Description
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to check the manage_shared_channels permission in the /share-channel autocomplete handler, which allows an authenticated user without that permission to enumerate configured remote cluster connection metadata via slash command autocomplete.. Mattermost Advisory ID: MMSA-2026-00676
Analysis and contextual insights are available on OpenCVE Cloud.
Remediation
Vendor Solution
Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
| Link | Providers |
|---|---|
| https://mattermost.com/security-updates |
|
History
Mon, 13 Jul 2026 11:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to check the manage_shared_channels permission in the /share-channel autocomplete handler, which allows an authenticated user without that permission to enumerate configured remote cluster connection metadata via slash command autocomplete.. Mattermost Advisory ID: MMSA-2026-00676 | |
| Title | Remote cluster metadata enumeration via /share-channel autocomplete | |
| Weaknesses | CWE-862 | |
| References |
| |
| Metrics |
cvssV3_1
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: Mattermost
Published:
Updated: 2026-07-13T10:47:33.070Z
Reserved: 2026-05-28T11:32:33.594Z
Link: CVE-2026-9824
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses