Cyber Resilience

CVE-2026-28741

Medium

Published: 15 April 2026

Modified: 22 April 2026
CVSS v3.1 score: 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS score: 0.0013 (2.9th percentile)
Risk priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-28741 is a medium-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in Mattermost Server by Mattermost. Its CVSS v3.1 base score is 6.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098). EPSS ranks the CVE at the 2.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-28741 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Mattermost versions 10.11.x up to and including 10.11.12, 11.5.x up to and including 11.5.0, 11.4.x up to and including 11.4.2, and 11.3.x up to and including 11.3.2. The flaw stems from a failure to validate CSRF tokens on an authentication endpoint, enabling attackers to perform unauthorized actions. It is rated with a CVSS v3.1 base score of 6.8 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N) and is associated with CWE-352 (Cross-Site Request Forgery). The vulnerability was published on 2026-04-15.

An attacker can exploit this vulnerability without privileges by tricking an authenticated user into visiting a malicious webpage. The malicious page submits a forged request to the vulnerable authentication endpoint, allowing the attacker to update the victim's authentication method. This results in high confidentiality and integrity impacts, potentially compromising the victim's account control.

For mitigation details, refer to Mattermost Advisory MMSA-2026-00625 available at https://mattermost.com/security-updates.

Vulnerability details

Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to validate CSRF tokens on an authentication endpoint which allows an attacker to update a user's authentication method via a CSRF attack by tricking a user into visiting a malicious page. Mattermost Advisory ID: MMSA-2026-00625

CWE(s)

CWE-352 Cross-Site Request Forgery (CSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1098 Account Manipulation (tactic: Persistence)
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

The CSRF flaw on the authentication endpoint directly allows unauthorized modification of a victim's authentication settings or method. That is account manipulation (T1098): the attacker gains control of the account without needing the victim's credentials or direct access to the system.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-20621 · Same product: Mattermost Server (Mattermost)
CVE-2025-25279 · Same product: Mattermost Server (Mattermost)
CVE-2026-20719 · Same product: Mattermost Server (Mattermost)
CVE-2025-20051 · Same product: Mattermost Server (Mattermost)
CVE-2026-2454 · Same product: Mattermost Server (Mattermost)
CVE-2025-14273 · Same product: Mattermost Server (Mattermost)
CVE-2026-24458 · Same product: Mattermost Server (Mattermost)
CVE-2025-25274 · Same product: Mattermost Server (Mattermost)
CVE-2025-12421 · Same product: Mattermost Server (Mattermost)
CVE-2025-1412 · Same product: Mattermost Server (Mattermost)

Affected Assets

Vendor: mattermost
Product: mattermost server
Versions: 10.11.0 to 10.11.13 · 11.3.0 to 11.3.3 · 11.4.0 to 11.4.3

Mitigating Controls (NIST 800-53 r5, AI-mapped)

SC-23 Session Authenticity (prevent)
Requires session authenticity mechanisms such as anti-CSRF tokens, so that a forged request originating from a malicious site cannot be used to update a user's authentication method.

SI-10 Information Input Validation (prevent)
Mandates validation of information inputs, including the CSRF token sent to the authentication endpoint, which directly addresses the missing token validation in this CVE.

SI-2 Flaw Remediation (prevent)
Ensures timely identification, reporting, and correction of this specific CSRF flaw (applying the fix described in Mattermost advisory MMSA-2026-00625), which removes the vulnerable versions from service.
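To make the SC-23 and SI-10 controls above concrete, the following is an added illustrative Go example of what "validating the CSRF token on a state-changing endpoint" looks like server-side; it is not Mattermost's code and does not reproduce its fix. It assumes a session cookie named session, a request header named X-CSRF-Token, a placeholder endpoint path /api/auth-method, and the origin https://chat.example.test; the session-to-token table is constructed sample data standing in for a real session store. The check does two things a browser makes reliable: it rejects requests whose Origin (or, as a fallback, Referer) is not the site's own, and it requires a token bound to the session that a cross-site page can neither read nor set, compared in constant time.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// allowedOrigin is the application's own origin (assumed value for this example).
const allowedOrigin = "https://chat.example.test"

// sessionTokens maps a session cookie value to the anti-CSRF token issued for it.
// Constructed sample data; a real server keeps this in its session store.
var sessionTokens = map[string]string{
	"sess-abc123": "csrf-tok-0a1b2c3d",
}

// checkCSRF returns an empty string when the request may proceed, otherwise the
// reason it was rejected. Safe methods are exempt because they must not change state.
func checkCSRF(r *http.Request) string {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return ""
	}

	// Step 1: browsers attach Origin to cross-site POSTs and a page cannot forge it.
	// Fall back to Referer only when Origin is absent; a missing value is rejected.
	origin := r.Header.Get("Origin")
	if origin == "" {
		if ref := r.Header.Get("Referer"); ref != "" {
			if u, err := url.Parse(ref); err == nil {
				origin = u.Scheme + "://" + u.Host
			}
		}
	}
	if origin != allowedOrigin {
		return "origin mismatch"
	}

	// Step 2: the token must travel in a custom header (cross-site forms cannot set
	// one) and must equal the token bound to the caller's session.
	c, err := r.Cookie("session") // assumed cookie name
	if err != nil {
		return "no session"
	}
	expected, ok := sessionTokens[c.Value]
	if !ok {
		return "unknown session"
	}
	got := r.Header.Get("X-CSRF-Token") // assumed header name
	if subtle.ConstantTimeCompare([]byte(got), []byte(expected)) != 1 {
		return "csrf token missing or invalid"
	}
	return ""
}

// csrfMiddleware wraps any handler so that rejected requests never reach it.
func csrfMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if reason := checkCSRF(r); reason != "" {
			http.Error(w, "forbidden: "+reason, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// updateAuthMethod is a placeholder for a state-changing authentication endpoint.
func updateAuthMethod(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, "auth method updated")
}

// serve runs one request through the protected endpoint and returns the HTTP status.
func serve(req *http.Request) int {
	h := csrfMiddleware(http.HandlerFunc(updateAuthMethod))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// forgedRequest models a submission from a third-party page: the browser adds the
// victim's session cookie automatically, but the page cannot supply the token header.
func forgedRequest() *http.Request {
	req := httptest.NewRequest(http.MethodPost, "/api/auth-method", nil)
	req.Header.Set("Origin", "https://attacker.example.test") // constructed value
	req.AddCookie(&http.Cookie{Name: "session", Value: "sess-abc123"})
	return req
}

// legitimateRequest models the application's own front end calling the endpoint.
func legitimateRequest() *http.Request {
	req := httptest.NewRequest(http.MethodPost, "/api/auth-method", nil)
	req.Header.Set("Origin", allowedOrigin)
	req.Header.Set("X-CSRF-Token", "csrf-tok-0a1b2c3d")
	req.AddCookie(&http.Cookie{Name: "session", Value: "sess-abc123"})
	return req
}

func main() {
	fmt.Println("forged:", serve(forgedRequest()), "legitimate:", serve(legitimateRequest()))
}
```

Both checks matter: the origin check alone fails for clients that strip Referer and send no Origin, and a token alone is only as good as the server's refusal to accept its absence, which is exactly the class of omission this CVE describes. Using a custom header rather than a form field also keeps the token out of the simple-request set that HTML forms can emit cross-site.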
