PT-2026-25813 · Mattermost · Mattermost

Hackit_Bharat

·

Published

2026-02-13

·

Updated

2026-03-17

·

CVE-2026-26230

CVSS v2.0

5.5

Medium

Vector AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Mattermost versions 10.11.0 through 10.11.10

Description

Mattermost versions 10.11.x up to and including 10.11.10 do not correctly validate permission requirements in the team member roles API endpoint. As a result, a team administrator (who holds only team-scoped management rights) can demote a team member to the guest role, an action that should require a higher, system-level permission. The affected API endpoint is '/api/v1/teams/{team id}/members/{user id}/roles'; the {team id} and {user id} path parameters select the target whose roles are changed.

Recommendations

Update Mattermost to a version later than 10.11.10.
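The weakness described above, as an added example written for this page and not Mattermost's code: a team-scoped role update whose only gate is team-level management permission, beside a version that additionally requires a system-level permission before any member can be converted to a guest, and that checks the target actually belongs to the team named in the path. Every name here (Session, Member, the Role constants, UpdateRolesVulnerable, UpdateRolesHardened) is an assumption for illustration; the real Mattermost permission model and the actual fix are not on this page.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Illustrative model only (assumed names, not Mattermost's types).
type Role string

const (
	RoleSystemAdmin Role = "system_admin"
	RoleTeamAdmin   Role = "team_admin"
	RoleTeamUser    Role = "team_user"
	RoleTeamGuest   Role = "team_guest"
)

// Session is the caller: system-wide roles plus roles held per team.
type Session struct {
	UserID      string
	SystemRoles []Role
	TeamRoles   map[string][]Role // team ID -> roles in that team
}

// Member is the target row behind /teams/{team_id}/members/{user_id}/roles.
type Member struct {
	UserID string
	TeamID string
	Roles  []Role
}

var (
	ErrForbidden   = errors.New("forbidden")
	ErrNotMember   = errors.New("user is not a member of this team")
	ErrUnknownRole = errors.New("unknown role")
)

func has(roles []Role, want Role) bool {
	for _, r := range roles {
		if r == want {
			return true
		}
	}
	return false
}

// parseRoles splits a space-separated role list and rejects anything
// outside the known team-level role set.
func parseRoles(raw string) ([]Role, error) {
	var out []Role
	for _, f := range strings.Fields(raw) {
		r := Role(f)
		switch r {
		case RoleTeamAdmin, RoleTeamUser, RoleTeamGuest:
			out = append(out, r)
		default:
			return nil, fmt.Errorf("%w: %q", ErrUnknownRole, f)
		}
	}
	return out, nil
}

func canManageTeam(s *Session, teamID string) bool {
	return has(s.SystemRoles, RoleSystemAdmin) || has(s.TeamRoles[teamID], RoleTeamAdmin)
}

// UpdateRolesVulnerable gates the endpoint on team-level management only,
// so a team admin can assign any listed role, guest included.
func UpdateRolesVulnerable(s *Session, teamID string, m *Member, raw string) error {
	if !canManageTeam(s, teamID) {
		return ErrForbidden
	}
	roles, err := parseRoles(raw)
	if err != nil {
		return err
	}
	m.Roles = roles
	return nil
}

// UpdateRolesHardened adds what the vulnerable path lacks: the path's team
// must match the member, and converting someone to a guest is treated as a
// system-level action that additionally requires system admin.
func UpdateRolesHardened(s *Session, teamID string, m *Member, raw string) error {
	if !canManageTeam(s, teamID) {
		return ErrForbidden
	}
	if m.TeamID != teamID {
		return ErrNotMember
	}
	roles, err := parseRoles(raw)
	if err != nil {
		return err
	}
	if has(roles, RoleTeamGuest) && !has(s.SystemRoles, RoleSystemAdmin) {
		return ErrForbidden
	}
	m.Roles = roles
	return nil
}

func main() {
	// Constructed sample: a team admin of "t1" tries to demote member "u2" to guest.
	teamAdmin := &Session{UserID: "u1", TeamRoles: map[string][]Role{"t1": {RoleTeamAdmin}}}
	target := &Member{UserID: "u2", TeamID: "t1", Roles: []Role{RoleTeamUser}}
	fmt.Println("vulnerable:", UpdateRolesVulnerable(teamAdmin, "t1", target, "team_guest"), target.Roles)
	target.Roles = []Role{RoleTeamUser}
	fmt.Println("hardened:", UpdateRolesHardened(teamAdmin, "t1", target, "team_guest"), target.Roles)
}
```

The point of the hardened version is that a "can manage this team" check answers a different question from "may change this user's membership class"; the guest conversion is gated on its own, system-level, permission rather than inherited from team administration.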

Fix

LPE

Improper Access Control

Incorrect Authorization


Weakness Enumeration

Related Identifiers

BDU:2026-06556
CVE-2026-26230

Affected Products

Mattermost