Severity by source
CVSS 3.1 vector (vendor, Mattermost; primary rating): AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Network-reachable REST API (AV:N), no special conditions (AC:L), requires an existing delegated user-management admin account (PR:H), no victim interaction (UI:N), and full system_admin-equivalent compromise yields C:H/I:H/A:H.
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to require system-level permission when patching protected default system roles, which allows authenticated users with delegated user-management permissions to escalate privileges by altering built-in role permissions via the role patch API. Mattermost Advisory ID: MMSA-2026-00656
Analysis (AI)
Privilege escalation in Mattermost collaboration platform allows authenticated users holding delegated user-management permissions to modify built-in system role permissions via the role patch API, bypassing a required system-level permission check. Affects Mattermost 10.11.x through 10.11.16, 11.5.x through 11.5.4, and 11.6.x through 11.6.1. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Attacker must already hold a Mattermost account with delegated user-management permissions (a custom or sub-admin role granted manage-users capabilities) and network reachability to the Mattermost server's REST API; full system_admin is NOT required, which is precisely why this is an escalation primitive. … |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H reflects an authenticated, network-reachable attack that already requires high (admin-delegated) privileges but yields total compromise of confidentiality, integrity, and availability, consistent with the SSVC technical impact of 'total'. … |
| Exploit Scenario | An attacker compromises or already controls a Mattermost account that has been delegated user-management permissions (for example, an HR or helpdesk sub-admin). They issue a crafted PATCH request to the role API targeting a built-in role such as channel_admin or team_admin and add high-impact system permissions to it; because every user holding that role automatically inherits the new permissions, the attacker, or any colluding account, gains effective system_admin capabilities over the entire Mattermost instance. … |
| Remediation | Patch available per vendor advisory MMSA-2026-00656 (https://mattermost.com/security-updates); upgrade to the fixed release on your branch as published by Mattermost. Exact fixed build numbers are not enumerated in the provided intelligence, so consult the advisory before deployment. … |
Recommended Action (AI)
Within 24 hours: Inventory all Mattermost users granted delegated user-management permissions and validate business justification for each assignment. …
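As an added defender-side example (not code from vuln.today or Mattermost), the following Python script checks a role listing for the drift this advisory describes: protected built-in roles that have gained permissions beyond a known-good baseline, roles other than system_admin that now carry system-level permissions, and sub-admin roles holding delegated user-management permissions (the accounts to inventory first). The role object shape, the permission names, and the baseline are assumptions; the sample data is constructed.

```python
import json

# Constructed sample in the shape of Mattermost role objects (name, built_in,
# permissions); values are illustrative, not captured from a real server.
SAMPLE_ROLES_JSON = """[
 {"name": "system_admin", "built_in": true, "permissions": ["manage_system", "manage_roles", "sysconsole_write_user_management_users"]},
 {"name": "team_admin", "built_in": true, "permissions": ["manage_team", "remove_user_from_team", "manage_system"]},
 {"name": "channel_admin", "built_in": true, "permissions": ["manage_public_channel_members", "manage_private_channel_members"]},
 {"name": "helpdesk_user_mgmt", "built_in": false, "permissions": ["sysconsole_write_user_management_users"]}
]"""
SAMPLE_ROLES = json.loads(SAMPLE_ROLES_JSON)

# Expected permissions of protected built-in roles (assumed baseline; in practice
# capture it from a known-good server running the same version).
BASELINE = {
    "team_admin": {"manage_team", "remove_user_from_team"},
    "channel_admin": {"manage_public_channel_members", "manage_private_channel_members"},
}
# Permissions that should only ever sit on system_admin (assumed high-impact set).
SYSTEM_LEVEL = {"manage_system", "manage_roles", "sysconsole_write_user_management_permissions"}
# Permissions that delegate user management to sub-admin roles (assumed names).
USER_MGMT = {"sysconsole_write_user_management_users", "sysconsole_write_user_management_permissions"}

def find_role_drift(roles):
    """Map each built-in role in BASELINE to the permissions it gained beyond it."""
    drift = {}
    for role in roles:
        if role.get("built_in") and role["name"] in BASELINE:
            added = set(role["permissions"]) - BASELINE[role["name"]]
            if added:
                drift[role["name"]] = sorted(added)
    return drift

def escalated_roles(roles):
    """Roles other than system_admin that now carry a system-level permission."""
    return sorted(r["name"] for r in roles
                  if r["name"] != "system_admin" and SYSTEM_LEVEL & set(r["permissions"]))

def delegated_user_mgmt_roles(roles):
    """Sub-admin roles holding delegated user management; inventory their members first."""
    return sorted(r["name"] for r in roles
                  if r["name"] != "system_admin" and USER_MGMT & set(r["permissions"]))

if __name__ == "__main__":
    print("drift:", find_role_drift(SAMPLE_ROLES))
    print("escalated:", escalated_roles(SAMPLE_ROLES))
    print("delegated user management:", delegated_user_mgmt_roles(SAMPLE_ROLES))
```

Against a live server, feed the script the role list returned by the roles endpoint instead of the constructed sample and run it on a schedule so that any change to a built-in role raises an alert.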
Same weakness: CWE-863 – Incorrect Authorization
Same technique: Authentication Bypass
References: EUVD-2026-36499, GHSA-m2w9-h2mm-79qr