VYPR
Vypr Intelligence · AI-generated · Jun 22, 2026 · 6 CVEs

Mattermost: Six Vulnerabilities in User Management, Plugins, and Sessions Disclosed Together

Six vulnerabilities disclosed in Mattermost on June 22, 2026, affecting user management, plugins, and session handling across multiple versions.

Key findings

  • Six Mattermost vulnerabilities disclosed on June 22, 2026, impacting core platform and plugins.
  • Improper permission checks allow User Managers to demote or deactivate bot accounts (CVE-2026-8823, CVE-2026-8074).
  • Jira plugin vulnerabilities include IDOR in subscription edits and unauthenticated callbacks (CVE-2026-6062, CVE-2026-6673).
  • Global session revocation fails to invalidate existing WebSocket connections, so a user whose sessions were revoked keeps receiving real-time data over them (CVE-2026-9162).
  • GitLab plugin allows non-admins to modify default instance configuration (CVE-2026-5139).
  • Multiple versions affected, including 11.7.x, 11.6.x, 11.5.x, and 10.11.x.

On June 22, 2026, Mattermost released security advisories detailing six vulnerabilities discovered in its platform and associated plugins. These vulnerabilities, disclosed on the same day, span various components including user management, plugin integrations, and session handling, with several affecting multiple product versions. The disclosures highlight potential risks ranging from unauthorized account manipulation to hijacked plugin subscriptions and disrupted integrations.

Two vulnerabilities, CVE-2026-8823 and CVE-2026-8074, stem from improper permission checks in user management. The User Manager role has user-management write access but not integration-management permissions, yet it can demote bot accounts to guest status or deactivate them entirely. Because a bot is stored like any other user account, the user-management check alone is enough to act on it, so a lower-privileged administrator can manipulate bot accounts in ways that should require the higher integration-management privilege. These issues affect versions 11.7.x up to 11.7.0 and 10.11.x up to 10.11.17.
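The gap described above, as an added Go sketch rather than Mattermost's own code: the permission names, the role model and the demote/deactivate functions are assumptions made for the illustration. The vulnerable check consults only the user-management right; the hardened one additionally requires a bot-management right whenever the target account is a bot, so the two operations reject a User Manager who lacks it while still allowing an administrator who holds both.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustrative permission names, not Mattermost's own identifiers.
const (
	PermManageUsers = "manage_users" // assumed to be held by the User Manager role
	PermManageBots  = "manage_bots"  // assumed integration-management right the role lacks
)

var ErrForbidden = errors.New("forbidden")

// Principal is the caller; Perms is the set of permissions its roles grant.
type Principal struct {
	ID    string
	Perms map[string]bool
}

// Account is the target of the change; bots are ordinary accounts with IsBot set.
type Account struct {
	ID     string
	IsBot  bool
	Role   string // "system_user" or "system_guest"
	Active bool
}

// authorizeVulnerable checks only that the caller may manage users. Because bot
// accounts are stored like any other user, this lets a User Manager demote or
// deactivate a bot without holding any integration-management permission.
func authorizeVulnerable(actor Principal, target *Account) error {
	if !actor.Perms[PermManageUsers] {
		return ErrForbidden
	}
	return nil
}

// authorizeHardened keeps the user-management check and, when the target is a
// bot, additionally requires the bot-management permission.
func authorizeHardened(actor Principal, target *Account) error {
	if !actor.Perms[PermManageUsers] {
		return ErrForbidden
	}
	if target.IsBot && !actor.Perms[PermManageBots] {
		return ErrForbidden
	}
	return nil
}

type authzFunc func(Principal, *Account) error

// demote converts the target to a guest account after the given authorization check.
func demote(authz authzFunc, actor Principal, target *Account) error {
	if err := authz(actor, target); err != nil {
		return err
	}
	target.Role = "system_guest"
	return nil
}

// deactivate disables the target account after the given authorization check.
func deactivate(authz authzFunc, actor Principal, target *Account) error {
	if err := authz(actor, target); err != nil {
		return err
	}
	target.Active = false
	return nil
}

func main() {
	// Constructed scenario: a User Manager acting on a bot account.
	userManager := Principal{ID: "um", Perms: map[string]bool{PermManageUsers: true}}
	bot := &Account{ID: "bot", IsBot: true, Role: "system_user", Active: true}
	fmt.Println("vulnerable demote:", demote(authorizeVulnerable, userManager, bot), bot.Role)
	bot = &Account{ID: "bot", IsBot: true, Role: "system_user", Active: true}
	fmt.Println("hardened demote:  ", demote(authorizeHardened, userManager, bot), bot.Role)
}
```

The point to carry over to any real code base is that the authorization decision has to look at what the target is, not only at which endpoint was called: a single "can manage users" gate is correct for human accounts and wrong for bots.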

The Jira plugin is implicated in two separate vulnerabilities. CVE-2026-6062 describes an Insecure Direct Object Reference (IDOR) vulnerability in the subscription edit endpoint. This flaw allows an authenticated attacker to hijack subscriptions from channels they do not have access to by sending a crafted PUT request. Additionally, CVE-2026-6673 points to an unauthenticated lifecycle callback vulnerability in the Jira plugin during pending Jira Cloud installations. This could allow a remote attacker to inject a rogue shared secret, disrupting the Jira integration. Both Jira plugin vulnerabilities affect Mattermost versions 11.7.x up to 11.7.0, 11.6.x up to 11.6.2, 11.5.x up to 11.5.5, and 10.11.x up to 10.11.17.
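The object-level check that the subscription edit endpoint needs, shown as an added Go example rather than the Jira plugin's own code. The in-memory store, channel and user names, endpoint path and the use of a `Mattermost-User-Id` request header for the caller's identity are assumptions made for the illustration. The vulnerable variant looks the subscription up by the ID in the PUT body and writes whatever the caller sent; the hardened variant resolves the object first, authorizes against the channel it currently belongs to, and separately authorizes the destination channel so the subscription cannot be re-pointed at a channel the caller controls.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

var (
	ErrNotFound  = errors.New("subscription not found")
	ErrForbidden = errors.New("forbidden")
)

// Subscription ties a Jira filter to the channel that receives its notifications.
type Subscription struct {
	ID        string `json:"id"`
	ChannelID string `json:"channel_id"`
	Filters   string `json:"filters"`
}

// Store stands in for the plugin's subscription storage plus the server's
// channel membership; both hold constructed sample data.
type Store struct {
	subs    map[string]*Subscription
	members map[string]map[string]bool // channelID -> userID -> is member
}

func (s *Store) isMember(userID, channelID string) bool { return s.members[channelID][userID] }

// editVulnerable trusts the client-supplied ID: any authenticated user who learns
// an ID can rewrite the subscription, including moving it to their own channel.
func (s *Store) editVulnerable(userID string, req Subscription) error {
	sub, ok := s.subs[req.ID]
	if !ok {
		return ErrNotFound
	}
	sub.ChannelID, sub.Filters = req.ChannelID, req.Filters
	return nil
}

// editHardened resolves the object, then authorizes against its current channel
// and against the destination channel. A subscription the caller may not see is
// reported exactly like a missing one, so the endpoint does not confirm which IDs exist.
func (s *Store) editHardened(userID string, req Subscription) error {
	sub, ok := s.subs[req.ID]
	if !ok || !s.isMember(userID, sub.ChannelID) {
		return ErrNotFound
	}
	if !s.isMember(userID, req.ChannelID) {
		return ErrForbidden
	}
	sub.ChannelID, sub.Filters = req.ChannelID, req.Filters
	return nil
}

// handlePut is the HTTP edge. The caller's identity comes from a header assumed
// to be set by the server when it proxies to the plugin, never from the body.
func (s *Store) handlePut(edit func(string, Subscription) error) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		userID := r.Header.Get("Mattermost-User-Id")
		if r.Method != http.MethodPut || userID == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		var req Subscription
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		switch err := edit(userID, req); {
		case err == nil:
			w.WriteHeader(http.StatusOK)
		case errors.Is(err, ErrNotFound):
			http.Error(w, err.Error(), http.StatusNotFound)
		default:
			http.Error(w, err.Error(), http.StatusForbidden)
		}
	}
}

// newStore builds the constructed scenario: alice's private channel owns sub-1;
// mallory is authenticated but only a member of her own channel.
func newStore() *Store {
	return &Store{
		subs: map[string]*Subscription{"sub-1": {ID: "sub-1", ChannelID: "private-ops", Filters: "project=OPS"}},
		members: map[string]map[string]bool{
			"private-ops": {"alice": true},
			"attacker-ch": {"mallory": true},
		},
	}
}

// put drives the handler in-process and returns the HTTP status code.
func put(s *Store, edit func(string, Subscription) error, userID, body string) int {
	req := httptest.NewRequest(http.MethodPut, "/subscriptions", strings.NewReader(body))
	req.Header.Set("Mattermost-User-Id", userID)
	rec := httptest.NewRecorder()
	s.handlePut(edit)(rec, req)
	return rec.Code
}

func main() {
	hijack := `{"id":"sub-1","channel_id":"attacker-ch","filters":"project=OPS"}`
	s := newStore()
	fmt.Println("vulnerable:", put(s, s.editVulnerable, "mallory", hijack), s.subs["sub-1"].ChannelID)
	s = newStore()
	fmt.Println("hardened:  ", put(s, s.editHardened, "mallory", hijack), s.subs["sub-1"].ChannelID)
}
```

Two design choices are worth keeping even outside this toy: authorization is evaluated after the object is loaded, because the channel to check is a property of the object rather than of the request, and a denied lookup returns the same status as a missing ID so the endpoint cannot be used to enumerate subscription IDs.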

Further impacting user sessions and integrations, CVE-2026-9162 addresses a flaw in which global session revocation fails to invalidate a user's active WebSocket connections. A user whose sessions have been revoked therefore remains authenticated on those connections and continues to receive real-time data for as long as they stay open, so the revocation that an administrator performs in response to a compromised or departing account does not fully take effect. This affects the same broad range of versions as the Jira plugin issues. The GitLab plugin is also affected by CVE-2026-5139, where non-administrator users can modify the default instance configuration via the /gitlab connect command, overwriting global settings without proper authorization.
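Why deleting sessions from a store is not the same as ending the connections those sessions authenticated, as an added Go model (not Mattermost's implementation; the hub, session and connection types and their method names are assumptions). The vulnerable revocation path removes the sessions but leaves the hub untouched, and the vulnerable delivery path trusts the authentication performed at WebSocket upgrade, so a pre-existing connection keeps receiving events. The hardened path closes every connection bound to a revoked session and, as defence in depth, re-validates the session before each delivery.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrNotAuthenticated = errors.New("connection is not authenticated")

// Session is a server-side login record; revoking it should end everything it authorized.
type Session struct{ ID, UserID string }

// Conn models one WebSocket connection. Authentication happens once, at upgrade,
// so the connection carries only the ID of the session that was valid at that time.
type Conn struct {
	SessionID string
	Closed    bool
	Inbox     []string // events delivered on this connection
}

// Hub holds the sessions and the live connections bound to each of them.
// Locking is omitted to keep the model short; a real hub is concurrent.
type Hub struct {
	sessions map[string]*Session
	conns    map[string][]*Conn // sessionID -> connections opened with it
}

func NewHub() *Hub {
	return &Hub{sessions: map[string]*Session{}, conns: map[string][]*Conn{}}
}

func (h *Hub) Login(userID, sessionID string) {
	h.sessions[sessionID] = &Session{ID: sessionID, UserID: userID}
}

// Connect is the upgrade step: the session must be valid now, but nothing here
// ties the connection's lifetime to the session's.
func (h *Hub) Connect(sessionID string) (*Conn, error) {
	if _, ok := h.sessions[sessionID]; !ok {
		return nil, ErrNotAuthenticated
	}
	c := &Conn{SessionID: sessionID}
	h.conns[sessionID] = append(h.conns[sessionID], c)
	return c, nil
}

// revokeSessions deletes the user's sessions from the store and returns their IDs.
func (h *Hub) revokeSessions(userID string) []string {
	var ids []string
	for id, s := range h.sessions {
		if s.UserID == userID {
			delete(h.sessions, id)
			ids = append(ids, id)
		}
	}
	return ids
}

// RevokeAllVulnerable removes the sessions from the store but never tells the
// hub, so a client that connected before revocation keeps its socket.
func (h *Hub) RevokeAllVulnerable(userID string) { h.revokeSessions(userID) }

// RevokeAll removes the sessions and closes every connection bound to them.
func (h *Hub) RevokeAll(userID string) (closed int) {
	for _, id := range h.revokeSessions(userID) {
		for _, c := range h.conns[id] {
			c.Closed = true
			closed++
		}
		delete(h.conns, id)
	}
	return closed
}

// DeliverVulnerable trusts the upgrade-time authentication: only a connection
// that was explicitly closed is refused, so a revoked user still receives events.
func (h *Hub) DeliverVulnerable(c *Conn, event string) error {
	if c.Closed {
		return ErrNotAuthenticated
	}
	c.Inbox = append(c.Inbox, event)
	return nil
}

// Deliver re-checks that the session behind the connection still exists before
// sending, so even a connection the revocation path missed stops receiving.
func (h *Hub) Deliver(c *Conn, event string) error {
	if _, ok := h.sessions[c.SessionID]; !ok || c.Closed {
		c.Closed = true
		return ErrNotAuthenticated
	}
	c.Inbox = append(c.Inbox, event)
	return nil
}

func main() {
	h := NewHub()
	h.Login("alice", "s1")
	c, _ := h.Connect("s1")
	h.RevokeAllVulnerable("alice")
	fmt.Println("store-only revocation, vulnerable delivery:  ", h.DeliverVulnerable(c, "post"))
	fmt.Println("store-only revocation, revalidating delivery:", h.Deliver(c, "post"))
}
```

When checking a real deployment for this class of bug, the test is behavioural rather than code-level: revoke all sessions for an account from an administrator session while a second client for that account holds an open WebSocket, then post in a channel the account can read and observe whether the stale client still receives the event.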

Mattermost has addressed these vulnerabilities in updated releases. For most of the issues the affected versions are 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, and 10.11.x <= 10.11.17, with the exact range for each issue given in its advisory. Administrators are strongly advised to update to the patched versions to mitigate these risks.

This batch of disclosures underscores the importance of rigorous permission validation and secure handling of plugin integrations and user sessions within collaborative platforms like Mattermost. Users should prioritize applying the available patches to safeguard their instances against unauthorized access and data manipulation.

The Mattermost advisories, MMSA-2026-00669 and related notices, provide detailed information on the affected versions and the necessary steps for remediation.

CVE-2026-8823, CVE-2026-6062, CVE-2026-6673, CVE-2026-8074, CVE-2026-9162, CVE-2026-5139.

AI-written article. Grounded in 6 CVE records listed below.