Mattermost <10.11.12 Connected Workspace API Unauthorized Status Change
CVE-2026-27769 Published on April 15, 2026
Connected Workspaces: Malicious remote server can manipulate arbitrary user's status
Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Workspaces feature to change the displayed status of local users via the Connected Workspaces API.. Mattermost Advisory ID: MMSA-2026-00603
Vulnerability Analysis
CVE-2026-27769 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-27769 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2026-27769
Want to know whenever a new CVE is published for MatterMost? stack.watch will email you.
Affected Versions
Mattermost:- Version 10.11.0, <= 10.11.12 is affected.
- Version 11.5.0 is unaffected.
- Version 10.11.13 is unaffected.