CVE-2026-5163
Description
Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites, which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite endpoint. Mattermost Advisory ID: MMSA-2026-00645
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mattermost fails to verify channel membership during AI-assisted message rewrites, allowing authenticated attackers to read private thread content.
Vulnerability
Overview
CVE-2026-5163 is a medium-severity vulnerability in Mattermost versions 11.5.x up to and including 11.5.1. The application fails to verify channel membership when processing AI-assisted message rewrites. This missing authorization check allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to by sending a crafted request to the post rewrite endpoint [1].
Exploitation
An attacker must be authenticated to the Mattermost instance. No special privileges are required beyond a valid user account. The attack is carried out by crafting a request to the post rewrite endpoint that references a thread in a private channel or direct message conversation the attacker is not a member of. Because the endpoint does not validate that the requesting user belongs to the target channel, the attacker can retrieve the thread content [1].
Impact
Successful exploitation allows the attacker to read the contents of private threads and direct messages, leading to unauthorized disclosure of sensitive information. This could include confidential business communications, personal messages, or other data that should be restricted to channel members [1].
Mitigation
Mattermost has addressed this issue in a security update. Users should upgrade to a patched version of Mattermost (11.5.2 or later) as recommended in the Mattermost security advisory MMSA-2026-00645 [1]. No workarounds have been publicly documented.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: >=11.5, <=11.5.1
- (no CPE) range: <=11.5.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. mattermost.com/security-updates (NVD; Vendor Advisory)
News mentions
No linked articles in our index yet.