Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Remotely callable API (AV:N/AC:L), requires an authenticated user with delegated group-link permission (PR:L), no user interaction, and admin escalation yields full C/I/A on the workspace.
Primary rating from Vendor (Mattermost).
CVSS Vector (Vendor: Mattermost)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 Mattermost fails to require role-management authorization when setting the scheme_admin flag on group syncable link and patch endpoints, which allows a user with group-link permissions to escalate themselves and group members to team or channel admin via crafted API requests. Mattermost Advisory ID: MMSA-2026-00665
Analysis (AI)
Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding group-link permissions to promote themselves or other group members to team or channel administrator by setting the scheme_admin flag through group syncable link and patch API endpoints. The flaw stems from missing role-management authorization checks, and with a CVSS of 8.8 (network, low complexity, low privileges) it enables tenant-wide takeover of collaboration workspaces; no public exploit identified at time of analysis.
Vulnerability Assessment (AI)
| Exploitation | The attacker must hold a valid Mattermost user session with group-link management permission on at least one target team or channel, and the deployment must have group syncables in use, which typically means LDAP/AD or SAML group sync is enabled and groups have already been linked to teams or channels. … |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H captures a remotely reachable, low-complexity, authenticated escalation with full confidentiality, integrity, and availability impact on the workspace. … |
| Exploit Scenario | An attacker who has obtained or been granted a Mattermost account with group-link permissions (for example a delegated group manager or a phished mid-level user) sends a crafted PUT or POST request to a group syncable link or patch endpoint with scheme_admin set to true, naming a group that contains the attacker or one the attacker controls. The server skips the role-management authorization check and stores the flag, after which every member of the linked group, attacker included, becomes team or channel admin and can read private channels, exfiltrate files, alter integrations, and pivot via webhook or slash-command tokens. … |
| Remediation | Patch available per vendor advisory MMSA-2026-00665 at https://mattermost.com/security-updates: upgrade to the fixed release on your branch (post-11.6.1 for the 11.6 line, post-11.5.4 for 11.5, and post-10.11.16 for 10.11; consult the advisory for the exact fixed build number, which is not given here). … |
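To make the missing check concrete, the following Go sketch (an added example, not Mattermost's code) models a group syncable patch handler in its vulnerable and hardened forms. The types, the permission names manage_group_links and manage_roles, and the function names are assumptions for illustration; the real server's permission constants and handler structure are not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example, not Mattermost's code. Models the authorization gap described in
// MMSA-2026-00665 with hypothetical, simplified types. Permission names below are
// assumptions for illustration, not Mattermost constants.

type Permission string

const (
	PermManageGroupLinks Permission = "manage_group_links" // may link/patch a group to a team or channel
	PermManageRoles      Permission = "manage_roles"       // may grant or revoke admin roles
)

// Session stands in for an authenticated user's session and its effective permissions.
type Session struct {
	UserID string
	Perms  map[Permission]bool
}

func (s Session) Has(p Permission) bool { return s.Perms[p] }

// GroupSyncablePatch mirrors the shape of the request body: both fields are
// optional pointers so "not supplied" is distinguishable from "false".
type GroupSyncablePatch struct {
	AutoAdd     *bool `json:"auto_add"`
	SchemeAdmin *bool `json:"scheme_admin"`
}

// GroupSyncable is the stored link between a group and a team or channel.
type GroupSyncable struct {
	GroupID     string
	SyncableID  string
	AutoAdd     bool
	SchemeAdmin bool // true => synced members become team/channel admins
}

var ErrForbidden = errors.New("forbidden: missing permission")

// patchVulnerable applies the patch after checking only the group-link permission.
// scheme_admin is treated like any other field, which is the flaw: a delegate who
// may link groups can also hand out admin.
func patchVulnerable(s Session, gs GroupSyncable, p GroupSyncablePatch) (GroupSyncable, error) {
	if !s.Has(PermManageGroupLinks) {
		return gs, ErrForbidden
	}
	return applyPatch(gs, p), nil
}

// patchHardened additionally requires the role-management permission whenever the
// request carries scheme_admin at all (fail closed; a no-op value is still refused).
// Patches that only touch auto_add need just the group-link permission.
func patchHardened(s Session, gs GroupSyncable, p GroupSyncablePatch) (GroupSyncable, error) {
	if !s.Has(PermManageGroupLinks) {
		return gs, ErrForbidden
	}
	if p.SchemeAdmin != nil && !s.Has(PermManageRoles) {
		return gs, fmt.Errorf("%w: setting scheme_admin requires %s", ErrForbidden, PermManageRoles)
	}
	return applyPatch(gs, p), nil
}

func applyPatch(gs GroupSyncable, p GroupSyncablePatch) GroupSyncable {
	if p.AutoAdd != nil {
		gs.AutoAdd = *p.AutoAdd
	}
	if p.SchemeAdmin != nil {
		gs.SchemeAdmin = *p.SchemeAdmin
	}
	return gs
}

func boolp(b bool) *bool { return &b }

func main() {
	delegate := Session{UserID: "u_delegate", Perms: map[Permission]bool{PermManageGroupLinks: true}}
	link := GroupSyncable{GroupID: "g1", SyncableID: "team1", AutoAdd: true}
	escalate := GroupSyncablePatch{SchemeAdmin: boolp(true)}

	got, err := patchVulnerable(delegate, link, escalate)
	fmt.Printf("vulnerable: scheme_admin=%v err=%v\n", got.SchemeAdmin, err)
	got, err = patchHardened(delegate, link, escalate)
	fmt.Printf("hardened:   scheme_admin=%v err=%v\n", got.SchemeAdmin, err)
}
```

The hardened variant refuses any request that mentions scheme_admin from a caller without the role-management permission, rather than only requests that change its value; clients that echo the full object back will need the permission or must omit the field, which is the safer trade-off for a flag that confers admin.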
Recommended Action (AI)
24 hours: Inventory all Mattermost deployments running 10.11.x, 11.5.x, or 11.6.x; audit current users with group-link permissions and their recent activities. …
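As an added example (not Mattermost's own tooling) supporting the audit step above, the following Go program lists every group link that currently grants team or channel admin and marks which ones fall outside an approved allowlist or were modified after a chosen cutoff. It assumes the JSON shape returned by GET /api/v4/groups/{group_id}/teams and the matching .../channels endpoint (objects carrying group_id, team_id or channel_id, auto_add, scheme_admin and update_at in Unix milliseconds); fetching is left to the operator, and the embedded response is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Added example, not Mattermost's tooling. Inspects the group syncables a server
// reports for one group and flags every link that grants admin. The field names
// are assumed to match the API response shape; verify against your server.

type groupSyncable struct {
	GroupID     string `json:"group_id"`
	TeamID      string `json:"team_id,omitempty"`
	ChannelID   string `json:"channel_id,omitempty"`
	AutoAdd     bool   `json:"auto_add"`
	SchemeAdmin bool   `json:"scheme_admin"`
	UpdateAt    int64  `json:"update_at"` // Unix milliseconds (assumed)
}

// target renders the linked object as "team:<id>" or "channel:<id>".
func (g groupSyncable) target() string {
	if g.TeamID != "" {
		return "team:" + g.TeamID
	}
	return "channel:" + g.ChannelID
}

// Finding is one group link that currently grants team or channel admin.
type Finding struct {
	GroupID  string
	Target   string
	Expected bool // present in the reviewer's allowlist of sanctioned admin grants
	Recent   bool // modified after the cutoff, so its audit trail deserves review
}

// AuditAdminGrants parses one API response and returns every link with
// scheme_admin=true. allow holds "groupID|target" keys the organisation has
// approved; cutoff marks the start of the exposure window (for example the date
// the first affected release was deployed).
func AuditAdminGrants(raw []byte, allow map[string]bool, cutoff time.Time) ([]Finding, error) {
	var links []groupSyncable
	if err := json.Unmarshal(raw, &links); err != nil {
		return nil, fmt.Errorf("decoding group syncables: %w", err)
	}
	var out []Finding
	for _, l := range links {
		if !l.SchemeAdmin {
			continue // plain membership sync, not an admin grant
		}
		key := l.GroupID + "|" + l.target()
		out = append(out, Finding{
			GroupID:  l.GroupID,
			Target:   l.target(),
			Expected: allow[key],
			Recent:   time.UnixMilli(l.UpdateAt).After(cutoff),
		})
	}
	return out, nil
}

// Constructed sample response: one sanctioned admin grant, one admin grant nobody
// approved that was changed after the cutoff, and one plain membership link.
const sampleResponse = `[
 {"group_id":"g_ops","team_id":"t_platform","auto_add":true,"scheme_admin":true,"update_at":1700000000000},
 {"group_id":"g_ops","channel_id":"c_finance","auto_add":true,"scheme_admin":true,"update_at":1767225600000},
 {"group_id":"g_ops","team_id":"t_general","auto_add":true,"scheme_admin":false,"update_at":1700000000000}
]`

func main() {
	allow := map[string]bool{"g_ops|team:t_platform": true}
	cutoff := time.Date(2025, 12, 1, 0, 0, 0, 0, time.UTC)
	findings, err := AuditAdminGrants([]byte(sampleResponse), allow, cutoff)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s -> %s expected=%v recent=%v\n", f.GroupID, f.Target, f.Expected, f.Recent)
	}
}
```

Run this against the response for every linked group; any finding with Expected=false is a grant to remove, and any with Recent=true is a candidate for matching against audit logs of link and patch requests by users who hold group-link permission.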
Weakness: CWE-863 – Incorrect Authorization
Technique: Authentication Bypass
EUVD-2026-36503
GHSA-6hxm-w4hv-vgvw