Analysis and contextual insights are available on OpenCVE Cloud.
Vendor Solution
Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher.
Tracking
Sign in to view the affected projects.
No advisories yet.
| Link | Providers |
|---|---|
| https://mattermost.com/security-updates |
|
Mon, 13 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Mon, 13 Jul 2026 09:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Mattermost
Mattermost mattermost |
|
| Vendors & Products |
Mattermost
Mattermost mattermost |
Mon, 13 Jul 2026 08:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate that an assigned incoming webhook user has access to the target team or channel, which allows a requester with webhook management permissions to create posts or direct messages attributed to another user via crafted incoming webhook configuration and payloads.. Mattermost Advisory ID: MMSA-2026-00683 | |
| Title | Incoming webhook user attribution via unvalidated webhook owner | |
| Weaknesses | CWE-639 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: Mattermost
Published:
Updated: 2026-07-13T14:45:16.207Z
Reserved: 2026-05-27T13:46:27.399Z
Link: CVE-2026-9708
Updated: 2026-07-13T14:44:59.987Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-13T17:30:04Z