CVE-2026-0999 - Vulnerability Details

- Authentication bypass via userID login when email and username login are disabled

Description

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548

Published: 2026-02-16

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Mattermost versions 10.11.x through 10.11.9, 11.1.x through 11.1.2, and 11.2.x through 11.2.1 fail to properly validate login method restrictions. This allows an authenticated user to bypass the SSO‑only login requirement via a userID‑based authentication attempt. The resulting privilege escalation grants the attacker unauthorized access that would normally be prevented by single sign‑on enforcement, constituting an authentication bypass flaw based on CWE‑303.

Affected Systems

The vulnerability impacts Mattermost server deployments running any of the following: version 10.11.0 up to 10.11.9, 11.1.0 up to 11.1.2, or 11.2.0 up to 11.2.1. Users of older or newer minor releases are not affected.

Risk and Exploitability

The CVSS v3.1 score is 5.4, reflecting medium impact. EPSS indicates a very low exploitation probability (<1%). The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector requires an attacker to possess valid user credentials; after authentication, they can choose a userID login instead of the enforced SSO path, bypassing the restriction. The risk is moderate, with limited scope to the authenticated context but significant because it removes the guardrail provided by SSO.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mattermost

unaffected

Version	Status	Constraints
`11.1.0`	affected	≤ 11.1.2
`10.11.0`	affected	≤ 10.11.9
`11.2.0`	affected	≤ 11.2.1
`11.3.0`	unaffected	—
`11.1.3`	unaffected	—
`10.11.10`	unaffected	—
`11.2.2`	unaffected	—

Configuration 1 [-]

OR	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server::::::::

No data.

Vendor Product Confidence Versions

Mattermost

—

Version	Status	Scheme	Platform
`[11.1.0,11.1.2]`	affected	semver	—
`[10.11.0,10.11.9]`	affected	semver	—
`[11.2.0,11.2.1]`	affected	semver	—
`11.3.0`	unaffected	semver	—
`11.1.3`	unaffected	semver	—
`10.11.10`	unaffected	semver	—
`11.2.2`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Update Mattermost to versions 11.3.0, 11.1.3, 10.11.10, 11.2.2 or higher.

OpenCVE Recommended Actions

Update Mattermost to version 11.3.0, 11.1.3, 10.11.10, 11.2.2 or higher.
Confirm that SSO‑only authentication restrictions are active in the Mattermost configuration and disable userID login where possible.
Require multifactor authentication for all user accounts to limit the impact of an authenticated user who bypasses SSO.

Generated by OpenCVE AI on April 17, 2026 at 19:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-3c9r-7f29-qp32	Mattermost fails to properly validate login method restrictions

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00052.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://mattermost.com/security-updates

History

Wed, 18 Feb 2026 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mattermost mattermost Server
CPEs		cpe:2.3:a:mattermost:mattermost_server::::::::
Vendors & Products		Mattermost mattermost Server

Tue, 17 Feb 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 16 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mattermost Mattermost mattermost
Vendors & Products		Mattermost Mattermost mattermost

Mon, 16 Feb 2026 10:00:00 +0000

Type	Values Removed	Values Added
Description		Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548
Title		Authentication bypass via userID login when email and username login are disabled
Weaknesses		CWE-303
References		https://mattermost.com/security-updates
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}`

Subscriptions

Mattermost Mattermost Mattermost Server

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2026-02-16T09:47:45.960Z

Updated: 2026-02-17T16:53:07.181Z

Reserved: 2026-01-15T15:59:41.357Z

Link: CVE-2026-0999

Vulnrichment

Updated: 2026-02-17T16:53:03.665Z

NVD

Status : Analyzed

Published: 2026-02-16T10:16:08.140

Modified: 2026-02-18T20:20:07.833

Link: CVE-2026-0999

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T19:15:26Z

Weaknesses

CWE-303

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object