Mattermost · Mattermost · CVE-2026-6046
**Name of the Vulnerable Software and Affected Versions**
Mattermost versions prior to 11.6.2
Mattermost versions prior to 11.5.5
Mattermost versions prior to 10.11.17
**Description**
Bot registration did not verify that the account found under the expected bot username was actually a bot account. An unprivileged attacker who pre-registers an ordinary user account with a predictable plugin bot username is therefore treated as that plugin's bot and can intercept private messages the plugin sends through direct message channels.
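To make the flaw concrete, the following Go snippet (an added illustration written for this page, not Mattermost's code) contrasts a bot-registration lookup that accepts whatever account holds the expected username with one that rejects a non-bot account, and adds a small audit that lists expected bot usernames currently held by ordinary user accounts. The `User`, `UserStore` and function names are hypothetical and the sample records are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// User is a minimal stand-in for a server-side account record (constructed for this example).
type User struct {
	ID       string
	Username string
	IsBot    bool
}

// UserStore is a hypothetical username -> account lookup.
type UserStore map[string]User

// ErrUsernameTakenByUser is returned when the expected bot username is held by a non-bot account.
var ErrUsernameTakenByUser = errors.New("bot username is held by a non-bot account")

// ensureBotVulnerable mirrors the flawed pattern: any existing account that carries the
// expected bot username is returned as "the plugin's bot", so a pre-registered user
// account under that name silently becomes the recipient of the plugin's messages.
func ensureBotVulnerable(store UserStore, username string) (User, error) {
	if existing, ok := store[username]; ok {
		return existing, nil
	}
	bot := User{ID: "bot-" + username, Username: username, IsBot: true}
	store[username] = bot
	return bot, nil
}

// ensureBotHardened adds the missing check: an account found under the bot username is
// only accepted if it is actually a bot account; otherwise registration fails loudly.
func ensureBotHardened(store UserStore, username string) (User, error) {
	if existing, ok := store[username]; ok {
		if !existing.IsBot {
			return User{}, ErrUsernameTakenByUser
		}
		return existing, nil
	}
	bot := User{ID: "bot-" + username, Username: username, IsBot: true}
	store[username] = bot
	return bot, nil
}

// auditBotCollisions reports, in sorted order, which of the expected plugin bot
// usernames are currently held by non-bot accounts. This is a defender-side check an
// administrator could run against an existing user table after patching.
func auditBotCollisions(store UserStore, expected []string) []string {
	var collisions []string
	for _, name := range expected {
		if u, ok := store[name]; ok && !u.IsBot {
			collisions = append(collisions, name)
		}
	}
	sort.Strings(collisions)
	return collisions
}

// sampleStore builds a constructed user table: one legitimate bot and one ordinary
// user account that was registered under a name a plugin would expect for its bot.
func sampleStore() UserStore {
	return UserStore{
		"calendarbot": {ID: "bot-calendarbot", Username: "calendarbot", IsBot: true},
		"feedbackbot": {ID: "user-4711", Username: "feedbackbot", IsBot: false},
	}
}

func main() {
	store := sampleStore()

	got, _ := ensureBotVulnerable(store, "feedbackbot")
	fmt.Printf("vulnerable lookup returned account %s (bot=%v)\n", got.ID, got.IsBot)

	if _, err := ensureBotHardened(store, "feedbackbot"); err != nil {
		fmt.Println("hardened lookup rejected registration:", err)
	}

	fmt.Println("collisions:", auditBotCollisions(store, []string{"calendarbot", "feedbackbot"}))
}
```

The hardened variant fails closed: a plugin whose expected bot username is already taken by a person gets an error instead of a silently redirected message channel, which is the behaviour a defender wants to see surface in logs during plugin start-up.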
**Recommendations**
Update to version 11.6.2 or later.
Update to version 11.5.5 or later.
Update to version 10.11.17 or later.