Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is member of multiple groups to create issues to a locked group via direct API requests. Mattermost Advisory ID: MMSA-2026-00602
AnalysisAI
Mattermost Plugins through version 11.5 allow authenticated users to bypass group-level access controls and create issues or attach comments to locked groups they should not access. Attackers holding membership in multiple groups can exploit missing API-level authorization checks via direct API requests to write data into restricted groups, violating intended access boundaries. EPSS risk data not available; CVSS 4.3 reflects low-privilege authenticated network attack with low complexity. No active exploitation confirmed by CISA KEV at time of analysis, though vendor advisory (MMSA-2026-00602) confirms the vulnerability.
Technical ContextAI
This vulnerability affects the Mattermost Plugins component across versions 11.5, 11.1.5, 10.13.11, and 11.3.4.0. The root cause is CWE-863 (Incorrect Authorization), where the API layer fails to enforce group-based access control decisions. While the UI may properly restrict access to locked groups, the underlying API endpoints do not validate whether the authenticated user should have write permissions to specific groups. This creates a confused deputy scenario where multi-group membership enables privilege escalation-users can reference group identifiers in API calls to bypass intended restrictions. The CPE identifier cpe:2.3:a:mattermost:mattermost confirms the Mattermost server/plugins ecosystem as the affected product.
RemediationAI
Upgrade Mattermost to the patched version specified in vendor advisory MMSA-2026-00602 available at https://mattermost.com/security-updates. Exact fix version numbers are not provided in available CVE data, so consult the advisory directly for upgrade targets corresponding to each affected branch (11.x, 10.x series). If immediate patching is not feasible, implement compensating controls: (1) Audit API access logs for unexpected cross-group issue creation or comment activity by reviewing user group memberships against issue creation timestamps; (2) Restrict API access to trusted networks via firewall rules or reverse proxy ACLs, though this does not prevent exploitation by authenticated internal users; (3) Review and minimize multi-group memberships to reduce the attack surface, understanding this may disrupt legitimate workflows requiring cross-team collaboration. Note that disabling plugins entirely may impact core Mattermost functionality depending on deployment configuration. No workaround fully mitigates the vulnerability-patching remains the primary remediation path.
More in Mattermost
View allDenial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s
A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto
Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w
Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf
Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit
Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo
Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t
Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh
Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse
Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr
Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30746
GHSA-668g-wr24-468v