Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to properly validate CSRF tokens in the /api/v4/access_control_policies/{policy_id}/activate endpoint, which allows an attacker to trick an admin into changing access control policy active status via a crafted request.. Mattermost Advisory ID: MMSA-2026-00578
AnalysisAI
A Cross-Site Request Forgery (CSRF) vulnerability exists in Mattermost's access control policy activation endpoint due to improper CSRF token validation. Authenticated attackers can exploit this to trick administrators into activating or deactivating access control policies via crafted requests, potentially altering security posture. The vulnerability affects Mattermost versions 10.11.x through 10.11.10, 11.2.x through 11.2.2, 11.3.x through 11.3.1, and 11.4.0. No public exploitation or active KEV status has been reported, though the CISA SSVC framework indicates no current exploitation evidence and non-automatable attack requirements, limiting immediate real-world threat severity.
Technical ContextAI
The vulnerability stems from inadequate CSRF token validation in the /api/v4/access_control_policies/{policy_id}/activate REST API endpoint (CWE-352: Cross-Site Request Forgery). CSRF protections are critical in web applications to ensure state-changing operations originate from legitimate user sessions rather than attacker-controlled sites. Mattermost, identified via CPE cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*, implements role-based access control via policies; the activate endpoint controls whether these policies are enforced organization-wide. When CSRF tokens are not properly validated or are missing from the request validation logic, an attacker can craft malicious HTML or JavaScript that, when visited by an authenticated admin, will submit requests to toggle policy states without the admin's knowledge or consent.
RemediationAI
Immediately upgrade Mattermost to patched versions beyond 11.2.2, 10.11.10, 11.3.1, and 11.4.0, respectively—consult https://mattermost.com/security-updates for exact patched release versions in your release branch. Until patches can be applied, implement compensating controls: enforce HTTPS-only connections with HSTS headers, restrict admin console access to internal networks only via firewall rules, and educate administrators to avoid visiting untrusted links while logged into Mattermost. Consider temporarily disabling access control policy modification APIs via web application firewall rules if policies are not actively modified.
More in Mattermost
View allDenial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s
A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto
Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w
Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf
Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit
Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo
Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t
Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh
Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse
Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr
Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15806
GHSA-rmhw-c3xr-m3xx