CVE-2026-28735 Overview
CVE-2026-28735 affects multiple versions of Mattermost Server where the GitHub OAuth integration fails to validate token scopes on the callback. An authenticated Mattermost user can modify the scope parameter in the GitHub authorization URL to gain access to private repositories. The flaw is tracked under Mattermost Advisory ID MMSA-2026-00628 and classified as an authorization weakness [CWE-863]. Affected branches include Mattermost 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, and 10.11.x <= 10.11.14.
Critical Impact
Authenticated users can escalate OAuth privileges by tampering with the GitHub authorization scope parameter, exposing private repository contents.
Affected Products
- Mattermost Server 11.6.x versions <= 11.6.0
- Mattermost Server 11.5.x versions <= 11.5.3
- Mattermost Server 11.4.x versions <= 11.4.4
- Mattermost Server 10.11.x versions <= 10.11.14
Discovery Timeline
- 2026-05-22 - CVE-2026-28735 published to NVD
- 2026-05-22 - Last updated in NVD database
Technical Details for CVE-2026-28735
Vulnerability Analysis
The vulnerability resides in the GitHub OAuth integration flow within Mattermost Server. The application initiates an OAuth authorization request to GitHub but does not validate the scope returned in the access token on the callback endpoint. This omission allows an authenticated Mattermost user to manipulate the scope parameter within the outbound authorization URL. When GitHub issues a token reflecting the attacker-controlled scope, Mattermost accepts and uses it without comparing it to the expected scope set defined by the integration. The result is OAuth token confusion that grants broader access than the integration intends, including read access to private repositories belonging to the authenticating user.
Root Cause
The root cause is improper authorization [CWE-863] in the OAuth callback handler. Mattermost trusts the scope granted by the identity provider rather than enforcing the scopes the application originally requested. Without server-side validation comparing the issued token scope against the application's permitted scope list, scope expansion attacks succeed silently.
Attack Vector
The attack requires network access and a valid authenticated session on the Mattermost instance. The attacker initiates the GitHub OAuth linking flow, intercepts the redirect to GitHub, and modifies the scope query parameter to request additional permissions such as repo. After approving the consent screen, the resulting token carries the expanded scope. Mattermost stores and uses this token for subsequent GitHub API calls, allowing the attacker to enumerate and read private repository data through the integration.
No verified public proof-of-concept code is available. Refer to the Mattermost Security Updates advisory for additional technical context.
Detection Methods for CVE-2026-28735
Indicators of Compromise
- Unexpected GitHub OAuth tokens stored in Mattermost with scopes broader than the integration default, such as repo instead of public_repo.
- GitHub audit log entries showing access to private repositories originating from the Mattermost OAuth application client ID shortly after a user-initiated link action.
- Mattermost audit log entries showing repeated GitHub OAuth link or unlink operations from the same user account.
Detection Strategies
- Review the oauth records in the Mattermost database and compare stored token scopes against the integration's expected scope configuration.
- Correlate Mattermost user-link events with GitHub OAuth grant events to identify scope deltas between requested and granted permissions.
- Inspect proxy or web application firewall logs for OAuth authorization requests where the scope parameter deviates from the application baseline.
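The server-side scope comparison the Root Cause section calls for, together with the proxy-log scope check from the detection strategies above, as an added Go example that is not Mattermost's own code; the baseline scope set, the log line format and the function names are assumptions for this illustration.

```go
package main

import ("fmt"; "net/url"; "strings")

// Baseline scopes the integration is configured to request (assumed for this example).
var expectedScopes = map[string]bool{"public_repo": true, "read:user": true}
// unexpectedScopes parses a GitHub scope string (comma-separated in the token response,
// space-separated in the authorize URL) and returns every scope outside the baseline.
func unexpectedScopes(raw string) []string {
	var extra []string
	for _, s := range strings.FieldsFunc(raw, func(r rune) bool { return r == ',' || r == ' ' }) {
		if !expectedScopes[s] {
			extra = append(extra, s)
		}
	}
	return extra
}

// ValidateTokenScope is the server-side check the callback handler should run on the
// "scope" field of GitHub's access-token response before the token is stored.
func ValidateTokenScope(tokenScope string) error {
	if extra := unexpectedScopes(tokenScope); len(extra) > 0 {
		return fmt.Errorf("token carries unexpected scopes %v; refusing to store it", extra)
	}
	return nil
}

// FlagAuthorizeRequests returns the proxy log lines whose GitHub authorize URL carries a
// scope parameter that deviates from the baseline.
func FlagAuthorizeRequests(lines []string) []string {
	var hits []string
	for _, line := range lines {
		if i := strings.Index(line, "https://github.com/login/oauth/authorize?"); i >= 0 {
			u, err := url.Parse(strings.Fields(line[i:])[0])
			if err == nil && len(unexpectedScopes(u.Query().Get("scope"))) > 0 {
				hits = append(hits, line)
			}
		}
	}
	return hits
}

// Constructed proxy log lines (not real traffic); the second one requests full "repo".
var sampleProxyLog = []string{
	`2026-05-22T10:01:02Z user=alice GET https://github.com/login/oauth/authorize?client_id=EXAMPLE&scope=public_repo+read%3Auser&state=abc`,
	`2026-05-22T10:03:44Z user=mallory GET https://github.com/login/oauth/authorize?client_id=EXAMPLE&scope=repo+read%3Auser&state=def`,
}

func main() {
	fmt.Println(ValidateTokenScope("repo,read:user"), FlagAuthorizeRequests(sampleProxyLog))
}
```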
Monitoring Recommendations
- Enable GitHub organization audit log streaming and alert on oauth_authorization.create events tied to the Mattermost OAuth application with elevated scopes.
- Monitor Mattermost server logs for the GitHub plugin callback handler and flag entries where token exchange succeeds with non-standard scope values.
- Track outbound API calls from Mattermost to GitHub endpoints that require private repository scopes, such as GET /repos/{owner}/{repo}/contents.
How to Mitigate CVE-2026-28735
Immediate Actions Required
- Upgrade Mattermost Server to a fixed release above 11.6.0, 11.5.3, 11.4.4, or 10.11.14 based on the deployed branch.
- Revoke all existing GitHub OAuth tokens issued through the Mattermost integration and require users to re-link their accounts after patching.
- Audit GitHub organization access logs for any unauthorized private repository reads sourced from the Mattermost OAuth application.
Patch Information
Mattermost has released fixed versions addressing CVE-2026-28735. Consult the Mattermost Security Updates page and advisory MMSA-2026-00628 for the specific patched version numbers and upgrade instructions for each supported branch.
Workarounds
- Disable the GitHub plugin within Mattermost until the server is upgraded to a patched version.
- Restrict the GitHub OAuth application's permissible scopes at the GitHub organization level to deny repo scope grants for the Mattermost client ID.
- Enforce GitHub organization OAuth application access policies that require administrator approval before tokens can read private repositories.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.