or KEV listing is included in the provided corpus.