CVE-2026-28759
MEDIUM4.3EPSS 0.03%Mattermost does not verify remote cluster channel access when processing shared channel membership removals
發布日:2026/5/18修改日:2026/6/1
描述
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel, including private channels, via crafted membership sync messages targeting channels the remote cluster is not authorized to access. Mattermost Advisory ID: MMSA-2026-00576.
受影響套件(2)
- Go/github.com/mattermost/mattermost-serverfrom 0, < 5.3.2-0.20260216150504-8738f8c4b3d4
- Go/github.com/mattermost/mattermost/server/v8>= 11.5.0, < 11.5.2
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |