Detections
Analytics

SCA: security update for github.com/mattermost/mattermost-server (GHSA-pg7c-462j-grxv)

medium Tenable Self-Hosted Container Security Plugin ID 444095

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

 - Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to
 archive the channel before removing persistent notifications which allows authenticated user to crash the
 server via timing the creation of persistent notification message between the server deleting existing
 persistent notifications and archiving the channel.. Mattermost Advisory ID: MMSA-2026-00637
 (CVE-2026-4635)

Solution

Update the github.com/mattermost/mattermost-server library and its related packages to version 10.11.15 or later.

See Also

https://github.com/advisories/GHSA-pg7c-462j-grxv

Plugin Details

Severity: Medium

ID: 444095

Version: Revision 1.1

Type: Local

Family: SCA Checks

Published: 6/27/2026

Updated: 6/27/2026

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:H/Au:S/C:N/I:N/A:C

CVSS Score Source: CVE-2026-4635

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/26/2026

Vulnerability Publication Date: 5/22/2026

Reference Information

CVE: CVE-2026-4635

cwe: CWE-362