PatchSiren cyber security CVE debrief
CVE-2026-7184 Mattermost CVE debrief
CVE-2026-7184 is a medium-severity vulnerability in Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.15. The issue allows an attacker with the manage_secure_connections permission to obtain remote cluster authentication tokens via a PATCH request to the remote cluster endpoint due to a failure to sanitize the Remote Cluster API response on PATCH operations.
- Vendor: Mattermost
- Product: Unknown
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Operators of Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.15, especially deployments where accounts hold the manage_secure_connections permission.
Technical summary
The vulnerability has a CVSS score of 6.5 and is classified as CWE-201. Mattermost has provided an advisory (MMSA-2026-00662) for this issue.
Defensive priority
Medium
Recommended defensive actions
- Update to a patched version of Mattermost: 11.6.2 or later, 11.5.5 or later, and 10.11.16 or later.
- Restrict the manage_secure_connections permission to only trusted users.
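The affected and fixed versions listed above can be checked against a server inventory. This is an added example, not code from the advisory or from Mattermost; the function names and the sample inventory (hostnames and versions) are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Ranges from this page: (major, minor) -> (last affected patch, first fixed patch).
AFFECTED = {
    (11, 6): (1, 2),
    (11, 5): (4, 5),
    (10, 11): (15, 16),
}

# Accepts "11.6.1", "v11.6.1", "11.6.1-rc1"; build/pre-release suffixes are ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def triage(version: str) -> Tuple[str, Optional[str]]:
    """Classify a Mattermost server version against CVE-2026-7184.

    Returns (status, fixed_version); status is 'affected', 'patched',
    'not-listed' or 'unparseable'.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return ("unparseable", None)
    major, minor, patch = (int(g) for g in m.groups())
    branch = AFFECTED.get((major, minor))
    if branch is None:
        # The page says nothing about other branches: flag for manual
        # review instead of reporting them as safe.
        return ("not-listed", None)
    last_affected, first_fixed = branch
    fixed = f"{major}.{minor}.{first_fixed}"
    return ("affected" if patch <= last_affected else "patched", fixed)


def needs_action(inventory: Dict[str, str]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Return (host, version, status, fixed_version) for every host not confirmed patched."""
    rows = [(host, ver) + triage(ver) for host, ver in sorted(inventory.items())]
    return [row for row in rows if row[2] != "patched"]


# Constructed sample inventory: hostname -> reported server version.
SAMPLE_INVENTORY = {
    "chat-a.example.internal": "11.6.1",
    "chat-b.example.internal": "11.5.5",
    "chat-c.example.internal": "10.11.9",
    "chat-d.example.internal": "9.11.2",
}

if __name__ == "__main__":
    for host, ver, status, fixed in needs_action(SAMPLE_INVENTORY):
        print(f"{host}: {ver} -> {status}" + (f", upgrade to {fixed} or later" if fixed else ""))
```

Hosts reported as `not-listed` are on a release branch this page does not mention, so they need a manual check against the vendor advisory.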
Evidence notes
The CVE was published and modified on 2026-06-12T17:16:27.530Z. The vendor is identified as Unknown Vendor with low confidence, but evidence suggests it is Mattermost.
Official resources
- CVE-2026-7184 CVE record (CVE.org)
- CVE-2026-7184 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference: CVE-2026-7184 was published on 2026-06-12T17:16:27.530Z.