PT-2026-41640 · Mattermost · Mattermost

Daw10 · Published 2026-05-18 · Updated 2026-05-18 · CVE-2026-28759

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Mattermost versions 11.5.0 through 11.5.1
Mattermost versions 10.11.0 through 10.11.13
Mattermost versions 11.4.0 through 11.4.3

Description
An issue exists during shared channel membership sync where the system fails to validate whether a remote cluster has access to a channel before processing membership removal requests. This allows a malicious remote cluster to remove any user from any channel, including private channels, by sending crafted membership sync messages targeting channels the remote cluster is not authorized to access.

Recommendations
Update Mattermost versions 11.5.0 through 11.5.1 to a version newer than 11.5.1.
Update Mattermost versions 10.11.0 through 10.11.13 to a version newer than 10.11.13.
Update Mattermost versions 11.4.0 through 11.4.3 to a version newer than 11.4.3.
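As an added illustration of the missing check described above (not Mattermost's own code; every type, function and sample value below is an assumption constructed for this example), the unchecked sync handler beside a hardened version that refuses removals for channels the sending remote cluster does not share:

```go
package main

import (
	"errors"
	"fmt"
)

// MembershipSyncMsg is a hypothetical stand-in for a shared-channel
// membership sync message received from a remote cluster.
type MembershipSyncMsg struct {
	RemoteID  string // cluster that sent the message
	ChannelID string
	UserID    string
	Removed   bool
}

// ErrRemoteNotAuthorized is returned when the sending remote cluster
// does not share the targeted channel.
var ErrRemoteNotAuthorized = errors.New("remote cluster is not authorized for channel")

// Store is a constructed in-memory model: which remotes each channel is
// shared with, and each channel's current members.
type Store struct {
	shares  map[string]map[string]bool // channelID -> remoteIDs
	members map[string]map[string]bool // channelID -> userIDs
}

func (s *Store) IsShared(channelID, remoteID string) bool { return s.shares[channelID][remoteID] }
func (s *Store) IsMember(channelID, userID string) bool   { return s.members[channelID][userID] }

// ApplyMembershipVulnerable applies the removal without checking that the
// sending remote actually shares the channel (the flaw in the description).
func ApplyMembershipVulnerable(s *Store, msg MembershipSyncMsg) error {
	if msg.Removed {
		delete(s.members[msg.ChannelID], msg.UserID)
	}
	return nil
}

// ApplyMembershipFixed performs the authorization check first, so a remote
// can only affect membership of channels it is shared with.
func ApplyMembershipFixed(s *Store, msg MembershipSyncMsg) error {
	if !s.IsShared(msg.ChannelID, msg.RemoteID) {
		return fmt.Errorf("sync from %q for channel %q: %w", msg.RemoteID, msg.ChannelID, ErrRemoteNotAuthorized)
	}
	return ApplyMembershipVulnerable(s, msg) // same mutation, now gated
}

// NewSampleStore builds constructed data: "private-1" is shared only with remote-a.
func NewSampleStore() *Store {
	return &Store{
		shares:  map[string]map[string]bool{"private-1": {"remote-a": true}},
		members: map[string]map[string]bool{"private-1": {"alice": true, "bob": true}},
	}
}
```

Logging the rejected message's RemoteID and ChannelID at the check gives a usable detection signal for a remote that probes channels it is not shared with.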

Tags: Fix · DoS · Incorrect Authorization


Weakness Enumeration

Related Identifiers

CVE-2026-28759
GHSA-8H9W-W78C-VVR3

Affected Products

Mattermost