Skip to main content

Mattermost EUVDEUVD-2026-36503

| CVE-2026-7387 HIGH
Incorrect Authorization (CWE-863)
2026-06-12 Mattermost GHSA-6hxm-w4hv-vgvw
8.8
CVSS 3.1 · Vendor: Mattermost
Share

Severity by source

Vendor (Mattermost) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Remotely callable API (AV:N/AC:L), requires an authenticated user with delegated group-link permission (PR:L), no user interaction, and admin escalation yields full C/I/A on the workspace.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Mattermost).

CVSS VectorVendor: Mattermost

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 12, 2026 - 17:31 vuln.today

DescriptionCVE.org

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 Mattermost fails to require role-management authorization when setting the scheme_admin flag on group syncable link and patch endpoints, which allows a user with group-link permissions to escalate themselves and group members to team or channel admin via crafted API requests.. Mattermost Advisory ID: MMSA-2026-00665

AnalysisAI

Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding group-link permissions to promote themselves or other group members to team or channel administrator by setting the scheme_admin flag through group syncable link and patch API endpoints. The flaw stems from missing role-management authorization checks, and with a CVSS of 8.8 (network, low complexity, low privileges) it enables tenant-wide takeover of collaboration workspaces; no public exploit identified at time of analysis.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate as group-link delegated user
Delivery
Enumerate linked group syncables via API
Exploit
Send crafted PATCH with scheme_admin=true
Install
Bypass missing role authorization check
C2
Inherit team/channel admin role
Execute
Access private channels and integration tokens
Impact
Exfiltrate data and pivot

Vulnerability AssessmentAI

Exploitation The attacker must hold a valid Mattermost user session with group-link management permissions (manage_team_groups or manage_channel_groups) on at least one target team or channel, and the deployment must have group syncables in use - typically meaning LDAP/AD or SAML group sync is enabled and groups have been linked to teams or channels. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H accurately captures a remotely reachable, low-complexity authenticated escalation with full confidentiality, integrity, and availability impact on the workspace. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or been granted a Mattermost account with group-link permissions (for example a delegated group manager or a phished mid-level user) sends a crafted PUT or POST request to a group syncable link or patch endpoint with scheme_admin set to true, naming themselves or an attacker-controlled group. The server skips the role-management authorization check and writes the elevated role, after which the attacker (and every member of the linked group) becomes team or channel admin and can read private channels, exfiltrate files, alter integrations, and pivot via webhook or slash-command tokens. …
Remediation Patch available per vendor advisory MMSA-2026-00665 at https://mattermost.com/security-updates - upgrade to the fixed release on your branch (post-11.6.1 for the 11.6 line, post-11.5.4 for 11.5, and post-10.11.16 for 10.11; consult the advisory for the exact fixed build number, which is not enumerated in the input data). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Mattermost deployments running 10.11.x, 11.5.x, or 11.6.x; audit current users with group-link permissions and their recent activities. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-9354 MEDIUM POC
5.5 May 24

Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t

CVE-2026-3524 HIGH
8.8 Apr 06

Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal

CVE-2026-6346 HIGH
8.7 May 18

Mattermost versions up to 11.5.1 expose sensitive credentials in plaintext within support packets due to insufficient sa

CVE-2026-6957 HIGH
8.0 May 27

Arbitrary file write in Mattermost Plugins (versions ≤1.1.5) lets an administrator of a remote, federated Mattermost ser

CVE-2026-3108 HIGH
8.0 Mar 26

Mattermost's mmctl command-line administration tool fails to sanitize ANSI and OSC escape sequences embedded in user-gen

CVE-2026-4858 HIGH
8.0 May 21

Privilege escalation via path traversal in Mattermost collaboration platform allows authenticated users to invoke arbitr

CVE-2026-6517 HIGH
7.7 Jun 15

Credential leakage in Mattermost Desktop App versions up to 6.1 and 5.5.13.0 allows authenticated server users to harves

CVE-2026-6961 HIGH
7.6 Jun 12

Arbitrary file write in Mattermost via path traversal affects versions 11.6.x ≤ 11.6.1, 11.5.x ≤ 11.5.4, and 10.11.x ≤ 1

CVE-2026-6347 HIGH
7.6 May 18

Information disclosure in Mattermost Calls plugin versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 expos

CVE-2026-24458 HIGH
7.5 Mar 16

Mattermost 10.11.x through 11.3.x fails to validate password length, allowing unauthenticated attackers to trigger denia

CVE-2026-5740 HIGH
7.5 May 22

Denial of service in Mattermost server (versions 11.6.0, 11.5.0-11.5.3, 11.4.0-11.4.4, and 10.11.0-10.11.14) allows remo

CVE-2026-6739 HIGH
7.2 Jun 12

Privilege escalation in Mattermost collaboration platform allows authenticated users holding delegated user-management p

Share

EUVD-2026-36503 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy