{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-28735","assignerOrgId":"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee","state":"PUBLISHED","assignerShortName":"Mattermost","dateReserved":"2026-03-10T13:45:39.998Z","datePublished":"2026-05-22T16:26:04.066Z","dateUpdated":"2026-05-22T16:56:09.671Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Mattermost","vendor":"Mattermost","versions":[{"lessThanOrEqual":"11.6.0","status":"affected","version":"11.6.0","versionType":"semver"},{"lessThanOrEqual":"11.5.3","status":"affected","version":"11.5.0","versionType":"semver"},{"lessThanOrEqual":"11.4.4","status":"affected","version":"11.4.0","versionType":"semver"},{"lessThanOrEqual":"10.11.14","status":"affected","version":"10.11.0","versionType":"semver"},{"version":"11.7.0","status":"unaffected"},{"version":"11.6.1","status":"unaffected"},{"version":"11.5.4","status":"unaffected"},{"version":"11.4.5","status":"unaffected"},{"version":"10.11.15","status":"unaffected"}]}],"credits":[{"lang":"en","type":"finder","value":"eahmed"}],"descriptions":[{"lang":"en","value":"Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the OAuth token scope on the callback which allows an authenticated Mattermost user to gain access to private repositories via modifying the scope parameter in the GitHub authorization URL.. Mattermost Advisory ID: MMSA-2026-00628"}],"metrics":[{"cvssV3_1":{"attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","baseSeverity":"MEDIUM","baseScore":5.4},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","description":"CWE-863: Incorrect Authorization","cweId":"CWE-863"}]}],"references":[{"url":"https://mattermost.com/security-updates","name":"MMSA-2026-00628","tags":["vendor-advisory"]}],"solutions":[{"value":"Update Mattermost to versions 11.7.0, 11.6.1, 11.5.4, 11.4.5, 10.11.15 or higher.","lang":"en"}],"source":{"advisory":"MMSA-2026-00628","defect":["https://mattermost.atlassian.net/browse/MM-67857"],"discovery":"EXTERNAL"},"title":"GitHub OAuth Scope Validation","providerMetadata":{"orgId":"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee","shortName":"Mattermost","dateUpdated":"2026-05-22T16:26:04.066Z"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-22T16:55:25.541191Z","id":"CVE-2026-28735","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-22T16:56:09.671Z"}}]}}