Nixpkgs security tracker

Login with GitHub

Suggestion detail

Untriaged
Permalink CVE-2026-27656
5.7 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
created 2 months, 3 weeks ago Activity log
  • Created suggestion 2 months, 3 weeks ago
Account Takeover via Substring Matching in OpenID Connect Authentication

Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to properly validate user identity in the OpenID {{IsSameUser()}} comparison logic, which allows an attacker to take over arbitrary user accounts via an overly permissive substring matching flaw in the user discovery flow.. Mattermost Advisory ID: MMSA-2026-00590

References

Affected products

Mattermost
  • ==11.3.2
  • =<10.11.11
  • =<11.2.3
  • ==11.5.0
  • ==11.2.4
  • =<11.3.1
  • ==10.11.12
  • ==11.4.1
  • =<11.4.0

Matching in nixpkgs

pkgs.mattermost

Open source platform for secure collaboration across the entire software development lifecycle

pkgs.mattermostLatest

Open source platform for secure collaboration across the entire software development lifecycle

Package maintainers