Zero Day Monitor © 2026
CVE-2026-27769 (PATCHED)
CVSS score: 2.7
Vendor: mattermost · Product: mattermost

Connected Workspaces: Malicious remote server can manipulate arbitrary user's status

Description

Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users are owned by the correct Connected Workspace, which allows a malicious remote server connected via the Connected Workspaces feature to change the displayed status of local users through the Connected Workspaces API. Mattermost Advisory ID: MMSA-2026-00603

Affected Products

Vendor: mattermost
Product: mattermost
Versions: 10.11.0

References

  • https://mattermost.com/security-updates (vendor-advisory)

Related News (1 article)

Tier C · VulDB · 5d ago
CVE-2026-27769 | Mattermost up to 10.11.12/11.4.x Connected Workspaces Feature authorization
→ No new info (linked only)
CVSS 3.1: 2.7 LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
CISA KEV: No
Actively exploited: No
Patch available: 11.5.0, 10.11.13
CWE: CWE-862
Published: Apr 15, 2026
Last enriched: 5d ago (v2)
Trending Score: 10
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack


Related CVEs (5)

HIGH · CVE-2026-3590 (EXP)
Race Condition in Guest Magic Link Authentication Allows Token Reuse
Trending: 72

MEDIUM · CVE-2026-28741 (EXP)
CSRF Protection Bypass Allows Updating a User's Authentication Method
Trending: 22

MEDIUM · CVE-2026-4265
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack u
Trending: 13

HIGH · CVE-2026-3524 (EXP)
Authorization Bypass in Mattermost Legal Hold Plugin Due to Missing Return After Permission Check
Trending: 10

LOW · CVE-2026-21388
Unbounded Request Body Read in MS Teams Plugin {{/lifecycle}} Webhook Endpoint
Trending: 9


Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 15, 2026
Discovered by ZDM: Apr 15, 2026
Updated (affectedVersions, severity): Apr 15, 2026
Patch Available: Apr 15, 2026

Version History

v2 · Last enriched 5d ago

v2 · Tier C · 5d ago
Updated affected versions to include 11.4.x, changed severity to MEDIUM, and noted that no exploit exists.
Fields changed: affectedVersions, severity
Source: via VulDB

v1 · 5d ago
Initial creation