CVE Catalog

CVE-2026-6062

MediumCVSS 6.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

5th percentile — higher than 5% of all known CVEs

Summary

Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, and 10.11.x <= 10.11.17 fail to validate channel ownership of an existing subscription before applying edits. This allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT request to the subscription edit endpoint.

Risk Assessment

An attacker could gain access to subscriptions, leading to unauthorized access to information and potential breaches of user privacy.

Recommendation

It is recommended to update Mattermost to the latest version to mitigate this vulnerability and implement additional channel ownership verification mechanisms.

Original NVD description (English source)

Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 Fail to validate channel ownership of an existing subscription before applying edits which allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT request to the subscription edit endpoint.. Mattermost Advisory ID: MMSA-2026-00650

Vulnerability data from NVD (NIST) · CISA KEV · EPSS