Vulnerability in Mattermost Bot Registration Process Affects User Privacy
CVE-2026-6046

5.3MEDIUM

Key Information:

Vendor

Mattermost

Vendor
CVE Published:
12 June 2026

What is CVE-2026-6046?

A flaw exists in Mattermost where certain versions fail to validate that a username returned during the bot registration process is associated with a bot account. This allows an unprivileged attacker to pre-register a user account using a predictable bot username, potentially intercepting private messages sent through direct message channels by plugins. This creates a significant risk of unauthorized access to sensitive communications within the platform.

Affected Version(s)

Mattermost 11.6.0 <= 11.6.1

Mattermost 11.5.0 <= 11.5.4

Mattermost 10.11.0 <= 10.11.15

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

insomnia1102
.