Medium severity (CVSS 4.3) · NVD Advisory · Published May 18, 2026 · Updated May 19, 2026
CVE-2026-28732
Description
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 and 11.4.x <= 11.4.3 fail to enforce slash command trigger-word uniqueness during command updates. This allows an authenticated team member with the Manage Own Slash Commands permission to hijack and impersonate existing system or custom slash commands by editing their own slash command's trigger to an already-registered trigger through the command update API. Mattermost Advisory ID: MMSA-2026-00597
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/mattermost/mattermost/server/v8 | Go | >= 11.5.0, < 11.5.2 | 11.5.2 |
| github.com/mattermost/mattermost/server/v8 | Go | >= 10.11.0, < 10.11.14 | 10.11.14 |
| github.com/mattermost/mattermost/server/v8 | Go | >= 11.4.0, < 11.4.4 | 11.4.4 |
| github.com/mattermost/mattermost/server/v8 | Go | < 8.0.0-20260306123948-f5fe8ded6b63 | 8.0.0-20260306123948-f5fe8ded6b63 |
| github.com/mattermost/mattermost-server | Go | < 5.3.2-0.20260306123948-f5fe8ded6b63 | 5.3.2-0.20260306123948-f5fe8ded6b63 |
Affected products
- cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (range: >= 10.11.0, < 10.11.14)
- (no CPE) (range: >= 11.5.0, <= 11.5.1 OR >= 10.11.0, <= 10.11.13 OR >= 11.4.0, <= 11.4.3)
References
- github.com/advisories/GHSA-wvcv-9xpm-7mqc (GHSA, advisory)
- mattermost.com/security-updates (NVD, vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-28732 (GHSA, advisory)
- github.com/mattermost/mattermost/commit/f5fe8ded6b633db7804ae25b42ea12ce635d6ea6 (GHSA, fix commit)