CVE-2026-6673 · Symaro Security Advisory

Description

Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira integration via POST to /ac/installed during the pending-install window.. Mattermost Advisory ID: MMSA-2026-00654

Severity (CVSS)

Base score	6.4
Severity	Medium
Version	CVSS 3.1
Vector	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H
Provided by	CNA

Weaknesses

CWE-306 — CWE-306: Missing Authentication for Critical Function

Affected products

Vendor	Product	Versions
Mattermost	Mattermost	11.7.0 to <=11.7.0; 11.6.0 to <=11.6.2; 11.5.0 to <=11.5.5; 10.11.0 to <=10.11.17; 11.8.0; 11.7.1; 11.6.3; 11.5.6; 10.11.18

References

https://mattermost.com/security-updates (vendor-advisory)

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 22 Jun 2026 14:43 UTC.