CVE-2026-28759: Mattermost does not verify remote cluster channel access when processing shared channel membership removals

May 18, 2026 (updated June 1, 2026)

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel, including private channels, via crafted membership sync messages targeting channels the remote cluster is not authorized to access. Mattermost Advisory ID: MMSA-2026-00576.

References

github.com/advisories/GHSA-8h9w-w78c-vvr3
github.com/mattermost/mattermost/commit/8738f8c4b3d42b2b687a6231e72f313357a2e891
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2026-28759

Code Behaviors & Features

Detect and mitigate CVE-2026-28759 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →