Mattermost · EUVD-2026-36499 | CVE-2026-6739 HIGH
Incorrect Authorization (CWE-863)
2026-06-12 · Mattermost · GHSA-m2w9-h2mm-79qr
7.2 · CVSS 3.1 · NVD

Severity by source

Vendor (Mattermost), primary source: MEDIUM (qualitative)
NVD: 7.2 HIGH, AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI: 7.2 HIGH

Network-reachable REST API (AV:N), no special conditions (AC:L), requires an existing delegated user-management admin account (PR:H), no victim interaction (UI:N), and full system_admin-equivalent compromise yields C:H/I:H/A:H.

CVSS 3.1: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Mattermost).

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (6 events)

Analysis Updated: Jun 18, 2026 15:28, vuln.today, v3 (cvss_changed)
Analysis Updated: Jun 18, 2026 15:28, vuln.today, v2 (cvss_changed)
Re-analysis Queued: Jun 18, 2026 15:22, vuln.today (cvss_changed)
Severity Changed: Jun 18, 2026 15:22, NVD, MEDIUM -> HIGH
CVSS Changed: Jun 18, 2026 15:22, NVD, 6.7 (MEDIUM) -> 7.2 (HIGH)
Analysis Generated: Jun 12, 2026 17:34, vuln.today

Description (NVD)

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to require system-level permission when patching protected default system roles, which allows authenticated users with delegated user-management permissions to escalate privileges by altering built-in role permissions via the role patch API. Mattermost Advisory ID: MMSA-2026-00656

Analysis (AI)

Privilege escalation in Mattermost collaboration platform allows authenticated users holding delegated user-management permissions to modify built-in system role permissions via the role patch API, bypassing a required system-level permission check. Affects Mattermost 10.11.x through 10.11.16, 11.5.x through 11.5.4, and 11.6.x through 11.6.1. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Authenticate as delegated user-management sub-admin
Delivery: Identify role patch API endpoint
Exploit: Send PATCH request modifying built-in role permissions
Install: Server skips system-level permission check
C2: Built-in role gains elevated permissions
Execute: Inherit or assign role to attacker account
Impact: Operate as effective system_admin

Vulnerability Assessment (AI)

Exploitation: The attacker must already hold a Mattermost account with delegated user-management permissions (a custom or sub-admin role granted manage-users capabilities) and have network reachability to the Mattermost server's REST API; full system_admin is not required, which is precisely why this is an escalation primitive. …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H reflects an authenticated, network-reachable attack that already requires high (admin-delegated) privileges but yields total compromise of confidentiality, integrity, and availability, consistent with the SSVC technical impact of 'total'. …

Exploit Scenario: An attacker compromises or already controls a Mattermost account that has been delegated user-management permissions (for example, an HR or helpdesk sub-admin). They issue a crafted PATCH request to the role API targeting a built-in role such as channel_admin or team_admin and add high-impact system permissions to it; because every user holding that role automatically inherits the new permissions, the attacker, or any colluding account, gains effective system_admin capabilities over the entire Mattermost instance. …

Remediation: A patch is available per vendor advisory MMSA-2026-00656 (https://mattermost.com/security-updates); upgrade to the fixed release on your branch as published by Mattermost. Exact fixed build numbers are not enumerated in the provided intelligence, so consult the advisory before deployment. …

Recommended Action (AI)

Within 24 hours: Inventory all Mattermost users granted delegated user-management permissions and validate business justification for each assignment. …
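The inventory step above, plus a check that no built-in role has drifted from a known-good snapshot, can be scripted from data you already have. The following is an added example written for this page, not code from vuln.today or Mattermost. It assumes role objects shaped like those returned by Mattermost's GET /api/v4/roles (fields name, permissions, built_in) and user objects carrying a space-separated "roles" string as in GET /api/v4/users; the BASELINE snapshot, the permission names in HIGH_IMPACT and USER_MGMT, and all sample records are constructed for illustration and are not the real Mattermost defaults.

```python
"""Audit Mattermost role definitions for tampering with built-in roles and
list accounts that hold delegated user-management rights.

Added example, not vuln.today's or Mattermost's code. Assumptions:
- role objects look like Mattermost's GET /api/v4/roles output
  (fields name, permissions, built_in);
- user objects carry a space-separated "roles" string as in GET /api/v4/users;
- BASELINE is a snapshot recorded from a known-good instance (the one here is
  constructed, not the real default permission set);
- permission names in HIGH_IMPACT and USER_MGMT are illustrative.
"""
import json

# Constructed baseline of built-in roles (assumption: recorded earlier from a
# trusted instance). Record your own snapshot; do not reuse these values.
BASELINE = {
    "channel_admin": {"manage_channel_roles", "manage_public_channel_members"},
    "team_admin": {"manage_team", "manage_team_roles", "remove_user_from_team"},
}

# Permissions that should never appear on any role other than system_admin
# (illustrative names).
HIGH_IMPACT = {"manage_system", "manage_roles",
               "sysconsole_write_user_management_users"}

# Permissions that constitute delegated user management (illustrative names).
USER_MGMT = {"sysconsole_write_user_management_users",
             "sysconsole_write_user_management_permissions"}


def audit_roles(roles):
    """Compare built-in roles with BASELINE and flag high-impact grants.

    Returns a list of finding dicts; an empty list means nothing deviates.
    A 'drift' finding means a built-in role gained or lost permissions;
    a 'high_impact' finding means a non-system_admin role carries a
    system-level permission.
    """
    findings = []
    for role in roles:
        name = role["name"]
        perms = set(role.get("permissions", []))
        if role.get("built_in") and name in BASELINE:
            added = perms - BASELINE[name]
            removed = BASELINE[name] - perms
            if added or removed:
                findings.append({"role": name, "kind": "drift",
                                 "added": sorted(added),
                                 "removed": sorted(removed)})
        if name != "system_admin":
            hi = perms & HIGH_IMPACT
            if hi:
                findings.append({"role": name, "kind": "high_impact",
                                 "permissions": sorted(hi)})
    return findings


def delegated_user_managers(users, roles):
    """Usernames holding any non-system_admin role that grants USER_MGMT."""
    granting = {r["name"] for r in roles
                if r["name"] != "system_admin"
                and set(r.get("permissions", [])) & USER_MGMT}
    return sorted(u["username"] for u in users
                  if set(u.get("roles", "").split()) & granting)


# Constructed sample input (not real Mattermost data): channel_admin has been
# tampered with, and a custom helpdesk role delegates user management.
SAMPLE_ROLES = [
    {"name": "system_admin", "built_in": True,
     "permissions": ["manage_system", "manage_roles",
                     "sysconsole_write_user_management_users"]},
    {"name": "channel_admin", "built_in": True,
     "permissions": ["manage_channel_roles", "manage_public_channel_members",
                     "manage_system"]},
    {"name": "team_admin", "built_in": True,
     "permissions": ["manage_team", "manage_team_roles",
                     "remove_user_from_team"]},
    {"name": "helpdesk_user_mgmt", "built_in": False,
     "permissions": ["sysconsole_write_user_management_users"]},
]
SAMPLE_USERS = [
    {"username": "alice", "roles": "system_user helpdesk_user_mgmt"},
    {"username": "bob", "roles": "system_user"},
    {"username": "root", "roles": "system_user system_admin"},
]

if __name__ == "__main__":
    print(json.dumps(audit_roles(SAMPLE_ROLES), indent=2))
    print("delegated user managers:",
          delegated_user_managers(SAMPLE_USERS, SAMPLE_ROLES))
```

Run it against a fresh export of roles and users after patching as well as before: a non-empty drift list after the upgrade means a built-in role was already altered and needs to be restored, since applying the fix closes the API hole but does not revert changes made through it.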
