PatchSiren cyber security CVE debrief

CVE-2026-9162 Mattermost CVE debrief

CVE-2026-9162 is a medium-severity vulnerability affecting Mattermost Server versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, and 10.11.x <= 10.11.17. The issue arises because cached authentication state for active WebSocket connections is not invalidated during global session revocation. A user who holds an existing WebSocket connection therefore remains authenticated on that connection and continues receiving real-time events until the cached session expires or the client reconnects. The vulnerability has a CVSS score of 4.3 and is classified as CWE-613 (Insufficient Session Expiration). Mattermost has published a vendor advisory with mitigation guidance.

Vendor: Mattermost
Product: Mattermost Server
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-22
Original CVE updated: 2026-06-23
Advisory published: 2026-06-22
Advisory updated: 2026-06-23

Who should care

Administrators and users of Mattermost Server versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, and 10.11.x <= 10.11.17 should be aware of this vulnerability and mitigate it by applying the patches or updates provided by Mattermost and by ensuring that WebSocket connections are properly invalidated during session revocation.

Technical summary

The vulnerability is caused by the failure to invalidate cached authentication state for active WebSocket connections during global session revocation. An attacker who already holds an established WebSocket connection can therefore keep receiving real-time events after the session has been revoked, without re-authenticating. The issue affects multiple versions of Mattermost Server, including 11.7.x, 11.6.x, 11.5.x, and 10.11.x. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (network-reachable, low attack complexity, low privileges required, no user interaction, low confidentiality impact, no integrity or availability impact).
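As an added illustration for this debrief (not code from the advisory or from Mattermost's code base), the Go model below shows the weakness class: a hub that trusts an authentication decision cached at WebSocket upgrade time keeps delivering events after the session is revoked, while one that re-checks the live session store on every dispatch cuts the stale connection off. All names (SessionStore, Hub, Conn, the "sess-1" session id) are hypothetical.

```go
package main

import "fmt"

// Hypothetical model of the weakness class behind CVE-2026-9162 (CWE-613), written for
// this debrief and not taken from Mattermost: the WebSocket layer caches its auth
// decision at upgrade time, so clearing the session table alone does not cut it off.
type SessionStore struct{ valid map[string]bool } // authoritative live-session table
func (s *SessionStore) Revoke(id string)       { delete(s.valid, id) } // global revocation
func (s *SessionStore) IsValid(id string) bool { return s.valid[id] }
// Conn is one WebSocket connection; cachedOK was decided once at the handshake.
type Conn struct {
	SessionID string
	cachedOK  bool
	Delivered []string // events the client actually received
}
// Hub fans events out. revalidate=false trusts the cached decision (vulnerable path);
// revalidate=true consults the live session table on every dispatch (fixed path).
type Hub struct {
	store      *SessionStore
	conns      []*Conn
	revalidate bool
}
func (h *Hub) Connect(sessionID string) *Conn {
	c := &Conn{SessionID: sessionID, cachedOK: h.store.IsValid(sessionID)}
	h.conns = append(h.conns, c)
	return c
}
func (h *Hub) Broadcast(ev string) {
	for _, c := range h.conns {
		ok := c.cachedOK
		if h.revalidate {
			ok = h.store.IsValid(c.SessionID) // revoked sessions drop out here
		}
		if ok {
			c.Delivered = append(c.Delivered, ev)
		}
	}
}
// EventsAfterRevocation connects a client, revokes its session, broadcasts one event
// and returns how many events the revoked connection still received (1 vs 0).
func EventsAfterRevocation(revalidate bool) int {
	store := &SessionStore{valid: map[string]bool{"sess-1": true}} // constructed session id
	hub := &Hub{store: store, revalidate: revalidate}
	c := hub.Connect("sess-1")
	store.Revoke("sess-1")
	hub.Broadcast("posted")
	return len(c.Delivered)
}
func main() {
	fmt.Println("cached auth:", EventsAfterRevocation(false), "live check:", EventsAfterRevocation(true))
}
```

The same effect is obtained by having the revocation path close every WebSocket connection bound to the revoked sessions; the model uses a per-dispatch check because it keeps the two behaviours side by side.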

Defensive priority

Medium priority should be given to patching or updating affected Mattermost Server versions. Administrators should ensure that WebSocket connections are properly invalidated during session revocation and consider implementing additional security measures to prevent exploitation.

Recommended defensive actions

  • Apply patches or updates provided by Mattermost to fix the vulnerability.
  • Ensure that WebSocket connections are properly invalidated during session revocation.
  • Monitor WebSocket connections for suspicious activity.
  • Implement additional security measures to prevent exploitation, such as WebSocket connection validation.
  • Review and update incident response plans to address potential exploitation.

Evidence notes

The vulnerability is documented in the CVE-2026-9162 record and the Mattermost Advisory ID: MMSA-2026-00664. The NVD provides detailed information on the vulnerability, including its CVSS score and vector. The vendor advisory is available on the Mattermost website.

Official resources

This article is AI-assisted and based on the supplied source corpus.