Access Control Flaw in Mattermost Messaging Platform
CVE-2026-6062

6.4MEDIUM

Key Information:

Vendor: Mattermost
Status: Mattermost
Vendor: CVE Published:; 22 June 2026

What is CVE-2026-6062?

A significant access control vulnerability in Mattermost allows authenticated users to manipulate channel subscriptions. Specifically, versions of Mattermost prior to 11.7.0, 11.6.2, 11.5.5, and 10.11.17 fail to adequately validate channel ownership before applying edits to subscriptions. This flaw enables an attacker to hijack subscriptions from channels they are not authorized to access by sending a crafted PUT request to the subscription edit endpoint, posing serious risks to user confidentiality and data integrity.

Affected Version(s)

Mattermost 11.7.0

Mattermost 11.6.0 <= 11.6.2

Mattermost 11.5.0 <= 11.5.5

References

https://mattermost.com/security-updates

vendor-advisory

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 22, 2026
Vulnerability Reserved
Apr 10, 2026

Credit

0hmz

CVE-2026-6062 Data

JSON