CVE-2026-28741
Published: 15 April 2026
Summary
CVE-2026-28741 is a medium-severity CSRF (CWE-352) vulnerability in Mattermost Server (vendor: Mattermost). Its CVSS base score is 6.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098); ranked at the 4.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-23 requires session authenticity mechanisms such as anti-CSRF tokens to prevent unauthorized forged requests from malicious sites that could update user authentication methods.
SI-10 mandates validation of information inputs including CSRF tokens on the authentication endpoint, directly addressing the failure to validate tokens in this CVE.
SI-2 ensures timely identification, reporting, and correction of the specific CSRF flaw in Mattermost, preventing exploitation of the vulnerable versions.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF flaw on the authentication endpoint lets an attacker change a victim's authentication settings or method without holding credentials or having direct access to the account. That is account manipulation (T1098), and a changed authentication method is a path to account takeover.
NVD Description
Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to validate CSRF tokens on an authentication endpoint which allows an attacker to update a user's authentication method via a CSRF attack by tricking a user into visiting a malicious page. Mattermost Advisory ID: MMSA-2026-00625
Deeper analysis
CVE-2026-28741 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Mattermost versions 10.11.x up to and including 10.11.12, 11.5.x up to and including 11.5.0, 11.4.x up to and including 11.4.2, and 11.3.x up to and including 11.3.2. The flaw stems from a failure to validate CSRF tokens on an authentication endpoint, enabling attackers to perform unauthorized actions. It is rated with a CVSS v3.1 base score of 6.8 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N) and is associated with CWE-352 (Cross-Site Request Forgery). The vulnerability was published on 2026-04-15.
An attacker can exploit this vulnerability without privileges by tricking an authenticated user into visiting a malicious webpage. The malicious page submits a forged request to the vulnerable authentication endpoint, allowing the attacker to update the victim's authentication method. This results in high confidentiality and integrity impacts, potentially compromising the victim's account control.
For mitigation details, refer to Mattermost Advisory MMSA-2026-00625 available at https://mattermost.com/security-updates.
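The attack path in the analysis above and the SC-23/SI-10 controls in the mitigation section both come down to one question: does a state-changing request prove that the user intended it, or only that the browser holds a session cookie? The following Go program is an added example written for this page; it is not Mattermost's code and does not reproduce the actual vulnerable handler. It models a hypothetical "update authentication method" endpoint in two forms: a vulnerable handler that authenticates by session cookie alone, and a hardened one that also requires a per-session CSRF token in a custom request header (synchronizer-token pattern). The cookie name, header name, endpoint path and form field are assumptions chosen for the example. The simulation replays a form POST that carries the victim's cookie, once without the token (what an auto-submitted form on an attacker's page can produce) and once with it (what the legitimate client sends).

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// sessions maps a session ID to the CSRF token minted for it (synchronizer-token pattern).
// In-memory and single-threaded: a stand-in for a real session store.
type sessions map[string]string

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return fmt.Sprintf("%x", b)
}

func (s sessions) newSession() (sid, token string) {
	sid, token = randomHex(16), randomHex(32)
	s[sid] = token
	return sid, token
}

// authenticate resolves the session cookie ("MMAUTHTOKEN" is an assumed name). It proves the
// browser holds a session, not that the user intended this request: browsers attach cookies
// to cross-site form POSTs too.
func (s sessions) authenticate(r *http.Request) (sid, token string, ok bool) {
	c, err := r.Cookie("MMAUTHTOKEN")
	if err != nil {
		return "", "", false
	}
	token, ok = s[c.Value]
	return c.Value, token, ok
}

// vulnerableHandler: any POST with a valid session cookie changes the auth method, so a
// form auto-submitted from an attacker's page is honoured (the CWE-352 pattern).
func vulnerableHandler(s sessions, authMethod map[string]string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		sid, _, ok := s.authenticate(r)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		authMethod[sid] = r.FormValue("auth_service") // assumed field name
	}
}

// hardenedHandler also requires the session's CSRF token in an assumed "X-CSRF-Token" header
// (SC-23 session authenticity, SI-10 input validation). A cross-origin form can neither read
// the token nor set custom headers, so the forged request fails closed with 403.
func hardenedHandler(s sessions, authMethod map[string]string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		sid, expected, ok := s.authenticate(r)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		got := r.Header.Get("X-CSRF-Token")
		if got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(expected)) != 1 {
			http.Error(w, "missing or invalid CSRF token", http.StatusForbidden)
			return
		}
		authMethod[sid] = r.FormValue("auth_service")
	}
}

// simulate replays a cookie-bearing form POST to an assumed endpoint path and returns the
// status. An empty token models the forged cross-site form: cookie present, header absent.
func simulate(h http.HandlerFunc, sid, token string) int {
	body := url.Values{"auth_service": {"attacker-chosen"}}.Encode()
	req := httptest.NewRequest(http.MethodPost, "/api/v4/users/me/auth", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.AddCookie(&http.Cookie{Name: "MMAUTHTOKEN", Value: sid})
	if token != "" {
		req.Header.Set("X-CSRF-Token", token)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

// Outcomes returns the status per scenario and the auth method the forged request left
// behind on the vulnerable handler (the victim starts with a constructed value "email").
func Outcomes() (map[string]int, string) {
	s := sessions{}
	sid, token := s.newSession()
	methods := map[string]string{sid: "email"}
	status := map[string]int{}
	status["vulnerable/forged"] = simulate(vulnerableHandler(s, methods), sid, "")
	afterForgery := methods[sid]
	status["hardened/forged"] = simulate(hardenedHandler(s, methods), sid, "")
	status["hardened/guessed"] = simulate(hardenedHandler(s, methods), sid, randomHex(32))
	status["hardened/legit"] = simulate(hardenedHandler(s, methods), sid, token)
	return status, afterForgery
}

func main() {
	status, method := Outcomes()
	fmt.Println(status, "auth method after forgery:", method)
}
```

Two design points worth noting. The token is compared with a constant-time comparison and bound to the session rather than global, so a token leaked from one session does not authorise requests on another. The check also does not rely on Content-Type alone: an endpoint that only accepts JSON is harder to reach from a plain HTML form, but that is a side effect of browser rules, not a session-authenticity control, and it is the explicit token check that the SC-23 and SI-10 mappings above call for.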
Details
- CWE(s)