CVE Catalog

CVE-2026-6046

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

8th percentile — higher than 8% of all known CVEs

Summary

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account. This allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels by pre-registering a user account with a predictable plugin bot username.

Risk Assessment

An attacker could gain access to private messages, leading to a breach of data confidentiality and potential information leaks within the organization.

Recommendation

It is recommended to update Mattermost to the latest version to mitigate this vulnerability and implement additional verification mechanisms for bot accounts.

Original NVD description (English source)

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels by pre-registering a user account with a predictable plugin bot username.. Mattermost Advisory ID: MMSA-2026-00649

Vulnerability data from NVD (NIST) · CISA KEV · EPSS