CVE-2026-28759 MEDIUM

CVE-2026-28759: Insufficient authorization in shared channel membership sync allows remote cluster to remove users from arbitrary channels

Vendor Mattermost

Product Mattermost

Weakness CWE-863 · Incorrect authorization

Published May 18, 2026

Last update May 18, 2026

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel, including private channels, via crafted membership sync messages targeting channels the remote cluster is not authorized to access. Mattermost Advisory ID: MMSA-2026-00576

Key dates

02Disclosure timeline

May 18, 2026 CVE published

May 18, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-28759 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

Identifiers

CVE CVE-2026-28759

CWE CWE-863

CVSS 4.3 / MEDIUM

Affected versions

Vendor Mattermost

Product Mattermost

Affected ≥ 11.5.0 and ≤ 11.5.1

Vendor Mattermost

Product Mattermost

Affected ≥ 10.11.0 and ≤ 10.11.13

Vendor Mattermost

Product Mattermost

Affected ≥ 11.4.0 and ≤ 11.4.3

CVE-2026-28759: Insufficient authorization in shared channel membership sync allows remote cluster to remove users from arbitrary channels

01Description

02Disclosure timeline

03References

04Related CVE