Vulnerability DatabaseCVE-2026-5163
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-5163
Published:May 18, 2026
Updated:June 11, 2026
Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite endpoint.. Mattermost Advisory ID: MMSA-2026-00645
Affected Packages
https://github.com/mattermost/mattermost.git (GITHUB):
Affected version(s) >=v11.5.0 <v11.5.2
Fix Suggestion:
Update to version v11.5.2
github.com/mattermost/mattermost (GO):
Affected version(s) >=v11.5.0 <v11.5.2
Fix Suggestion:
Update to version v11.5.2
github.com/mattermost/mattermost/server/v8 (GO):
Affected version(s) >=v8.0.0-20230429093631-aac4f2337933 <v8.0.0-20260401090745-f4d1abe7e8f5
Fix Suggestion:
Update to version v8.0.0-20260401090745-f4d1abe7e8f5
Related Resources (4)
https://github.com/mattermost/mattermost
https://nvd.nist.gov/vuln/detail/CVE-2026-5163
https://mattermost.com/security-updates
https://github.com/mattermost/mattermost/commit/f4d1abe7e8f545f1a87f463fa9fe451c731aebf8
Do you need more information?
Contact Us
CVSS v4
Base Score:
7.1
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Missing Authorization
CWE-862
EPSS
Base Score:
0.04