CVE Catalog

CVE-2026-7184

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations. This allows authenticated users with the {{manage_secure_connections}} permission to obtain remote cluster authentication tokens via a PATCH request to the remote cluster endpoint.

Risk Assessment

The organization may be exposed to unauthorized access to authentication tokens, potentially leading to the compromise of remote clusters and data. This poses a serious security threat to the system.

Recommendation

It is recommended to update Mattermost to the latest version to mitigate this vulnerability. Additionally, consider restricting access to the {{manage_secure_connections}} permission for users.

Original NVD description (English source)

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the {{manage_secure_connections}} permission to obtain remote cluster authentication tokens via a PATCH request to the remote cluster endpoint.. Mattermost Advisory ID: MMSA-2026-00662

Vulnerability data from NVD (NIST) · CISA KEV · EPSS