CVE-2026-7184

Summary

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the {{manage_secure_connections}} permission to obtain remote cluster authentication tokens via a PATCH request to the remote cluster endpoint.. Mattermost Advisory ID: MMSA-2026-00662

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost11.6.0 <= 11.6.1affected
MattermostMattermost11.5.0 <= 11.5.4affected
MattermostMattermost10.11.0 <= 10.11.15affected
MattermostMattermost11.7.0unaffected
MattermostMattermost11.6.2unaffected
MattermostMattermost11.5.5unaffected
MattermostMattermost10.11.17unaffected

Weaknesses

  • CWE-201: CWE-201: Insertion of Sensitive Information Into Sent Data

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References