Skip to main content
CVE Vulnerability Database

CVE-2026-9162: Mattermost Server Auth Bypass Vulnerability

CVE-2026-9162 is an authentication bypass flaw in Mattermost Server that allows users with active WebSocket connections to remain authenticated after session revocation. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2026-9162 Overview

CVE-2026-9162 affects multiple versions of Mattermost Server. The vulnerability stems from the server failing to invalidate cached authentication state for active WebSocket connections during global session revocation. A user with an established WebSocket connection can remain authenticated and continue receiving real-time events after administrators revoke their session. Access persists until the cached session expires or the client reconnects. Mattermost tracks this issue as advisory MMSA-2026-00664 and classifies it under CWE-613: Insufficient Session Expiration.

Critical Impact

Revoked users retain authenticated access to real-time event streams over existing WebSocket connections, undermining session termination as a security control.

Affected Products

  • Mattermost Server 11.7.x through 11.7.0
  • Mattermost Server 11.6.x through 11.6.2, and 11.5.x through 11.5.5
  • Mattermost Server 10.11.x through 10.11.17

Discovery Timeline

  • 2026-06-22 - CVE-2026-9162 published to NVD
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2026-9162

Vulnerability Analysis

The flaw resides in how Mattermost Server handles authentication state for persistent WebSocket connections. When an administrator triggers global session revocation, the server invalidates session tokens in the database. However, established WebSocket connections rely on a cached authentication state that the revocation routine does not flush. The client continues receiving real-time channel events, direct messages, and presence updates even though the underlying session is revoked. This represents a session management failure rather than a memory safety or injection issue. The vulnerability is authenticated, requiring the attacker to already hold valid low-privilege credentials at the time the WebSocket connects.

Root Cause

The root cause is incomplete propagation of session state changes to long-lived connection handlers. Mattermost caches authentication context per WebSocket connection to avoid per-message database lookups. The global session revocation logic updates persistent storage but does not iterate through active connection handlers to evict cached credentials or force reconnection.

Attack Vector

An authenticated user establishes a normal WebSocket connection to the Mattermost server. An administrator or automated workflow later revokes the user's session, for example after a credential compromise, role change, or offboarding event. The attacker keeps the existing socket open and continues to receive event streams the revoked account would normally lose access to. No specialized tooling is required. Standard Mattermost clients and the public WebSocket API are sufficient. See the Mattermost Security Updates advisory for vendor technical details.

Detection Methods for CVE-2026-9162

Indicators of Compromise

  • WebSocket sessions that remain active for the same user ID after a session revocation event is recorded in the audit log.
  • Real-time event delivery to accounts whose session tokens are no longer present in the active session store.
  • Long-lived WebSocket connections persisting beyond expected administrative actions such as password resets or account deactivation.

Detection Strategies

  • Correlate audit.log session revocation entries with WebSocket connection telemetry to identify mismatches between revoked sessions and still-active sockets.
  • Monitor reverse proxy or load balancer logs for WebSocket upgrade connections that exceed expected session lifetimes.
  • Alert on event delivery to user IDs that recently triggered administrative revocation actions.

Monitoring Recommendations

  • Enable Mattermost audit logging and forward events to a centralized log platform for correlation with network session data.
  • Track WebSocket connection duration metrics per user and flag outliers that survive revocation windows.
  • Periodically reconcile the active session table against currently open WebSocket connections at the application layer.

How to Mitigate CVE-2026-9162

Immediate Actions Required

  • Upgrade Mattermost Server to a patched release above 11.7.0, 11.6.2, 11.5.5, or 10.11.17 according to your release branch.
  • After revoking a user's session, restart the Mattermost server process or force-disconnect active WebSocket clients to clear cached authentication state.
  • Review recent session revocation events and audit account activity from affected users during the cache validity window.

Patch Information

Mattermost has issued fixes tracked under advisory MMSA-2026-00664. Refer to the Mattermost Security Updates page for the specific fixed versions corresponding to each supported release branch.

Workarounds

  • Reduce the session cache TTL so revoked sessions converge to invalid state more quickly.
  • Combine session revocation with a server restart or rolling restart of application nodes to terminate cached WebSocket authentication state.
  • Restrict WebSocket connection lifetimes at the reverse proxy layer to force periodic reauthentication.
bash
# Configuration example
# Force WebSocket clients to reconnect periodically via NGINX in front of Mattermost
proxy_read_timeout 300s;
proxy_send_timeout 300s;

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.