Mattermost Discloses 7 CVEs: Privilege Escalation, Token Theft, and Federated File Write

Key findings
- Two High-severity bugs: admin privilege escalation (CVE-2026-7387, CVSS 8.8) and arbitrary file write via federated file sync (CVE-2026-6961, CVSS 7.6)
- Three privilege-role logic flaws allow escalation or open-invite bypass without proper permissions
- A federation token theft bug (CVE-2026-7184) lets authenticated users steal remote cluster tokens via PATCH
- Bot-registration validation gap (CVE-2026-6046) enables DM interception from plugins
- All seven CVEs fixed in one coordinated release: 11.6.2 / 11.5.5 / 10.11.17
On June 12, 2026, Mattermost disclosed seven security vulnerabilities spanning privilege escalation, privilege misuse, credential theft, arbitrary file write, and information leaks across supported release lines. The batch was published as a coordinated security bulletin by Mattermost's product security team, covering versions 10.11.x, 11.5.x, and 11.6.x. Two of the bugs earned a High severity rating, highlighting the risk of privilege escalation and remote file write in federated deployments.
The most severe bug is CVE-2026-7387 (CVSS 8.8, High), a missing authorization check when the scheme_admin flag is set through the group-syncable link and patch endpoints. A user with group-link permissions can escalate themselves and other group members to admin roles — effectively a full privilege escalation bypassing role-management authorization. This affects all three release lines. The second High-severity issue is CVE-2026-6961 (CVSS 7.6, High), which arises from unsanitized FileInfo.Name data received from federated peers during shared channel file sync. An attacker who controls a federated server can write files to arbitrary locations on the target server, enabling remote code execution or configuration tampering in federated Mattermost deployments.
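The unsanitized FileInfo.Name issue in CVE-2026-6961 is, at root, a path-containment failure. As an added Go example (not Mattermost's own code; the sync root and function names are hypothetical), here is the kind of validation a receiving server should apply to a peer-supplied file name before writing it, shown beside the unchecked join it replaces:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Hypothetical directory where files received over shared-channel sync are stored.
const syncRoot = "/var/mattermost/data/shared"

var errUnsafeName = errors.New("unsafe file name from federated peer")

// naiveSyncPath shows the pattern behind an unsanitized-name bug: the peer-supplied
// name is joined to the root as-is, so ".." segments steer the write outside it.
func naiveSyncPath(root, name string) string {
	return filepath.Join(root, name)
}

// safeSyncPath treats a peer-supplied FileInfo.Name as untrusted input: it must be a
// single non-empty path component (no separators, not "." or "..", no NUL byte), and
// the joined result is re-checked to be strictly inside root.
func safeSyncPath(root, name string) (string, error) {
	if name == "" || name == "." || name == ".." || strings.ContainsRune(name, 0) {
		return "", errUnsafeName
	}
	// Reject both separator styles so a name cannot carry directory parts on any OS.
	if strings.ContainsAny(name, `/\`) || name != filepath.Base(name) {
		return "", errUnsafeName
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absRoot, name)
	// Defense in depth: confirm the final path did not escape the root.
	rel, err := filepath.Rel(absRoot, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errUnsafeName
	}
	return full, nil
}

func main() {
	for _, n := range []string{"report.pdf", "../../etc/passwd", "..", "/etc/passwd"} {
		p, err := safeSyncPath(syncRoot, n)
		fmt.Printf("%-20q naive=%s safe=%q err=%v\n", n, naiveSyncPath(syncRoot, n), p, err)
	}
}
```

The same containment check belongs on any other path-bearing field a federated peer can supply, since the peer is outside the local trust boundary.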
Three Medium-severity flaws involve privilege-role logic gaps. CVE-2026-6739 (CVSS 6.7) lets authenticated users with delegated user-management permissions patch protected default system roles without system-level authorization, allowing privilege escalation by altering built-in role permissions. CVE-2026-6689 (CVSS 4.3) is a missing enforcement of PermissionInviteUser when setting AllowOpenInvite or AllowedDomains at team creation time (the check only ran on update/patch). A user with PermissionCreateTeam but not invite permission could create open-invite teams. CVE-2026-7184 (CVSS 6.5) involves an unserialized response from the Remote Cluster API on PATCH operations: an authenticated user with manage_secure_connections permission can obtain remote cluster authentication tokens by crafting a PATCH request.
Two bugs target information integrity. CVE-2026-6046 (CVSS 5.3) fails to validate that a username returned during bot registration belongs to a bot account, letting an unprivileged attacker pre-register a username matching a plugin's bot handle to intercept private messages sent by plugins via direct message channels. CVE-2026-3433 (CVSS 4.3) leaks role_updated websocket events to members outside the affected team or channel, meaning a guest-level attacker can observe permission scheme changes for private teams and channels.
Mattermost has addressed the full batch in releases 11.6.2, 11.5.5, and 10.11.17. Users running any version 11.6.x ≤ 11.6.1, 11.5.x ≤ 11.5.4, or 10.11.x ≤ 10.11.16 are advised to upgrade immediately. No in-the-wild exploitation has been reported at the time of disclosure.
The patch covers all seven CVEs in a single point-release per branch. The breadth of the batch — spanning authorization, sanitization, websocket disclosure, and bot-handling logic — underscores the value of Mattermost's coordinated release process. Teams using shared channels (federated file sync) or delegating user-management roles should prioritize the update given the two High-severity bugs that can lead to admin takeover and remote file write.