Permission Inspection Flaw in Mattermost Affects User Data Exposure
CVE-2026-9824
4.3MEDIUM
What is CVE-2026-9824?
Mattermost has identified a vulnerability in versions 11.7.x up to 11.7.2, 11.6.x up to 11.6.4, and 10.11.x up to 10.11.19 that improperly checks the 'manage_shared_channels' permission within the /share-channel autocomplete handler. This oversight enables authenticated users, without the appropriate permissions, to exploit the slash command autocomplete functionality to enumerate remote cluster connection metadata. As a result, sensitive system data could be unintentionally exposed, leading to potential security risks.
Affected Version(s)
Mattermost 11.7.0 <= 11.7.2
Mattermost 11.6.0 <= 11.6.4
Mattermost 10.11.0 <= 10.11.19