{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27656", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2026-02-23T22:07:32.808Z", "datePublished": "2026-03-25T16:28:29.739Z", "dateUpdated": "2026-03-26T13:19:52.338Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "11.4.0", "status": "affected", "version": "11.4.0", "versionType": "semver"}, {"lessThanOrEqual": "11.3.1", "status": "affected", "version": "11.3.0", "versionType": "semver"}, {"lessThanOrEqual": "11.2.3", "status": "affected", "version": "11.2.0", "versionType": "semver"}, {"lessThanOrEqual": "10.11.11", "status": "affected", "version": "10.11.0", "versionType": "semver"}, {"version": "11.5.0", "status": "unaffected"}, {"version": "11.4.1", "status": "unaffected"}, {"version": "11.3.2", "status": "unaffected"}, {"version": "11.2.4", "status": "unaffected"}, {"version": "10.11.12", "status": "unaffected"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Christopher Poile"}], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to properly validate user identity in the OpenID {{IsSameUser()}} comparison logic, which allows an attacker to take over arbitrary user accounts via an overly permissive substring matching flaw in the user discovery flow.. Mattermost Advisory ID: MMSA-2026-00590"}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N", "baseSeverity": "MEDIUM", "baseScore": 5.7}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-303: Incorrect Implementation of Authentication Algorithm", "cweId": "CWE-303"}]}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2026-00590", "tags": ["vendor-advisory"]}], "solutions": [{"value": "Update Mattermost to versions 11.5.0, 11.4.1, 11.3.2, 11.2.4, 10.11.12 or higher.", "lang": "en"}], "source": {"advisory": "MMSA-2026-00590", "defect": ["https://mattermost.atlassian.net/browse/MM-67181"], "discovery": "{\"self\"=>\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=>\"Internal\", \"id\"=>\"10557\"}"}, "title": "Account Takeover via Substring Matching in OpenID Connect Authentication", "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-03-25T16:28:29.739Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T03:55:33.452102Z", "id": "CVE-2026-27656", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:19:52.338Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27656", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T03:55:33.452102Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:19:49.531Z"}}], "cna": {"title": "Account Takeover via Substring Matching in OpenID Connect Authentication", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-67181"], "advisory": "MMSA-2026-00590", "discovery": "{\"self\"=>\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=>\"Internal\", \"id\"=>\"10557\"}"}, "credits": [{"lang": "en", "type": "finder", "value": "Christopher Poile"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "11.4.0", "versionType": "semver", "lessThanOrEqual": "11.4.0"}, {"status": "affected", "version": "11.3.0", "versionType": "semver", "lessThanOrEqual": "11.3.1"}, {"status": "affected", "version": "11.2.0", "versionType": "semver", "lessThanOrEqual": "11.2.3"}, {"status": "affected", "version": "10.11.0", "versionType": "semver", "lessThanOrEqual": "10.11.11"}, {"status": "unaffected", "version": "11.5.0"}, {"status": "unaffected", "version": "11.4.1"}, {"status": "unaffected", "version": "11.3.2"}, {"status": "unaffected", "version": "11.2.4"}, {"status": "unaffected", "version": "10.11.12"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost to versions 11.5.0, 11.4.1, 11.3.2, 11.2.4, 10.11.12 or higher."}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2026-00590", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to properly validate user identity in the OpenID {{IsSameUser()}} comparison logic, which allows an attacker to take over arbitrary user accounts via an overly permissive substring matching flaw in the user discovery flow.. Mattermost Advisory ID: MMSA-2026-00590"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-303", "description": "CWE-303: Incorrect Implementation of Authentication Algorithm"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-03-25T16:28:29.739Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27656", "state": "PUBLISHED", "dateUpdated": "2026-03-26T13:19:52.338Z", "dateReserved": "2026-02-23T22:07:32.808Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2026-03-25T16:28:29.739Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D144BD1D-F65C-498D-BC8A-F3D718F47F4B", "versionEndExcluding": "10.11.12", "versionStartIncluding": "10.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "2E3E9B61-F003-45E4-9A04-8015A5CB8558", "versionEndExcluding": "11.2.4", "versionStartIncluding": "11.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "805ECFFC-82FD-4754-AF95-32167E1D41CB", "versionEndExcluding": "11.3.2", "versionStartIncluding": "11.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "839BC7B7-28DF-4125-937A-8B0D2D6893C2", "versionEndExcluding": "11.4.1", "versionStartIncluding": "11.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to properly validate user identity in the OpenID {{IsSameUser()}} comparison logic, which allows an attacker to take over arbitrary user accounts via an overly permissive substring matching flaw in the user discovery flow.. Mattermost Advisory ID: MMSA-2026-00590"}, {"lang": "es", "value": "Las versiones de Mattermost 11.4.x &lt;= 11.4.0, 11.3.x &lt;= 11.3.1, 11.2.x &lt;= 11.2.3, 10.11.x &lt;= 10.11.11 no validan correctamente la identidad del usuario en la l\u00f3gica de comparaci\u00f3n OpenID {{IsSameUser()}}, lo que permite a un atacante tomar el control de cuentas de usuario arbitrarias a trav\u00e9s de un fallo de coincidencia de subcadenas excesivamente permisivo en el flujo de descubrimiento de usuarios. ID de aviso de Mattermost: MMSA-2026-00590"}], "id": "CVE-2026-27656", "lastModified": "2026-03-26T18:51:38.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.2, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T17:16:56.797", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-303"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.4.0]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.3.1]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.2.3]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,10.11.11]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.5.0"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.4.1"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.3.2"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.2.4"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "10.11.12"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Mattermost", "source": "cna", "vendor": "Mattermost"}, "product": "mattermost", "vendor": "mattermost"}], "analysis": {"en": {"generated_at": "2026-03-26T20:55:35.262064+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch by upgrading Mattermost Server to 11.5.0 or later, or to the latest 11.4.x/11.3.x/11.2.x/10.11.x releases.", "Verify that the OpenID Connect configuration enforces strict user identity checks and that any custom authentication providers are updated.", "Monitor authentication logs for unusual account impersonation attempts."], "summary": {"action": "Patch Now", "impact": "Account Takeover"}, "threat_synthesis": {"affected_systems": "Affected vendors and products include Mattermost, specifically Mattermost Server versions up to 11.4.0, 11.3.1, 11.2.3, and 10.11.11. Updates to 11.5.0, 11.4.1, 11.3.2, 11.2.4, or 10.11.12 and later eliminate the flaw.", "description_and_impact": "An authentication flaw in Mattermost server versions 10.11.x through 11.4.x causes the OpenID Connect identity comparison logic to perform an over permissive substring match, allowing attackers to impersonate any user. This results in unauthorized account takeover that can expose sensitive data, allow post creation, or facilitate further attacks. The weakness is categorized as improper authentication (CWE\u2011303).", "risk_and_exploitability": "The CVSS base score is 5.7 indicating medium severity, while the EPSS score is below 1\u202f% showing a relatively low likelihood of current exploitation. It is not listed in the CISA KEV catalog. Exploitation requires only remote access to the OpenID Connect authentication flow and the ability to craft a discovery request that includes a username substring of the target, making the attack feasible in many environments."}}}}, "created": "2026-03-25T21:46:58.255160+00:00", "updated": "2026-03-27T09:30:33.711729+00:00", "vendors": ["mattermost", "mattermost$PRODUCT$mattermost"]}