Medium severity 4.3 · NVD Advisory · Published May 18, 2026 · Updated May 18, 2026

CVE-2026-6341

Description

Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to, which allows a user that is a member of multiple groups to create issues to a locked group via direct API requests. Mattermost Advisory ID: MMSA-2026-00602

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mattermost Plugins fail to enforce API-level group membership checks, allowing a user in multiple groups to create issues or attach comments on locked groups via direct API requests.

Vulnerability

Mattermost Plugins versions <=11.5, 11.1.5, 10.13.11, and 11.3.4.0 lack API-level checks on which groups a user can create issues or attach comments to [1]. This allows a user who is a member of multiple groups to bypass the intended group-level access controls by sending direct API requests to a locked group [1].

Exploitation

An attacker must be an authenticated user and a member of at least two groups, one of which is a locked group (where issue creation or comment attachment is restricted) [1]. The attacker can then craft direct API requests to create issues or attach comments to the locked group, bypassing the UI-level restrictions that would normally prevent such actions [1]. No additional privileges or user interaction beyond authentication are required.
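
The gap described above, reduced to its authorization logic in Go, as an added example that is not Mattermost's code or part of the advisory. `Group`, `Request`, `membershipOnly` and `authorize` are hypothetical names, and "locked" is assumed to mean that issue and comment creation is restricted, as the paragraph above describes.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical types for this example; they are not Mattermost plugin types.
type Group struct {
	Locked  bool            // assumed meaning: issue/comment creation is restricted
	Members map[string]bool // user IDs belonging to the group
}

type Request struct{ UserID, GroupID string } // GroupID is client-supplied

var (
	ErrNotMember = errors.New("user is not a member of the target group")
	ErrLocked    = errors.New("target group is locked")
)

// Constructed sample data: alice belongs to both groups, one of them locked.
var sampleGroups = map[string]Group{
	"open":   {Members: map[string]bool{"alice": true}},
	"locked": {Locked: true, Members: map[string]bool{"alice": true}},
}

// membershipOnly models the flawed pattern: membership is the only server-side check.
func membershipOnly(groups map[string]Group, r Request) error {
	// An unknown GroupID yields a zero Group with no members, so it fails closed.
	if !groups[r.GroupID].Members[r.UserID] {
		return ErrNotMember
	}
	return nil
}

// authorize also applies the lock rule on the server, whatever client sent the request.
func authorize(groups map[string]Group, r Request) error {
	if err := membershipOnly(groups, r); err != nil {
		return err
	}
	if groups[r.GroupID].Locked {
		return ErrLocked
	}
	return nil
}

func main() {
	r := Request{UserID: "alice", GroupID: "locked"}
	fmt.Println(membershipOnly(sampleGroups, r), authorize(sampleGroups, r))
}
```
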

Impact

Successful exploitation allows the attacker to create issues or attach comments to a locked group, effectively circumventing the group's intended access restrictions [1]. This could lead to unauthorized information disclosure or disruption within the group, as the attacker can post content that should have been blocked.

Mitigation

Mattermost has released security updates to address this vulnerability. Affected users should upgrade to a fixed version as listed in the Mattermost security advisory [1]. No workaround is available; upgrading is the recommended mitigation.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.

References

1
