CVE-2026-6062 · Symaro Security Advisory

Description

Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 Fail to validate channel ownership of an existing subscription before applying edits which allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT request to the subscription edit endpoint.. Mattermost Advisory ID: MMSA-2026-00650

Severity (CVSS)

Base score	6.4
Severity	Medium
Version	CVSS 3.1
Vector	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
Provided by	CNA

Weaknesses

CWE-639 — CWE-639: Authorization Bypass Through User-Controlled Key

Affected products

Vendor	Product	Versions
Mattermost	Mattermost	11.7.0 to <=11.7.0; 11.6.0 to <=11.6.2; 11.5.0 to <=11.5.5; 10.11.0 to <=10.11.17; 11.8.0; 11.7.1; 11.6.3; 11.5.6; 10.11.18

References

https://mattermost.com/security-updates (vendor-advisory)

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 22 Jun 2026 14:43 UTC.