VYPR

Medium severity (CVSS 4.3) · NVD Advisory · Published May 18, 2026 · Updated May 19, 2026

CVE-2026-28732

Description

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, and 11.4.x <= 11.4.3 fail to enforce slash command trigger-word uniqueness during command updates. This allows an authenticated team member with the Manage Own Slash Commands permission to hijack and impersonate existing system or custom slash commands by editing their own slash command's trigger to an already-registered trigger through the command update API. Mattermost Advisory ID: MMSA-2026-00597

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
github.com/mattermost/mattermost/server/v8 | Go | >= 11.5.0, < 11.5.2 | 11.5.2
github.com/mattermost/mattermost/server/v8 | Go | >= 10.11.0, < 10.11.14 | 10.11.14
github.com/mattermost/mattermost/server/v8 | Go | >= 11.4.0, < 11.4.4 | 11.4.4
github.com/mattermost/mattermost/server/v8 | Go | < 8.0.0-20260306123948-f5fe8ded6b63 | 8.0.0-20260306123948-f5fe8ded6b63
github.com/mattermost/mattermost-server | Go | < 5.3.2-0.20260306123948-f5fe8ded6b63 | 5.3.2-0.20260306123948-f5fe8ded6b63

Affected products (2)

  • cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (range: >= 10.11.0, < 10.11.14)
  • (no CPE) range: >= 11.5.0, <= 11.5.1 OR >= 10.11.0, <= 10.11.13 OR >= 11.4.0, <= 11.4.3

References (4)

News mentions (0)

No linked articles in our index yet.