Advisory Database

CVE-2026-28735: Mattermost allows authenticated users to gain access to private repositories

May 26, 2026 (updated June 29, 2026)

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, and 10.11.x <= 10.11.14 fail to validate the OAuth token scope on the callback, which allows an authenticated Mattermost user to gain access to private repositories by modifying the scope parameter in the GitHub authorization URL. Mattermost Advisory ID: MMSA-2026-00628.
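The check the advisory describes as missing, shown as an added Go example that is not the plugin's own code and does not reproduce the fix commit: after the callback exchanges the authorization code for a token, compare the scopes GitHub reports as granted with the scopes the integration requested, and reject a token that carries anything broader. The scope names `public_repo` and `read:org` are assumed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed example, not the plugin's code. GitHub reports the scopes a token
// was actually granted as a comma-separated "scope" field in the token response.

// requiredScopes is an assumed value: the scopes the integration asks for.
var requiredScopes = []string{"public_repo", "read:org"}

// parseScopes turns GitHub's comma-separated scope string into a set.
func parseScopes(raw string) map[string]bool {
	set := map[string]bool{}
	for _, s := range strings.Split(raw, ",") {
		if s = strings.TrimSpace(s); s != "" {
			set[s] = true
		}
	}
	return set
}

// validateGrantedScopes rejects a token whose granted scopes are not exactly the
// requested ones: extra scopes (e.g. "repo" in place of "public_repo") mean the
// authorization URL was altered, so the token must not be stored for the user.
func validateGrantedScopes(granted string, required []string) error {
	got := parseScopes(granted)
	want := parseScopes(strings.Join(required, ","))
	var missing, extra []string
	for s := range want {
		if !got[s] {
			missing = append(missing, s)
		}
	}
	for s := range got {
		if !want[s] {
			extra = append(extra, s)
		}
	}
	sort.Strings(missing)
	sort.Strings(extra)
	if len(missing) > 0 || len(extra) > 0 {
		return fmt.Errorf("oauth scope mismatch: missing=%v extra=%v", missing, extra)
	}
	return nil
}
```

Call `validateGrantedScopes` with the token response's `scope` value before persisting the token; a non-nil error should fail the callback and be logged as a possible tampering attempt.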

References

  • github.com/advisories/GHSA-r5vf-grcx-5vqp
  • github.com/mattermost/mattermost-plugin-github/commit/6e6b740c4852cdfa136ee0ced160da832285c353
  • mattermost.com/security-updates
  • nvd.nist.gov/vuln/detail/CVE-2026-28735


Affected versions

All versions before 1.0.1-0.20260318132218-6e6b740c4852

Fixed versions

  • 1.0.1-0.20260318132218-6e6b740c4852

Solution

Upgrade to version 1.0.1-0.20260318132218-6e6b740c4852 or above.

Impact: 5.4 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N


Weakness

  • CWE-863: Incorrect Authorization

Source file

go/github.com/mattermost/mattermost-plugin-github/CVE-2026-28735.yml


Page generated Sun, 05 Jul 2026 00:19:02 +0000.