CVE-2026-7184
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations. This allows authenticated users with the {{manage_secure_connections}} permission to obtain remote cluster authentication tokens via a PATCH request to the remote cluster endpoint.
Risk Assessment
The organization may be exposed to unauthorized access to authentication tokens, potentially leading to the compromise of remote clusters and data. This poses a serious security threat to the system.
Recommendation
It is recommended to update Mattermost to the latest version to mitigate this vulnerability. Additionally, consider restricting access to the {{manage_secure_connections}} permission for users.
Original NVD description (English source)
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the {{manage_secure_connections}} permission to obtain remote cluster authentication tokens via a PATCH request to the remote cluster endpoint.. Mattermost Advisory ID: MMSA-2026-00662

