
Commit ead9689

1 parent 9e05426 commit ead9689

4 files changed

Lines changed: 263 additions & 72 deletions


Lines changed: 122 additions & 0 deletions
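--- /dev/null
+++ b/GHSA-82j6-4fq7-fx62.json
@@ -0,0 +1,122 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-82j6-4fq7-fx62",
+"modified": "2026-06-01T15:44:49Z",
+"published": "2026-05-18T09:31:48Z",
+"aliases": [
+"CVE-2026-6347"
+],
+"summary": "Mattermost doesn't sanitize sensitive configuration fields in the Mattermost Calls plugin ",
+"details": "Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present in the exported plugin configuration.. Mattermost Advisory ID: MMSA-2026-00605",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/mattermost/mattermost-server"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "11.5.0"
+},
+{
+"fixed": "11.5.2"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/mattermost/mattermost-server"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "10.11.0"
+},
+{
+"fixed": "10.11.14"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/mattermost/mattermost-server"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "11.4.0"
+},
+{
+"fixed": "11.4.4"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/mattermost/mattermost-plugin-calls"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "1.12.0-rc2"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6347"
+},
+{
+"type": "WEB",
+"url": "https://github.com/mattermost/mattermost-plugin-calls/commit/d48893c8558e5a61f5fdd188bbee5ec7cb73887b"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/mattermost/mattermost"
+},
+{
+"type": "WEB",
+"url": "https://mattermost.com/security-updates"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-200"
+],
+"severity": "HIGH",
+"github_reviewed": true,
+"github_reviewed_at": "2026-06-01T15:44:48Z",
+"nvd_published_at": "2026-05-18T09:16:24Z"
+}
+}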
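Review bot: The `summary` value carries a trailing space (`...Calls plugin "`) and the `details` value ends its first sentence with a doubled period before the advisory ID (`configuration.. Mattermost Advisory ID`), which every downstream renderer and deduplication tool will reproduce verbatim; I would trim them to `"summary": "Mattermost doesn't sanitize sensitive configuration fields in the Mattermost Calls plugin",` and `...exported plugin configuration. Mattermost Advisory ID: MMSA-2026-00605`. Separately, the three server ranges in this file (11.5.0–11.5.2, 10.11.0–10.11.14, 11.4.0–11.4.4) are attached to `github.com/mattermost/mattermost-server`, while the second file in this commit (GHSA-8h9w-w78c-vvr3) attaches the identical ranges to `github.com/mattermost/mattermost/server/v8`. Module-path matchers such as govulncheck key on the exact path, so presumably only one of the two spellings will match real builds, and which module the 11.x tags resolve to is worth confirming before merge. The pre-release boundary `"fixed": "1.12.0-rc2"` on the Calls plugin is fine under semver ordering, since 1.12.0 final sorts above it and is treated as fixed.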
Lines changed: 141 additions & 0 deletions
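--- /dev/null
+++ b/GHSA-8h9w-w78c-vvr3.json
@@ -0,0 +1,141 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-8h9w-w78c-vvr3",
+"modified": "2026-06-01T15:48:10Z",
+"published": "2026-05-18T09:31:47Z",
+"aliases": [
+"CVE-2026-28759"
+],
+"summary": "Mattermost does not verify remote cluster channel access when processing shared channel membership removals",
+"details": "Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel, including private channels, via crafted membership sync messages targeting channels the remote cluster is not authorized to access. Mattermost Advisory ID: MMSA-2026-00576.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/mattermost/mattermost/server/v8"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "11.5.0"
+},
+{
+"fixed": "11.5.2"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/mattermost/mattermost/server/v8"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "10.11.0"
+},
+{
+"fixed": "10.11.14"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/mattermost/mattermost/server/v8"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "11.4.0"
+},
+{
+"fixed": "11.4.4"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/mattermost/mattermost/server/v8"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "8.0.0-20260216150504-8738f8c4b3d4"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/mattermost/mattermost-server"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "5.3.2-0.20260216150504-8738f8c4b3d4"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28759"
+},
+{
+"type": "WEB",
+"url": "https://github.com/mattermost/mattermost/commit/8738f8c4b3d42b2b687a6231e72f313357a2e891"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/mattermost/mattermost"
+},
+{
+"type": "WEB",
+"url": "https://mattermost.com/security-updates"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-863"
+],
+"severity": "MODERATE",
+"github_reviewed": true,
+"github_reviewed_at": "2026-06-01T15:48:10Z",
+"nvd_published_at": "2026-05-18T08:16:13Z"
+}
+}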
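Review bot: The four `github.com/mattermost/mattermost/server/v8` ranges together leave a gap that an OSV consumer will read as "not affected": `[0, 8.0.0-20260216150504-8738f8c4b3d4)` covers pseudo-versions, and the next range only starts at `10.11.0`, so any 10.x build before 10.11.0 (and anything between the pseudo-version and 10.11.0) is silently classified as unaffected. Given the `details` text only enumerates the supported 11.5.x, 10.11.x and 11.4.x lines, that gap presumably means "out of support, never fixed" rather than "not vulnerable", and scanners cannot tell the difference from this data. If that is the intent, a range `{"introduced": "0"}, {"fixed": "10.11.14"}` (or a matching note in `database_specific`) would state it explicitly; the first file in this commit (GHSA-82j6-4fq7-fx62) has the same shape for its `mattermost-server` ranges. The `CWE-863` / `MODERATE` classification is consistent with the `I:L`-only CVSS vector on the page.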

advisories/unreviewed/2026/05/GHSA-82j6-4fq7-fx62/GHSA-82j6-4fq7-fx62.json

Lines changed: 0 additions & 36 deletions
This file was deleted.

advisories/unreviewed/2026/05/GHSA-8h9w-w78c-vvr3/GHSA-8h9w-w78c-vvr3.json

Lines changed: 0 additions & 36 deletions
This file was deleted.
