Host Header Spoofing Vulnerability in Mattermost by Mattermost
CVE-2026-6333

3.5LOW

Key Information:

Vendor: Mattermost
Status: Mattermost
Vendor: CVE Published:; 18 May 2026

What is CVE-2026-6333?

Mattermost versions 11.5.x up to 11.5.1 and 10.11.x up to 10.11.13 have a vulnerability due to insufficient validation of the Host header when generating response URLs for custom slash commands. This flaw could allow an authenticated attacker to redirect responses to a malicious server by exploiting a spoofed Host header, posing a significant security risk.

Affected Version(s)

Mattermost 11.5.0 <= 11.5.1

Mattermost 10.11.0 <= 10.11.13

Mattermost 11.6.0

References

https://mattermost.com/security-updates

vendor-advisory

CVSS V3.1

Score:

3.5

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 18, 2026
Vulnerability Reserved
Apr 15, 2026

Credit

Juho Forsén

CVE-2026-6333 Data

JSON