Mattermost doesn't validate whether users were correctly owned by the correct Connected Workspace

GHSA-mxxh-fmjq-j6x4 · CVE-2026-27769

Published Apr 17, 2026 · Modified May 5, 2026

Description

Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Workspaces feature to change the displayed status of local users via the Connected Workspaces API. Mattermost Advisory ID: MMSA-2026-00603.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-27769
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes