CSRF Vulnerability in Mattermost Affecting User Authentication
CVE-2026-28741

CVSS 3.1 base score: 6.8 (MEDIUM)

Key Information:

Vendor: Mattermost
CVE Published: 15 April 2026

What is CVE-2026-28741?

Certain versions of Mattermost fail to adequately validate CSRF tokens at an authentication endpoint, leaving that endpoint open to Cross-Site Request Forgery (CSRF). Because the browser attaches the victim's session cookie to any request for the site, an attacker who lures a logged-in user to a malicious web page can have that page submit a forged request in the user's authenticated session and change the user's authentication method, which the advisory describes as session hijacking that jeopardizes account integrity. Exploitation needs no privileges on the attacker's side but does require user interaction: the victim must visit the attacker-controlled page while logged in. Mattermost users are advised to upgrade to a release newer than those listed under Affected Version(s).
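The flaw class described above, a server accepting a state-changing request without an adequate CSRF token check, is easiest to see next to its fix. The following Go program is an added example written for this page; it is not Mattermost's code and does not reproduce the actual vulnerable endpoint. The session type, the route /api/example/auth-method, the cookie name, the X-CSRF-Token header name and the sample request bodies are all constructed assumptions. weakCSRFCheck only compares a token when the client sent one, so a cross-site form post that omits the header passes on the session cookie alone; strictCSRFCheck requires the token, compares it in constant time against the session-bound value, and additionally requires a same-origin Origin or Referer.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// session is a hypothetical server-side session record: the CSRF token is
// generated at login and bound to this session, never derived from the request.
type session struct {
	UserID    string
	CSRFToken string
}

// weakCSRFCheck shows the inadequate-validation pattern: the token is only
// compared when the client sent one, so a cross-site form POST that simply
// omits the header is waved through on the strength of the session cookie.
func weakCSRFCheck(r *http.Request, s *session) bool {
	tok := r.Header.Get("X-CSRF-Token")
	if tok == "" {
		return true // bug: "no token" is treated as "nothing to validate"
	}
	return tok == s.CSRFToken
}

// strictCSRFCheck is the hardened form: the token is mandatory, compared in
// constant time against the session-bound value, and the request must also
// carry an Origin (or Referer) matching the site; a missing Origin on a
// state-changing request is rejected rather than assumed same-origin.
func strictCSRFCheck(r *http.Request, s *session, siteOrigin string) bool {
	tok := r.Header.Get("X-CSRF-Token")
	if tok == "" || subtle.ConstantTimeCompare([]byte(tok), []byte(s.CSRFToken)) != 1 {
		return false
	}
	origin := r.Header.Get("Origin")
	if origin == "" {
		if ref, err := url.Parse(r.Header.Get("Referer")); err == nil && ref.Host != "" {
			origin = ref.Scheme + "://" + ref.Host
		}
	}
	return origin != "" && strings.EqualFold(origin, siteOrigin)
}

// newAuthChangeRequest builds a POST to a hypothetical auth-method endpoint
// (constructed path, not a Mattermost route) carrying the victim's session
// cookie, the way a browser attaches it to any request for the site.
func newAuthChangeRequest(origin, csrfHeader string) *http.Request {
	body := strings.NewReader("auth_service=attacker-controlled-idp") // constructed sample body
	r := httptest.NewRequest(http.MethodPost, "https://chat.example.test/api/example/auth-method", body)
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	r.Header.Set("Origin", origin)
	if csrfHeader != "" {
		r.Header.Set("X-CSRF-Token", csrfHeader)
	}
	r.AddCookie(&http.Cookie{Name: "session", Value: "victim-session-id"}) // constructed cookie
	return r
}

// CrossSiteRequest is what an attacker page's auto-submitted form produces:
// the browser sends the cookie but cannot add a custom X-CSRF-Token header
// without a CORS preflight, which the site would not approve.
func CrossSiteRequest() *http.Request {
	return newAuthChangeRequest("https://attacker.example.test", "")
}

// SameSiteRequest is the legitimate client: same origin, token from the session.
func SameSiteRequest(token string) *http.Request {
	return newAuthChangeRequest("https://chat.example.test", token)
}

func main() {
	const site = "https://chat.example.test"
	s := &session{UserID: "victim", CSRFToken: "a1b2c3-session-bound-token"} // constructed
	fmt.Println("weak   accepts cross-site POST:", weakCSRFCheck(CrossSiteRequest(), s))
	fmt.Println("strict accepts cross-site POST:", strictCSRFCheck(CrossSiteRequest(), s, site))
	fmt.Println("strict accepts legitimate POST:", strictCSRFCheck(SameSiteRequest(s.CSRFToken), s, site))
}
```

The Origin check is defense in depth, not a replacement for the token: a correct token presented from a foreign origin is still rejected, and a request with no Origin and no Referer is rejected rather than trusted, which is the conservative choice for a request that changes how a user authenticates.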

Affected Version(s)

  • Mattermost 10.11.0 through 10.11.12
  • Mattermost 11.4.0 through 11.4.2
  • Mattermost 11.5.0

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Vector as listed on this page: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. Under the CVSS 3.1 formula this vector yields a base score of 7.5, not 6.8; a score of 6.8 with the other metrics unchanged corresponds to Availability: None (A:N). The score and the impact metrics shown here are therefore inconsistent with each other and should be checked against the vendor advisory or the NVD record before being used for prioritisation.

Timeline

  • Vulnerability reserved
  • Vulnerability published: 15 April 2026

Credit

Eva Sarafianou