CVE-2026-9708 in Mattermost
Summary
by MITRE • 07/13/2026
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate that an assigned incoming webhook user has access to the target team or channel, which allows a requester with webhook management permissions to create posts or direct messages attributed to another user via crafted incoming webhook configuration and payloads.. Mattermost Advisory ID: MMSA-2026-00683
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/13/2026
This vulnerability in Mattermost represents a critical access control flaw that undermines the platform's security model through insufficient validation of webhook user assignments. The issue affects multiple version streams including 11.7.x up to 11.7.2, 11.6.x up to 11.6.4, and 10.11.x up to 10.11.19, indicating a widespread problem that has persisted across several release cycles. The vulnerability stems from the failure to implement proper authorization checks when processing incoming webhook configurations, specifically neglecting to verify whether the designated user account possesses legitimate access rights to the target team or channel.
The technical flaw manifests when an attacker with webhook management permissions crafts malicious incoming webhook configurations that reference user accounts which they do not have access to. This misconfiguration allows the system to process posts or direct messages as if they originated from the assigned user, effectively enabling privilege escalation and impersonation attacks. The vulnerability operates at the intersection of authentication and authorization controls, where the platform accepts configuration parameters without validating the underlying permissions of the referenced users. This represents a classic case of inadequate input validation and access control enforcement that aligns with CWE-285, which addresses improper authorization in software systems.
The operational impact of this vulnerability extends beyond simple impersonation, as it can enable attackers to bypass security controls designed to protect sensitive communications and data within Mattermost teams and channels. An attacker could potentially create posts in restricted channels or send direct messages that appear to originate from trusted team members, leading to social engineering attacks, information disclosure, or disruption of team communications. The vulnerability is particularly dangerous because it allows malicious actors to leverage legitimate webhook management permissions to perform unauthorized actions, making detection more challenging as the activities appear to come from authorized users.
Organizations using affected Mattermost versions face significant security risks including potential data breaches, unauthorized access to sensitive channels, and compromise of user trust within team environments. The vulnerability enables attackers to create false narratives within communication platforms that are typically considered secure, undermining the integrity of the entire system. From an attack perspective, this represents a low-effort, high-impact vector that requires only webhook management privileges to exploit, making it particularly concerning for organizations with broad webhook administration permissions.
The recommended mitigations include immediate patching of affected Mattermost versions to the latest stable releases that contain the necessary authorization checks. Organizations should implement strict access controls around webhook management permissions, limiting these capabilities to trusted administrators only. Additionally, monitoring and logging of webhook activities should be enhanced to detect anomalous behavior patterns that might indicate exploitation attempts. Security teams should also conduct thorough audits of existing webhook configurations to identify any potentially compromised setups. This vulnerability aligns with ATT&CK technique T1078 which covers valid accounts and privilege escalation through legitimate system access, demonstrating how insufficient authorization controls can enable attackers to operate under false identities within secure environments.