{"api_version":"1","generated_at":"2026-06-02T17:31:17+00:00","cve":"CVE-2026-28732","urls":{"html":"https://cve.report/CVE-2026-28732","api":"https://cve.report/api/cve/CVE-2026-28732.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-28732","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-28732"},"summary":{"title":"Slash command trigger-word update allowed command hijacking","description":"Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to enforce slash command trigger-word uniqueness during command updates which allows an authenticated team member with Manage Own Slash Commands permission to hijack and impersonate existing system or custom slash commands via editing their own slash command trigger to an already-registered trigger through the command update API. Mattermost Advisory ID: MMSA-2026-00597","state":"PUBLISHED","assigner":"Mattermost","published_at":"2026-05-18 09:16:22","updated_at":"2026-05-19 17:18:19"},"problem_types":["CWE-863","CWE-863 CWE-863: Incorrect Authorization"],"metrics":[{"version":"3.1","source":"responsibledisclosure@mattermost.com","type":"Secondary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://mattermost.com/security-updates","name":"https://mattermost.com/security-updates","refsource":"responsibledisclosure@mattermost.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-28732","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28732","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"affected 11.5.0 11.5.1 semver","platforms":[]},{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"affected 10.11.0 10.11.13 semver","platforms":[]},{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"affected 11.4.0 11.4.3 semver","platforms":[]},{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"unaffected 11.6.0","platforms":[]},{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"unaffected 11.5.2","platforms":[]},{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"unaffected 10.11.14","platforms":[]},{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"unaffected 11.4.4","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Update Mattermost to versions 11.6.0, 11.5.2, 10.11.14, 11.4.4 or higher.","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"mr_anksec","lang":"en"}],"nvd_cpes":[{"cve_year":"2026","cve_id":"28732","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mattermost","cpe5":"mattermost_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"28732","cve":"CVE-2026-28732","epss":"0.000310000","percentile":"0.092620000","score_date":"2026-05-26","updated_at":"2026-05-27 00:01:53"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-28732","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-05-18T14:37:24.384871Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-05-18T14:37:33.547Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Mattermost","vendor":"Mattermost","versions":[{"lessThanOrEqual":"11.5.1","status":"affected","version":"11.5.0","versionType":"semver"},{"lessThanOrEqual":"10.11.13","status":"affected","version":"10.11.0","versionType":"semver"},{"lessThanOrEqual":"11.4.3","status":"affected","version":"11.4.0","versionType":"semver"},{"status":"unaffected","version":"11.6.0"},{"status":"unaffected","version":"11.5.2"},{"status":"unaffected","version":"10.11.14"},{"status":"unaffected","version":"11.4.4"}]}],"credits":[{"lang":"en","type":"finder","value":"mr_anksec"}],"descriptions":[{"lang":"en","value":"Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to enforce slash command trigger-word uniqueness during command updates which allows an authenticated team member with Manage Own Slash Commands permission to hijack and impersonate existing system or custom slash commands via editing their own slash command trigger to an already-registered trigger through the command update API. Mattermost Advisory ID: MMSA-2026-00597"}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-863","description":"CWE-863: Incorrect Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-18T08:35:40.393Z","orgId":"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee","shortName":"Mattermost"},"references":[{"name":"MMSA-2026-00597","tags":["vendor-advisory"],"url":"https://mattermost.com/security-updates"}],"solutions":[{"lang":"en","value":"Update Mattermost to versions 11.6.0, 11.5.2, 10.11.14, 11.4.4 or higher."}],"source":{"advisory":"MMSA-2026-00597","defect":["https://mattermost.atlassian.net/browse/MM-67376"],"discovery":"EXTERNAL"},"title":"Slash command trigger-word update allowed command hijacking","x_generator":{"engine":"cvelib 1.8.0"}}},"cveMetadata":{"assignerOrgId":"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee","assignerShortName":"Mattermost","cveId":"CVE-2026-28732","datePublished":"2026-05-18T08:35:40.393Z","dateReserved":"2026-03-16T08:51:03.263Z","dateUpdated":"2026-05-18T14:37:33.547Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-18 09:16:22","lastModifiedDate":"2026-05-19 17:18:19","problem_types":["CWE-863","CWE-863 CWE-863: Incorrect Authorization"],"metrics":{"cvssMetricV31":[{"source":"responsibledisclosure@mattermost.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*","versionStartIncluding":"10.11.0","versionEndExcluding":"10.11.14","matchCriteriaId":"413D9405-79C3-4299-B0DC-40D9EE5CC717"},{"vulnerable":true,"criteria":"cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*","versionStartIncluding":"11.4.0","versionEndExcluding":"11.4.4","matchCriteriaId":"CF171039-837A-4D23-87EB-F328AD04976C"},{"vulnerable":true,"criteria":"cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*","versionStartIncluding":"11.5.0","versionEndExcluding":"11.5.2","matchCriteriaId":"726AD6AD-6C01-45BB-9115-B8209717A6D4"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"28732","Ordinal":"1","Title":"Slash command trigger-word update allowed command hijacking","CVE":"CVE-2026-28732","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"28732","Ordinal":"1","NoteData":"Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to enforce slash command trigger-word uniqueness during command updates which allows an authenticated team member with Manage Own Slash Commands permission to hijack and impersonate existing system or custom slash commands via editing their own slash command trigger to an already-registered trigger through the command update API. Mattermost Advisory ID: MMSA-2026-00597","Type":"Description","Title":"Slash command trigger-word update allowed command hijacking"}]}}}