CVE-2026-9162 · Symaro Security Advisory

Description

Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation, which allows a user with an existing WebSocket connection to remain authenticated and continue receiving real-time events until the cached session expires or the client reconnects.. Mattermost Advisory ID: MMSA-2026-00664

Severity (CVSS)

Base score	4.3
Severity	Medium
Version	CVSS 3.1
Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Provided by	CNA

Weaknesses

CWE-613 — CWE-613: Insufficient Session Expiration

Affected products

Vendor	Product	Versions
Mattermost	Mattermost	11.7.0 to <=11.7.0; 11.6.0 to <=11.6.2; 11.5.0 to <=11.5.5; 10.11.0 to <=10.11.17; 11.8.0; 11.7.1; 11.6.3; 11.5.6; 10.11.18

References

https://mattermost.com/security-updates (vendor-advisory)

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 22 Jun 2026 14:43 UTC.