Vulnerability Details CVE-2026-5163
Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite endpoint.. Mattermost Advisory ID: MMSA-2026-00645
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 13.6%
CVSS Severity
CVSS v3 Score 6.5
References
Products affected by CVE-2026-5163
-
cpe:2.3:a:mattermost:mattermost_server:11.5.0
-
cpe:2.3:a:mattermost:mattermost_server:11.5.1