Mattermost <=11.5.1: AI Rewrite Bypasses Channel Membership (CVE-2026-5163)
CVE-2026-5163 Published on May 18, 2026
Missing authorization check in AI message rewrite endpoint allows access to private thread content
Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite endpoint.. Mattermost Advisory ID: MMSA-2026-00645
Vulnerability Analysis
CVE-2026-5163 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-5163 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2026-5163
Want to know whenever a new CVE is published for MatterMost? stack.watch will email you.
Affected Versions
Mattermost:- Version 11.5.0, <= 11.5.1 is affected.
- Version 11.6.0 is unaffected.
- Version 11.5.2 is unaffected.