Permission Inspection Flaw in Mattermost Affects User Data Exposure
CVE-2026-9824

4.3MEDIUM

Key Information:

Vendor

Mattermost

Vendor
CVE Published:
13 July 2026

What is CVE-2026-9824?

Mattermost has identified a vulnerability in versions 11.7.x up to 11.7.2, 11.6.x up to 11.6.4, and 10.11.x up to 10.11.19 that improperly checks the 'manage_shared_channels' permission within the /share-channel autocomplete handler. This oversight enables authenticated users, without the appropriate permissions, to exploit the slash command autocomplete functionality to enumerate remote cluster connection metadata. As a result, sensitive system data could be unintentionally exposed, leading to potential security risks.

Affected Version(s)

Mattermost 11.7.0 <= 11.7.2

Mattermost 11.6.0 <= 11.6.4

Mattermost 10.11.0 <= 10.11.19

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

adamsec-dev
.