Authentication Caching Issue in Mattermost Products
CVE-2026-9162

4.3MEDIUM

Key Information:

Vendor: Mattermost
Status: Mattermost
Vendor: CVE Published:; 22 June 2026

What is CVE-2026-9162?

Certain versions of Mattermost exhibit a flaw in the handling of WebSocket connections. The application fails to invalidate cached authentication states during global session revocations. This imperfection allows users with active WebSocket connections to remain authenticated, thus continuing to receive real-time events even after a session has been revoked. This oversight persists until the cached session timeouts or the client decides to reconnect, posing significant risks regarding unauthorized information access in the context of real-time communications.

Affected Version(s)

Mattermost 11.7.0

Mattermost 11.6.0 <= 11.6.2

Mattermost 11.5.0 <= 11.5.5

References

https://mattermost.com/security-updates

vendor-advisory

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 22, 2026
Vulnerability Reserved
May 21, 2026

Credit

winfunc

CVE-2026-9162 Data

JSON