Zero Day Monitor (ZDM)

CVE-2026-28741 · CVSS 6.8 · Exploited · Patched
Vendor: mattermost · Product: mattermost

CSRF Protection Bypass Allows Updating a User's Authentication Method

Description

Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to validate CSRF tokens on an authentication endpoint which allows an attacker to update a user's authentication method via a CSRF attack by tricking a user into visiting a malicious page. Mattermost Advisory ID: MMSA-2026-00625

Affected Products

Vendor: mattermost
Product: mattermost
Versions: 10.11.0, 11.5.0, 11.4.0, 11.3.0

References

  • https://mattermost.com/security-updates (vendor advisory)

Related News (1 article)

  • VulDB · 5d ago · Tier C
    CVE-2026-28741 | Mattermost up to 10.11.12/11.3.2/11.4.2/11.5.0 cross-site request forgery
    → No new info (linked only)
CVSS 3.1: 6.8 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CISA KEV: No
Actively exploited: Yes
Patch available: 10.11.13, 11.5.1, 11.4.3, 11.3.3
CWE: CWE-352
Published: Apr 15, 2026
Last enriched: 5d ago (v2)
Trending Score: 21
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack


Related CVEs (5)

  • CVE-2026-3590 (HIGH, exploited) · Trending: 71
    Race Condition in Guest Magic Link Authentication Allows Token Reuse
  • CVE-2026-4265 (MEDIUM) · Trending: 13
    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack u
  • CVE-2026-3524 (HIGH, exploited) · Trending: 10
    Authorization Bypass in Mattermost Legal Hold Plugin Due to Missing Return After Permission Check
  • CVE-2026-27769 (LOW) · Trending: 10
    Connected Workspaces: Malicious remote server can manipulate arbitrary user's status
  • CVE-2026-24661 (LOW) · Trending: 9
    Unbounded Request Body Read in MS Teams Plugin {{/changes}} Webhook Endpoint


Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • CVE Published: Apr 15, 2026
  • Discovered by ZDM: Apr 15, 2026
  • Updated (activelyExploited): Apr 15, 2026
  • Actively Exploited: Apr 15, 2026
  • Patch Available: Apr 15, 2026

Version History

v2 · Tier C · 5d ago (last enriched 5d ago)
Updated exploit availability to false, marked as actively exploited, and set patch available to null.
Field changed: activelyExploited (via VulDB)

v1 · 5d ago
Initial creation