Low severity2.7NVD Advisory· Published Apr 15, 2026· Updated Apr 22, 2026

CVE-2026-27769

Description

Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Workspaces feature to change the displayed status of local users via the Connected Workspaces API.. Mattermost Advisory ID: MMSA-2026-00603

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/mattermost/mattermost-serverGo	>= 8.0.0-20250721062209-4952acea88ce, < 8.0.0-20260316060126-bc1a2b34b1f9	8.0.0-20260316060126-bc1a2b34b1f9

Affected products

Mattermost/Mattermost Server
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Range: >=10.11.0,<10.11.13

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-mxxh-fmjq-j6x4ghsaADVISORY
mattermost.com/security-updatesnvdVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2026-27769ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.176
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000