{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28735", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2026-03-10T13:45:39.998Z", "datePublished": "2026-05-22T16:26:04.066Z", "dateUpdated": "2026-05-22T16:56:09.671Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "11.6.0", "status": "affected", "version": "11.6.0", "versionType": "semver"}, {"lessThanOrEqual": "11.5.3", "status": "affected", "version": "11.5.0", "versionType": "semver"}, {"lessThanOrEqual": "11.4.4", "status": "affected", "version": "11.4.0", "versionType": "semver"}, {"lessThanOrEqual": "10.11.14", "status": "affected", "version": "10.11.0", "versionType": "semver"}, {"version": "11.7.0", "status": "unaffected"}, {"version": "11.6.1", "status": "unaffected"}, {"version": "11.5.4", "status": "unaffected"}, {"version": "11.4.5", "status": "unaffected"}, {"version": "10.11.15", "status": "unaffected"}]}], "credits": [{"lang": "en", "type": "finder", "value": "eahmed"}], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the OAuth token scope on the callback which allows an authenticated Mattermost user to gain access to private repositories via modifying the scope parameter in the GitHub authorization URL.. Mattermost Advisory ID: MMSA-2026-00628"}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseSeverity": "MEDIUM", "baseScore": 5.4}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-863: Incorrect Authorization", "cweId": "CWE-863"}]}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2026-00628", "tags": ["vendor-advisory"]}], "solutions": [{"value": "Update Mattermost to versions 11.7.0, 11.6.1, 11.5.4, 11.4.5, 10.11.15 or higher.", "lang": "en"}], "source": {"advisory": "MMSA-2026-00628", "defect": ["https://mattermost.atlassian.net/browse/MM-67857"], "discovery": "EXTERNAL"}, "title": "GitHub OAuth Scope Validation", "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-05-22T16:26:04.066Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-22T16:55:25.541191Z", "id": "CVE-2026-28735", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-22T16:56:09.671Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28735", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-22T16:55:25.541191Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-22T16:55:49.531Z"}}], "cna": {"title": "GitHub OAuth Scope Validation", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-67857"], "advisory": "MMSA-2026-00628", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "eahmed"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "11.6.0", "versionType": "semver", "lessThanOrEqual": "11.6.0"}, {"status": "affected", "version": "11.5.0", "versionType": "semver", "lessThanOrEqual": "11.5.3"}, {"status": "affected", "version": "11.4.0", "versionType": "semver", "lessThanOrEqual": "11.4.4"}, {"status": "affected", "version": "10.11.0", "versionType": "semver", "lessThanOrEqual": "10.11.14"}, {"status": "unaffected", "version": "11.7.0"}, {"status": "unaffected", "version": "11.6.1"}, {"status": "unaffected", "version": "11.5.4"}, {"status": "unaffected", "version": "11.4.5"}, {"status": "unaffected", "version": "10.11.15"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost to versions 11.7.0, 11.6.1, 11.5.4, 11.4.5, 10.11.15 or higher."}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2026-00628", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the OAuth token scope on the callback which allows an authenticated Mattermost user to gain access to private repositories via modifying the scope parameter in the GitHub authorization URL.. Mattermost Advisory ID: MMSA-2026-00628"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-05-22T16:26:04.066Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28735", "state": "PUBLISHED", "dateUpdated": "2026-05-22T16:56:09.671Z", "dateReserved": "2026-03-10T13:45:39.998Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2026-05-22T16:26:04.066Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.2"}

{}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.6.0]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.5.3]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.4.4]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,10.11.14]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.7.0"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.6.1"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.5.4"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.4.5"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "10.11.15"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Mattermost", "source": "cna", "vendor": "Mattermost"}, "product": "mattermost", "vendor": "mattermost"}], "created": "2026-05-22T17:30:05.959315+00:00", "updated": "2026-05-22T17:30:06.235333+00:00", "vendors": ["mattermost", "mattermost$PRODUCT$mattermost"]}