Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to check the manage_shared_channels permission in the /share-channel autocomplete handler, which allows an authenticated user without that permission to enumerate configured remote cluster connection metadata via slash command autocomplete.. Mattermost Advisory ID: MMSA-2026-00676

Project Subscriptions

No data.

Advisories

No advisories yet.

Fixes

Solution

Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher.


Workaround

No workaround given by the vendor.

References
History

Mon, 13 Jul 2026 11:00:00 +0000

Type Values Removed Values Added
Description Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to check the manage_shared_channels permission in the /share-channel autocomplete handler, which allows an authenticated user without that permission to enumerate configured remote cluster connection metadata via slash command autocomplete.. Mattermost Advisory ID: MMSA-2026-00676
Title Remote cluster metadata enumeration via /share-channel autocomplete
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-07-13T10:47:33.070Z

Reserved: 2026-05-28T11:32:33.594Z

Link: CVE-2026-9824

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses