CVE-2026-28735
EUVD-2026-3146522.05.2026, 17:16
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the OAuth token scope on the callback which allows an authenticated Mattermost user to gain access to private repositories via modifying the scope parameter in the GitHub authorization URL.. Mattermost Advisory ID: MMSA-2026-00628Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| mattermost | mattermost_server | 10.11.0 ≤ 𝑥 < 10.11.15 |
| mattermost | mattermost_server | 11.4.0 ≤ 𝑥 < 11.4.5 |
| mattermost | mattermost_server | 11.5.0 ≤ 𝑥 < 11.5.4 |
| mattermost | mattermost_server | 11.6.0 ≤ 𝑥 < 11.6.1 |
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| mattermost | mattermost | 𝑥 ≤ 11.6.0 | CNA |
| mattermost | mattermost | 11.5.0 ≤ 𝑥 ≤ 11.5.3 | CNA |
| mattermost | mattermost | 11.4.0 ≤ 𝑥 ≤ 11.4.4 | CNA |
| mattermost | mattermost | 10.11.0 ≤ 𝑥 ≤ 10.11.14 | CNA |
References