CVE-2026-6062
MediumCVSS 6.4Exploitation Probability (EPSS)
Low risk5th percentile — higher than 5% of all known CVEs
Summary
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, and 10.11.x <= 10.11.17 fail to validate channel ownership of an existing subscription before applying edits. This allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT request to the subscription edit endpoint.
Risk Assessment
An attacker could gain access to subscriptions, leading to unauthorized access to information and potential breaches of user privacy.
Recommendation
It is recommended to update Mattermost to the latest version to mitigate this vulnerability and implement additional channel ownership verification mechanisms.
Original NVD description (English source)
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 Fail to validate channel ownership of an existing subscription before applying edits which allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT request to the subscription edit endpoint.. Mattermost Advisory ID: MMSA-2026-00650

