CVE-2026-10106 in Mattermostinfo

Summary

by MITRE • 07/13/2026

Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify that the channel referenced in an action cookie matches the channel of the target post, which allows an authenticated user without access to a private channel to trigger interactive post actions on posts in that channel via a cookie obtained from any accessible channel.. Mattermost Advisory ID: MMSA-2026-00690

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/13/2026

This vulnerability represents a critical access control flaw in Mattermost messaging platform affecting multiple version streams including 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19. The issue stems from inadequate validation of channel context within action cookies that are used to execute interactive post actions. Specifically, the system fails to verify that the channel identifier embedded in an action cookie corresponds to the actual channel containing the target post, creating a path for privilege escalation attacks.

The technical implementation flaw manifests when authenticated users exploit a channel access control bypass by leveraging cookies obtained from one channel to trigger actions on posts within another channel they should not normally have access to. This weakness directly maps to CWE-284 Access Control Bypass and aligns with ATT&CK technique T1078 Valid Accounts, where attackers abuse legitimate credentials to gain unauthorized access to restricted resources. The vulnerability occurs at the session management layer where cookie validation does not enforce proper channel scope boundaries, allowing cross-channel action execution.

The operational impact of this vulnerability extends beyond simple information disclosure as it enables malicious actors to perform interactive post actions such as button clicks, menu selections, and other user interface interactions within private channels they do not own or have explicit access rights to. This could potentially lead to unauthorized modifications, data manipulation, or even privilege escalation within the messaging environment. Attackers could exploit this to execute automated actions against sensitive private channels, undermining the fundamental security model of channel-based access control that Mattermost relies upon for maintaining secure communication boundaries.

Mitigation strategies should focus on implementing robust cookie validation mechanisms that strictly enforce channel context matching between action cookies and target posts. Organizations should immediately upgrade to patched versions of Mattermost where available, while implementing additional monitoring for unusual interactive post activity patterns. Security teams should also consider implementing network-level controls to detect anomalous cross-channel cookie usage and establish regular access control reviews to identify potential exploitation attempts. The vulnerability highlights the importance of maintaining proper session scope validation in web applications and underscores the necessity of following secure coding practices as outlined in OWASP Top Ten and NIST cybersecurity frameworks for preventing such access control bypass scenarios.

Responsible

Mattermost

Reservation

05/29/2026

Disclosure

07/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!