CVE-2026-9824 in Mattermostinfo

Summary

by MITRE • 07/13/2026

Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to check the manage_shared_channels permission in the /share-channel autocomplete handler, which allows an authenticated user without that permission to enumerate configured remote cluster connection metadata via slash command autocomplete.. Mattermost Advisory ID: MMSA-2026-00676

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/13/2026

This vulnerability exists in Mattermost server versions 11.7.x up to 11.7.2, 11.6.x up to 11.6.4, and 10.11.x up to 10.11.19 where the system fails to properly validate the manage_shared_channels permission within the /share-channel autocomplete handler. The flaw stems from insufficient authorization checks that allow any authenticated user to access remote cluster connection metadata through slash command autocomplete functionality. This represents a critical information disclosure vulnerability that violates fundamental security principles of least privilege and access control enforcement.

The technical implementation flaw occurs in the autocomplete handler for the /share-channel command where the system should verify whether the requesting user possesses the manage_shared_channels permission before exposing shared channel configuration details. According to CWE-284, this constitutes an improper access control vulnerability where insufficient permissions are checked during autocomplete operations. The vulnerability enables an authenticated attacker to enumerate metadata about remote cluster connections including connection names, endpoints, and potentially other sensitive configuration parameters that should only be accessible to users with appropriate administrative privileges.

From an operational impact perspective, this vulnerability allows attackers to gather intelligence about the organization's Mattermost infrastructure and shared channel configurations without requiring elevated permissions. The ATT&CK technique T1087.001 (Account Discovery) is facilitated through this vulnerability as it enables enumeration of cluster connections that may reveal network topology and integration points. An attacker could use this information to plan further attacks against the shared channel infrastructure or identify potential lateral movement opportunities within the Mattermost environment.

The security implications extend beyond simple information disclosure as this metadata could aid in crafting more targeted attacks against the shared channel ecosystem. Attackers might exploit the enumerated connection details to understand network configurations, identify potential attack vectors, or correlate with other reconnaissance data to map out the complete shared channel infrastructure landscape. Organizations using Mattermost with shared channels are particularly at risk since the vulnerability undermines the security boundaries that separate different cluster connections.

Organizations should immediately update their Mattermost installations to versions that address this permission validation flaw. The recommended mitigation strategy includes implementing proper authorization checks in the autocomplete handlers for all shared channel related commands and ensuring that only users with manage_shared_channels permission can access sensitive configuration metadata. Additionally, organizations should review their current shared channel configurations and monitor for any unauthorized access attempts. Network segmentation and additional logging of autocomplete operations can provide enhanced detection capabilities for potential exploitation attempts.

Responsible

Mattermost

Reservation

05/28/2026

Disclosure

07/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!