CVE-2026-28732

MEDIUM4.3EPSS 0.03%

Mattermost doesn't enforce slash command trigger-word uniqueness during command updates

Published: 5/18/2026Modified: 6/1/2026

Description

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to enforce slash command trigger-word uniqueness during command updates which allows an authenticated team member with Manage Own Slash Commands permission to hijack and impersonate existing system or custom slash commands via editing their own slash command trigger to an already-registered trigger through the command update API. Mattermost Advisory ID: MMSA-2026-00597

Affected packages (2)

Go/github.com/mattermost/mattermost-serverfrom 0, < 5.3.2-0.20260306123948-f5fe8ded6b63
Go/github.com/mattermost/mattermost/server/v8>= 11.5.0, < 11.5.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-28732
PATCHhttps://github.com/mattermost/mattermost
WEBhttps://github.com/mattermost/mattermost/commit/f5fe8ded6b633db7804ae25b42ea12ce635d6ea6
WEBhttps://mattermost.com/security-updates