CVE-2026-27659

Name of the Vulnerable Software and Affected Versions Mattermost versions 11.2.x through 11.2.2 Mattermost versions 10.11.x through 10.11.10 Mattermost versions 11.4.x through 11.4.0 Mattermost versions 11.3.x through 11.3.1

Description The software does not properly validate Cross-Site Request Forgery (CSRF) tokens. This allows an attacker to potentially trick an administrator into modifying the active status of access control policies through a specially crafted request. The issue affects the /api/v4/access control policies/{policy id}/activate API endpoint, where {policy id} represents a vulnerable parameter.

Recommendations Update Mattermost to a version later than 11.2.2. Update Mattermost to a version later than 10.11.10. Update Mattermost to a version later than 11.4.0. Update Mattermost to a version later than 11.3.1.