CVE-2026-27656

Name of the Vulnerable Software and Affected Versions Mattermost versions 11.4.0 and earlier, 11.3.1 and earlier, 11.2.3 and earlier, 10.11.11 and earlier

Description The software does not properly validate user identity within the OpenID IsSameUser() comparison logic. This flaw, stemming from overly permissive substring matching in the user discovery flow, could allow an attacker to compromise user accounts.

Recommendations Update Mattermost to a version later than 11.4.0. Update Mattermost to a version later than 11.3.1. Update Mattermost to a version later than 11.2.3. Update Mattermost to a version later than 10.11.11.