
CVE-2026-28732: Mattermost doesn't enforce slash command trigger-word uniqueness during command updates

May 18, 2026 (updated June 1, 2026)

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 and 11.4.x <= 11.4.3 fail to enforce slash command trigger-word uniqueness during command updates. This allows an authenticated team member with the Manage Own Slash Commands permission to hijack and impersonate existing system or custom slash commands by editing the trigger of their own slash command to an already-registered trigger through the command update API. Mattermost Advisory ID: MMSA-2026-00597
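As an added illustration of the missing check (example code, not Mattermost's own), a toy Go slash-command registry whose update path applies the same trigger-uniqueness rule that creation does. The Command and Registry types, the per-team scoping of custom commands, and the case-insensitive comparison are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Command is a simplified slash-command record; the field names are
// assumptions for this example, not Mattermost's own types.
type Command struct {
	ID, TeamID, Trigger string
	BuiltIn             bool // system command, available in every team
}

type Registry map[string]*Command // command ID -> command
var ErrTriggerTaken = errors.New("trigger word already registered")

// triggerInUse reports whether a built-in command or another command in the
// same team already owns trigger. selfID is skipped so a command may keep its
// own trigger on update. Case-insensitive comparison is an assumption.
func (r Registry) triggerInUse(teamID, trigger, selfID string) bool {
	for _, c := range r {
		if c.ID != selfID && (c.BuiltIn || c.TeamID == teamID) &&
			strings.EqualFold(c.Trigger, trigger) {
			return true
		}
	}
	return false
}

// UpdateTrigger enforces on update the same uniqueness rule as creation; the
// flawed update path amounts to this function minus the triggerInUse check.
func (r Registry) UpdateTrigger(id, trigger string) error {
	c, ok := r[id]
	if !ok {
		return errors.New("command not found")
	}
	if r.triggerInUse(c.TeamID, trigger, id) {
		return ErrTriggerTaken
	}
	c.Trigger = trigger
	return nil
}

func main() {
	r := Registry{"sys": {ID: "sys", Trigger: "echo", BuiltIn: true}, "c1": {ID: "c1", TeamID: "t1", Trigger: "hello"}}
	fmt.Println(r.UpdateTrigger("c1", "echo")) // trigger word already registered
}
```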

References

  • github.com/advisories/GHSA-wvcv-9xpm-7mqc
  • github.com/mattermost/mattermost/commit/f5fe8ded6b633db7804ae25b42ea12ce635d6ea6
  • mattermost.com/security-updates
  • nvd.nist.gov/vuln/detail/CVE-2026-28732


Affected versions

All versions before 5.3.2-0.20260306123948-f5fe8ded6b63

Fixed versions

  • 5.3.2-0.20260306123948-f5fe8ded6b63

Solution

Upgrade to version 5.3.2-0.20260306123948-f5fe8ded6b63 or above.

Impact

4.3 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N


Weakness

  • CWE-863: Incorrect Authorization

Source file

go/github.com/mattermost/mattermost-server/CVE-2026-28732.yml


Page generated Tue, 23 Jun 2026 12:24:14 +0000.