CVE-2026-9162
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, and 10.11.x <= 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation. This allows a user with an existing WebSocket connection to remain authenticated and continue receiving real-time events until the cached session expires or the client reconnects.
Risk Assessment
The risk is that users may remain authenticated even after session revocation, potentially leading to unauthorized access to system data and functions.
Recommendation
It is recommended to upgrade to the latest version of Mattermost to mitigate this vulnerability and to monitor active WebSocket connections for potential abuse.
Original NVD description (English source)
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation, which allows a user with an existing WebSocket connection to remain authenticated and continue receiving real-time events until the cached session expires or the client reconnects.. Mattermost Advisory ID: MMSA-2026-00664

