CVE-2026-28732 MEDIUM

CVE-2026-28732: Slash command trigger-word update allowed command hijacking

Vendor Mattermost
Product Mattermost
Weakness CWE-863 · Incorrect authorization
Published May 18, 2026
Last update May 18, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to enforce slash command trigger-word uniqueness during command updates which allows an authenticated team member with Manage Own Slash Commands permission to hijack and impersonate existing system or custom slash commands via editing their own slash command trigger to an already-registered trigger through the command update API. Mattermost Advisory ID: MMSA-2026-00597

Key dates

02Disclosure timeline

May 18, 2026 CVE published
May 18, 2026 Record updated