CVE-2026-28735
MEDIUM
mattermost
mattermost_server
NVD
CVSS Score
5.4
Severity
MEDIUM
Published
May 22, 2026
Vendor
mattermost
Description
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4 and 10.11.x <= 10.11.14 fail to validate the OAuth token scope on the callback, which allows an authenticated Mattermost user to gain access to private repositories by modifying the scope parameter in the GitHub authorization URL. Mattermost Advisory ID: MMSA-2026-00628
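The bug class in this advisory is a callback handler that accepts whatever scope the provider actually granted, even though the scope in the authorization URL is under the browser's (and therefore the user's) control. The Go program below is an added illustration, not Mattermost's code and not the patch: it builds the authorization URL server-side so the scope parameter never comes from client input, and contrasts a callback that stores the token unconditionally with one that rejects a grant wider than the fixed set the server asked for. All names (`requestedScopes`, `vulnerableCallback`, `hardenedCallback`, the sample token JSON) are hypothetical and constructed for the example; the `scope` field and its comma-separated format match what GitHub's access-token endpoint returns.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// tokenResponse holds the fields GitHub's access-token endpoint returns.
// "scope" is the comma-separated list of scopes actually granted, which
// reflects whatever the browser sent to /authorize, not what the server
// intended. (Hypothetical example type, not Mattermost code.)
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	Scope       string `json:"scope"`
}

// requestedScopes is the only scope set this integration needs. "repo"
// would also grant private repository access and must never be accepted.
var requestedScopes = []string{"public_repo", "read:user"}

var ErrScopeEscalation = errors.New("oauth: granted scopes exceed requested scopes")

// buildAuthorizeURL constructs the GitHub authorization URL server-side so
// the scope parameter is never taken from client-supplied input.
func buildAuthorizeURL(clientID, state string) string {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("scope", strings.Join(requestedScopes, " ")) // space-separated on /authorize
	q.Set("state", state)
	return "https://github.com/login/oauth/authorize?" + q.Encode()
}

// parseGrantedScopes splits the comma-separated scope string from the
// token response, trimming whitespace and dropping empty entries.
func parseGrantedScopes(s string) []string {
	var out []string
	for _, sc := range strings.Split(s, ",") {
		if sc = strings.TrimSpace(sc); sc != "" {
			out = append(out, sc)
		}
	}
	return out
}

// validateGrantedScopes returns ErrScopeEscalation if any granted scope is
// not in the requested set. An exact allow-list is used deliberately: GitHub
// scopes form a hierarchy (repo implies public_repo), so "contains what we
// asked for" is not an acceptable test.
func validateGrantedScopes(granted string, requested []string) error {
	allowed := make(map[string]bool, len(requested))
	for _, r := range requested {
		allowed[r] = true
	}
	for _, g := range parseGrantedScopes(granted) {
		if !allowed[g] {
			return fmt.Errorf("%w: %q", ErrScopeEscalation, g)
		}
	}
	return nil
}

// vulnerableCallback mirrors the bug class: it keeps the token as soon as
// the exchange succeeds, regardless of the scope GitHub actually granted.
func vulnerableCallback(tokenBody []byte) (string, error) {
	var tr tokenResponse
	if err := json.Unmarshal(tokenBody, &tr); err != nil {
		return "", err
	}
	return tr.AccessToken, nil
}

// hardenedCallback performs the same exchange but refuses to keep a token
// whose granted scope is wider than the server requested.
func hardenedCallback(tokenBody []byte) (string, error) {
	var tr tokenResponse
	if err := json.Unmarshal(tokenBody, &tr); err != nil {
		return "", err
	}
	if err := validateGrantedScopes(tr.Scope, requestedScopes); err != nil {
		return "", err
	}
	return tr.AccessToken, nil
}

func main() {
	// Constructed token response, as GitHub would return it after the user
	// changed scope=public_repo to scope=repo in the authorization URL.
	escalated := []byte(`{"access_token":"gho_example","token_type":"bearer","scope":"repo,read:user"}`)
	fmt.Println(buildAuthorizeURL("client-id", "state-nonce"))
	tok, err := vulnerableCallback(escalated)
	fmt.Printf("vulnerable: token=%q err=%v\n", tok, err)
	tok, err = hardenedCallback(escalated)
	fmt.Printf("hardened:   token=%q err=%v\n", tok, err)
}
```

Run with `go run .`; the vulnerable path returns the token, the hardened path returns `ErrScopeEscalation` for the `repo` scope. The check should also be repeated on every stored token, since GitHub reports a token's effective scopes in the `X-OAuth-Scopes` response header on API calls, and a scope granted at callback time is the one the token keeps for its lifetime.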