CVE-2026-6062 Overview
CVE-2026-6062 is an authorization flaw in Mattermost Server that allows authenticated attackers to hijack channel subscriptions they should not control. The vulnerability stems from missing channel ownership validation on the subscription edit endpoint. An attacker can issue a crafted PUT request to modify subscriptions tied to channels they have no access to. Mattermost tracks this issue as advisory MMSA-2026-00650 and classifies the root cause under [CWE-639] Authorization Bypass Through User-Controlled Key. The flaw affects multiple supported release branches, including 11.7.x, 11.6.x, 11.5.x, and 10.11.x.
Critical Impact
Authenticated users can hijack and modify subscriptions belonging to channels outside their access, enabling unauthorized data routing and integrity tampering across collaboration workspaces.
Affected Products
- Mattermost Server versions 11.7.x up to and including 11.7.0
- Mattermost Server versions 11.6.x up to and including 11.6.2, and 11.5.x up to and including 11.5.5
- Mattermost Server versions 10.11.x up to and including 10.11.17
Discovery Timeline
- 2026-06-22 - CVE-2026-6062 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2026-6062
Vulnerability Analysis
The vulnerability resides in the Mattermost subscription edit endpoint. When a client submits a PUT request to modify an existing subscription, the server applies the requested changes without verifying that the requesting user has access to the channel that owns the subscription. Authorization is enforced on the subscription identifier alone, not on the relationship between the user and the parent channel. An authenticated attacker who can enumerate or guess valid subscription identifiers can repoint, alter, or disable subscriptions tied to private channels. The result is a broken access control issue affecting confidentiality and integrity of channel-bound integrations such as webhooks, alerting subscriptions, and notification routing.
Root Cause
The root cause is improper authorization mapped to [CWE-639]. The subscription edit handler trusts the subscription identifier supplied by the client and skips a channel-membership check before persisting changes. Because the server treats the subscription ID as the sole authorization key, any authenticated user can address subscriptions outside their permitted scope.
Attack Vector
Exploitation requires network access to the Mattermost API and a valid authenticated session. The attacker crafts a PUT request to the subscription edit endpoint referencing a subscription belonging to a restricted channel. The server applies the edit without validating channel membership, completing the hijack. No user interaction is required from the legitimate channel members.
No verified public proof-of-concept code is available. See the Mattermost Security Updates advisory for vendor-supplied technical details.
Detection Methods for CVE-2026-6062
Indicators of Compromise
- Unexpected PUT requests to subscription edit endpoints originating from user accounts that are not members of the target channel.
- Audit log entries showing subscription configuration changes performed by users who lack membership in the associated channel.
- Subscriptions whose destination URLs, filters, or owners change without a corresponding administrative action.
Detection Strategies
- Correlate Mattermost API audit logs against channel membership records to flag subscription edits performed by non-members.
- Baseline normal subscription edit volume per user and alert on deviations, particularly bursts of PUT requests against many subscription IDs.
- Inspect web server and reverse proxy logs for sequential subscription ID enumeration patterns against the edit endpoint.
Monitoring Recommendations
- Forward Mattermost application and audit logs to a centralized analytics platform for longitudinal review.
- Monitor outbound webhook destinations referenced by subscriptions for unexpected hosts after edits occur.
- Track authentication anomalies that precede subscription modifications, such as logins from new geolocations or clients.
How to Mitigate CVE-2026-6062
Immediate Actions Required
- Upgrade Mattermost Server to a fixed release above 11.7.0, 11.6.2, 11.5.5, or 10.11.17 according to your branch.
- Audit all existing channel subscriptions for unauthorized modifications, particularly destination URLs and filter criteria.
- Rotate any secrets, tokens, or webhook URLs that may have been exposed through hijacked subscriptions.
Patch Information
Mattermost has published fixes under advisory MMSA-2026-00650. Review the Mattermost Security Updates page for the corresponding patched versions for each supported branch and apply the update appropriate to your deployment.
Workarounds
- Restrict API access to the subscription edit endpoint at a reverse proxy or WAF until patching is complete.
- Temporarily disable non-essential integrations and subscriptions in sensitive channels to reduce exposure.
- Enforce least-privilege role assignments so fewer accounts can authenticate against the subscription API surface.
# Example reverse proxy restriction to limit access to the subscription edit endpoint
# Apply at your ingress (nginx shown) until the Mattermost upgrade is deployed
location ~ ^/api/v[0-9]+/.*/subscriptions/ {
if ($request_method = PUT) {
# Allow only trusted administrative source ranges
allow 10.0.0.0/24;
deny all;
}
proxy_pass http://mattermost_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

