Severity by source
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L (3.8, Low)
Requires an authenticated User Manager role with explicit write access (PR:H); no confidentiality loss; limited integrity and availability impact confined to bot account deactivation.
Primary rating from the vendor (Mattermost).
CVSS Vector (Vendor: Mattermost): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
Description (CVE.org)
Mattermost versions 11.7.x <= 11.7.0 and 10.11.x <= 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, which allows a User Manager with user management write access but no Integrations access to deactivate bot accounts via the PUT /api/v4/users/{id}/active API endpoint. Mattermost Advisory ID: MMSA-2026-00667
Analysis (AI)
{id}/active endpoint despite lacking the Integrations permission required to manage bots. The server fails to apply bot-specific permission checks at this endpoint, accepting the deactivation request based solely on user management write access. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the attacker to be authenticated to the Mattermost instance and to hold a User Manager role with user management write access explicitly granted by a system administrator; this is not a default role assignment. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.8 (Low) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L accurately characterizes the constrained real-world risk. … |
| Exploit Scenario | An authenticated Mattermost user holding the User Manager role enumerates bot account user IDs in the workspace (possible via the users listing API available to that role) and then issues a PUT /api/v4/users/{bot_user_id}/active HTTP request with a JSON body of {"active": false}. The server processes the request without checking for Integrations permissions, deactivates the bot, and any automated pipelines or webhook integrations relying on that bot account stop functioning. … |
| Remediation | The primary remediation is to upgrade Mattermost to a patched release as directed by the vendor advisory MMSA-2026-00667 at https://mattermost.com/security-updates; exact fixed version numbers are not enumerated in the available input data and must be confirmed directly from that advisory. … |
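The description and the Exploit Scenario row above both come down to one missing authorization step: the active-status endpoint consults only the user-management write permission and never asks whether the target is a bot. The following Go program is an added illustration written for this page, not Mattermost's code; the permission names, the in-memory store and the sample accounts are constructed stand-ins. It places the weak check beside the hardened one and runs both against a User Manager who lacks Integrations access, so a reviewer can see exactly which branch the patch needs to add.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission identifiers are hypothetical stand-ins for the two capabilities
// the advisory distinguishes (user management write access vs. Integrations
// access); they are not Mattermost's real constant names.
type Permission string

const (
	PermUserManagementWrite Permission = "user_management_write"
	PermIntegrationsBots    Permission = "integrations_manage_bots"
)

// User is a minimal account record; IsBot marks bot accounts.
type User struct {
	ID     string
	IsBot  bool
	Active bool
}

// Session carries the caller's identity and granted permissions.
type Session struct {
	UserID string
	Perms  map[Permission]bool
}

func (s Session) Has(p Permission) bool { return s.Perms[p] }

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("user not found")
)

// AuthzCheck decides whether the session may change the target's active flag.
type AuthzCheck func(s Session, target User) error

// checkVulnerable mirrors the defect described in the advisory: only the
// user-management write permission is consulted, so a User Manager without
// Integrations access can deactivate a bot.
func checkVulnerable(s Session, target User) error {
	if !s.Has(PermUserManagementWrite) {
		return ErrForbidden
	}
	return nil
}

// checkFixed adds the bot-specific gate: when the target is a bot, the
// caller must also hold the Integrations (bot management) permission.
func checkFixed(s Session, target User) error {
	if !s.Has(PermUserManagementWrite) {
		return ErrForbidden
	}
	if target.IsBot && !s.Has(PermIntegrationsBots) {
		return ErrForbidden
	}
	return nil
}

// Store is a constructed in-memory user table standing in for the database.
type Store struct {
	Users map[string]*User
}

// SetActive models the handler behind PUT /api/v4/users/{id}/active:
// look up the target, run the authorization check, then apply the change.
func (st *Store) SetActive(s Session, id string, active bool, check AuthzCheck) error {
	u, ok := st.Users[id]
	if !ok {
		return ErrNotFound
	}
	if err := check(s, *u); err != nil {
		return err
	}
	u.Active = active
	return nil
}

// NewDemoStore builds constructed sample data: one human user, one bot.
func NewDemoStore() *Store {
	return &Store{Users: map[string]*User{
		"human-1": {ID: "human-1", IsBot: false, Active: true},
		"bot-1":   {ID: "bot-1", IsBot: true, Active: true},
	}}
}

// UserManagerSession is a constructed caller with user-management write
// access but no Integrations access, matching the advisory's precondition.
func UserManagerSession() Session {
	return Session{UserID: "mgr-1", Perms: map[Permission]bool{PermUserManagementWrite: true}}
}

func main() {
	checks := []struct {
		name  string
		check AuthzCheck
	}{{"vulnerable", checkVulnerable}, {"fixed", checkFixed}}
	for _, c := range checks {
		st := NewDemoStore()
		err := st.SetActive(UserManagerSession(), "bot-1", false, c.check)
		fmt.Printf("%-10s deactivate bot-1 -> err=%v active=%v\n", c.name, err, st.Users["bot-1"].Active)
	}
}
```

The point of keeping the target lookup ahead of the check is that the decision has to depend on a property of the target (IsBot), not only on the caller's role; an authorization check that runs before the target is resolved cannot express the rule the advisory says was missing.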
References
EUVD-2026-38248
GHSA-g5vr-6pgg-74qv