Mattermost CVE-2026-8823

EUVD-2026-38276 · LOW
Incorrect Authorization (CWE-863)
2026-06-22 Mattermost GHSA-xmfh-3ccg-c9fx
3.8
CVSS 3.1 · Vendor: Mattermost

Severity by source

Vendor (Mattermost) PRIMARY
3.8 LOW
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
3.8 LOW

Admin credentials required (PR:H); impact is limited to bot account integrity and availability disruption, with no confidentiality exposure.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Mattermost).

CVSS Vector (Vendor: Mattermost)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 22, 2026 - 16:00 vuln.today

Description (CVE.org)

Mattermost versions 11.7.x <= 11.7.0 and 10.11.x <= 10.11.17 fail to validate bot targets when demoting users to guests, which allows a lower-privileged administrator to degrade arbitrary bot accounts via the standard demote-user API. Mattermost Advisory ID: MMSA-2026-00669

Analysis (AI)

Incorrect authorization in Mattermost's demote-user API allows a lower-privileged administrator to degrade arbitrary bot accounts to guest status. Affected versions are 11.7.0 and earlier in the 11.7.x line and 10.11.17 and earlier in the 10.11.x line. The root cause is missing validation of whether the target of a demotion operation is a bot account, so an administrator who lacks full system privileges can still turn the standard API endpoint against bot identities. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Mattermost as lower-privileged admin
Delivery
Enumerate or identify target bot account IDs
Exploit
Submit demote-user API request targeting bot
Execution
Server skips bot validation check
Persist
Bot account downgraded to guest role
Impact
Dependent integrations lose permissions and fail

Vulnerability Assessment (AI)

Exploitation
Exploitation requires an authenticated session with administrator-level privileges on the Mattermost instance, specifically a 'lower-privileged administrator' role that has access to the demote-user API. …

Risk Assessment
The vendor-assigned CVSS 3.1 score of 3.8 (Low) is well-calibrated and consistent with the available signals. …

Exploit Scenario
An authenticated Mattermost administrator with lower-privileged access, such as a team admin or a sub-admin role, calls the standard demote-user API endpoint, supplying the user ID of a bot account as the target. Because the API does not validate that the target is a bot, the request succeeds, downgrading the bot to a guest role and breaking any integrations or automated workflows that depend on that bot's elevated permissions. …

Remediation
The primary remediation is to upgrade Mattermost to a version that addresses MMSA-2026-00669; consult the vendor advisory at https://mattermost.com/security-updates for confirmed fixed releases in both the 11.7.x and 10.11.x branches. Exact patched version numbers are not independently confirmed from available data beyond the advisory reference. …
