PT-2026-41649 · Mattermost · Mattermost
Mr_Anksec · Published 2026-05-18 · Updated 2026-05-18
CVE-2026-28732 · CVSS v3.1 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Mattermost versions prior to 11.5.2
Mattermost versions prior to 10.11.14
Mattermost versions prior to 11.4.4
Description
Mattermost does not enforce trigger-word uniqueness when a slash command is updated. An authenticated team member holding the Manage Own Slash Commands permission can therefore hijack and impersonate an existing system or custom slash command by editing the trigger of their own command, through the command update API, to match an already-registered trigger.
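The defect is a create/update asymmetry: the creation path rejects a duplicate trigger, but the update path only checks ownership. The following Go program is an added illustration written for this page, not Mattermost's code; it models a small in-memory slash-command registry with hypothetical names (`Registry`, `UpdateTriggerVulnerable`, `UpdateTriggerFixed`, `Handlers`) and a constructed built-in trigger `sysinfo`, and shows the missing check beside the corrected one. Trigger normalisation (leading slash stripped, lower-cased) is an assumption of the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
	"sync"
)

// Added illustration, not Mattermost code: an in-memory slash-command
// registry whose update path either omits (vulnerable) or enforces (fixed)
// the trigger-uniqueness check that the create path already performs.

var (
	ErrNotFound     = errors.New("command not found")
	ErrNotOwner     = errors.New("caller does not own this command")
	ErrTriggerTaken = errors.New("trigger already registered in this team")
)

// SlashCommand is a constructed, simplified record (hypothetical fields).
type SlashCommand struct {
	ID      string
	TeamID  string
	OwnerID string
	Trigger string
}

// Registry holds custom commands plus the set of built-in (system) triggers.
type Registry struct {
	mu       sync.Mutex
	commands map[string]*SlashCommand // keyed by command ID
	builtins map[string]bool          // constructed system triggers
}

func NewRegistry(builtins ...string) *Registry {
	r := &Registry{commands: map[string]*SlashCommand{}, builtins: map[string]bool{}}
	for _, b := range builtins {
		r.builtins[normalize(b)] = true
	}
	return r
}

// normalize strips a leading "/" and lower-cases, so "/Deploy" and "deploy"
// collide (an assumption of this example, not a documented Mattermost rule).
func normalize(t string) string {
	return strings.ToLower(strings.TrimPrefix(strings.TrimSpace(t), "/"))
}

// triggerTaken reports whether trigger collides with a built-in or with any
// other command in the same team, ignoring the command identified by excludeID.
func (r *Registry) triggerTaken(teamID, trigger, excludeID string) bool {
	if r.builtins[trigger] {
		return true
	}
	for _, c := range r.commands {
		if c.ID != excludeID && c.TeamID == teamID && c.Trigger == trigger {
			return true
		}
	}
	return false
}

// Create enforces uniqueness; this is the check the update path forgot.
func (r *Registry) Create(cmd SlashCommand) error {
	r.mu.Lock()
	defer r.mu.Unlock()
	cmd.Trigger = normalize(cmd.Trigger)
	if r.triggerTaken(cmd.TeamID, cmd.Trigger, "") {
		return ErrTriggerTaken
	}
	c := cmd
	r.commands[cmd.ID] = &c
	return nil
}

// UpdateTriggerVulnerable mirrors the flaw in the advisory: it verifies that
// the caller owns the command but never that the new trigger is free.
func (r *Registry) UpdateTriggerVulnerable(callerID, id, newTrigger string) error {
	r.mu.Lock()
	defer r.mu.Unlock()
	c, ok := r.commands[id]
	if !ok {
		return ErrNotFound
	}
	if c.OwnerID != callerID {
		return ErrNotOwner
	}
	c.Trigger = normalize(newTrigger) // no uniqueness check here
	return nil
}

// UpdateTriggerFixed applies the same check as Create, excluding the command
// being edited so that re-saving its own current trigger still succeeds.
func (r *Registry) UpdateTriggerFixed(callerID, id, newTrigger string) error {
	r.mu.Lock()
	defer r.mu.Unlock()
	c, ok := r.commands[id]
	if !ok {
		return ErrNotFound
	}
	if c.OwnerID != callerID {
		return ErrNotOwner
	}
	t := normalize(newTrigger)
	if r.triggerTaken(c.TeamID, t, c.ID) {
		return ErrTriggerTaken
	}
	c.Trigger = t
	return nil
}

// Handlers returns, sorted, the IDs of every command in the team that would
// answer to trigger; more than one entry means the trigger has been hijacked.
func (r *Registry) Handlers(teamID, trigger string) []string {
	r.mu.Lock()
	defer r.mu.Unlock()
	t := normalize(trigger)
	var ids []string
	for _, c := range r.commands {
		if c.TeamID == teamID && c.Trigger == t {
			ids = append(ids, c.ID)
		}
	}
	sort.Strings(ids)
	return ids
}

func main() {
	r := NewRegistry("sysinfo") // constructed sample data
	_ = r.Create(SlashCommand{ID: "a", TeamID: "t1", OwnerID: "alice", Trigger: "/deploy"})
	_ = r.Create(SlashCommand{ID: "b", TeamID: "t1", OwnerID: "bob", Trigger: "notes"})
	fmt.Println("vulnerable update:", r.UpdateTriggerVulnerable("bob", "b", "deploy"), r.Handlers("t1", "deploy"))
	fmt.Println("fixed update:", r.UpdateTriggerFixed("bob", "b", "sysinfo"))
}
```

The audit question this models is simple to ask of any registry-style API: does every mutation path that can set a name, trigger or alias run the same collision check as the creation path, and does that check exclude the record being edited so that idempotent saves keep working?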
Recommendations
Update to version 11.5.2 or later.
Update to version 10.11.14 or later.
Update to version 11.4.4 or later.
Fix
Incorrect Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Mattermost