MEDIUM 5.4
GHSA-r5vf-grcx-5vqp
Mattermost allows authenticated users to gain access to private repositories
Details
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the OAuth token scope on the callback which allows an authenticated Mattermost user to gain access to private repositories via modifying the scope parameter in the GitHub authorization URL. Mattermost Advisory ID: MMSA-2026-00628
Are you affected?
Enter the version of the package you're using.
Affected packages
Go / github.com/mattermost/mattermost-server
Introduced in:
11.6.0 Fixed in: 11.6.1 Fix
go get github.com/mattermost/mattermost-server@v11.6.1 Go / github.com/mattermost/mattermost-server
Introduced in:
11.5.0 Fixed in: 11.5.4 Fix
go get github.com/mattermost/mattermost-server@v11.5.4 Go / github.com/mattermost/mattermost-server
Introduced in:
11.4.0 Fixed in: 11.4.5 Fix
go get github.com/mattermost/mattermost-server@v11.4.5 Go / github.com/mattermost/mattermost-server
Introduced in:
10.11.0 Fixed in: 10.11.15 Fix
go get github.com/mattermost/mattermost-server@v10.11.15 Go / github.com/mattermost/mattermost-plugin-github
Introduced in:
0 Fixed in: 1.0.1-0.20260318132218-6e6b740c4852 Fix
go get github.com/mattermost/mattermost-plugin-github@v1.0.1-0.20260318132218-6e6b740c4852