Vulnerability in Mattermost Bot Registration Process Affects User Privacy
CVE-2026-6046
5.3MEDIUM
What is CVE-2026-6046?
A flaw exists in Mattermost where certain versions fail to validate that a username returned during the bot registration process is associated with a bot account. This allows an unprivileged attacker to pre-register a user account using a predictable bot username, potentially intercepting private messages sent through direct message channels by plugins. This creates a significant risk of unauthorized access to sensitive communications within the platform.
Affected Version(s)
Mattermost 11.6.0 <= 11.6.1
Mattermost 11.5.0 <= 11.5.4
Mattermost 10.11.0 <= 10.11.15