CVE-2026-28741 | THREATINT

Description

Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to validate CSRF tokens on an authentication endpoint which allows an attacker to update a user's authentication method via a CSRF attack by tricking a user into visiting a malicious page. Mattermost Advisory ID: MMSA-2026-00625

PUBLISHED Reserved 2026-03-10 | Published 2026-04-15 | Updated 2026-04-15 | Assigner Mattermost

MEDIUM: 6.8CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Problem types

CWE-352: Cross-Site Request Forgery (CSRF)

Product status

Default status

unaffected

10.11.0 (semver)

affected

11.5.0 (semver)

affected

11.4.0 (semver)

affected

11.3.0 (semver)

affected

10.11.13

unaffected

11.5.1

unaffected

11.4.3

unaffected

11.3.3

unaffected

Credits

Eva Sarafianou finder

References

mattermost.com/security-updates (MMSA-2026-00625) vendor-advisory

cve.org (CVE-2026-28741)

nvd.nist.gov (CVE-2026-28741)

Download JSON