Description
Mattermost versions 10.11.x <= 10.11.10 fail to validate user's authentication method when processing account auth type switch which allows an authenticated attacker to change account password without confirmation via falsely claiming a different auth provider. Mattermost Advisory ID: MMSA-2026-00583
Published: 2026-03-16
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Password Change
Action: Patch
AI Analysis

Impact

An authenticated user on a vulnerable Mattermost server can send a request to the auth-type switch endpoint that claims the account currently authenticates through a different provider than it actually does. Because the server does not check that claim against the account's recorded authentication method, the confirmation that would normally gate a password change (proving knowledge of the current password) is skipped and a new password is set unconfirmed. The attacker already holds a session for the account, so the practical consequence is persistence rather than initial access: whoever holds a valid session (for example a stolen or unattended one) can set a password they know without ever knowing the existing one. The weakness is classified as CWE-863 (Incorrect Authorization).
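The check that the advisory describes as missing, shown as an added illustration in Go (Mattermost's language) that is not the project's own code: a vulnerable handler that branches on the client-supplied "current service" claim, beside a corrected handler that derives the branch from the account's stored authentication method and rejects a claim that disagrees with it. The request shape, service names, store and function names are assumptions made for the example, not taken from the advisory or from Mattermost's API.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustrative auth service names (assumed for this example, not from the advisory).
const (
	ServiceEmail = "email"
	ServiceSAML  = "saml"
	ServiceLDAP  = "ldap"
)

// User is the server's record of an account, including how it authenticates.
type User struct {
	ID          string
	AuthService string // authoritative: set by the server, never by the client
	Password    string // plaintext only to keep the model small
}

// SwitchRequest is the client-controlled body of an auth-switch call (hypothetical shape).
type SwitchRequest struct {
	CurrentService string // the client's CLAIM about its current auth method
	NewService     string
	Password       string // current password, needed for an email-to-email change
	NewPassword    string
}

var (
	ErrNoSuchUser        = errors.New("no such user")
	ErrBadPassword       = errors.New("current password incorrect")
	ErrServiceMismatch   = errors.New("claimed current auth service does not match the account")
	ErrUnsupportedSwitch = errors.New("unsupported switch")
)

type Store map[string]*User

// switchVulnerable trusts req.CurrentService. A session for a password-based
// account can claim to be SAML- or LDAP-bound and so take the branch that has
// no current password to confirm, setting a new password with no confirmation.
func switchVulnerable(store Store, sessionUserID string, req SwitchRequest) error {
	u, ok := store[sessionUserID]
	if !ok {
		return ErrNoSuchUser
	}
	if req.NewService != ServiceEmail {
		return ErrUnsupportedSwitch
	}
	switch req.CurrentService { // bug: client-controlled value drives the decision
	case ServiceEmail:
		if req.Password != u.Password {
			return ErrBadPassword
		}
	case ServiceSAML, ServiceLDAP:
		// external provider -> password: no existing password to check
	default:
		return ErrUnsupportedSwitch
	}
	u.AuthService = ServiceEmail
	u.Password = req.NewPassword
	return nil
}

// switchFixed uses the stored AuthService to choose the branch and refuses a
// request whose claim does not match it, so the confirmation cannot be skipped.
func switchFixed(store Store, sessionUserID string, req SwitchRequest) error {
	u, ok := store[sessionUserID]
	if !ok {
		return ErrNoSuchUser
	}
	if req.NewService != ServiceEmail {
		return ErrUnsupportedSwitch
	}
	if req.CurrentService != u.AuthService {
		return ErrServiceMismatch
	}
	switch u.AuthService { // server-side record, not the client's claim
	case ServiceEmail:
		if req.Password != u.Password {
			return ErrBadPassword
		}
	case ServiceSAML, ServiceLDAP:
		// genuinely bound to an external provider: nothing to confirm
	default:
		return ErrUnsupportedSwitch
	}
	u.AuthService = ServiceEmail
	u.Password = req.NewPassword
	return nil
}

// newStore builds a constructed sample: one password-based account.
func newStore() Store {
	return Store{"u1": {ID: "u1", AuthService: ServiceEmail, Password: "correct horse"}}
}

func main() {
	forged := SwitchRequest{CurrentService: ServiceSAML, NewService: ServiceEmail, NewPassword: "attacker-chosen"}
	s := newStore()
	fmt.Println("vulnerable:", switchVulnerable(s, "u1", forged), "| password now:", s["u1"].Password)
	s = newStore()
	fmt.Println("fixed:", switchFixed(s, "u1", forged), "| password still:", s["u1"].Password)
}
```

The forged request carries no current password at all; the vulnerable handler accepts it because it only ever looks at the claimed service, while the fixed handler compares the claim with the stored record first and only then decides whether a password check applies.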

Affected Systems

The advisory lists Mattermost Server 10.11.x through 10.11.10 inclusive as affected. The vendor's fixed releases are 10.11.11 and 11.4.0 (or later on each line). The advisory names no other products or release lines; a deployment on another line should be checked against the vendor advisory rather than assumed unaffected.

Risk and Exploitability

The CVSS 3.1 base score is 3.1 (Low), vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N: high attack complexity, user interaction required, and a low integrity impact with no confidentiality or availability impact. EPSS is below 1%, the CVE is not in the CISA KEV catalog, and the SSVC assessment records Exploitation: none, Automatable: no, Technical Impact: partial. Note that the vector's PR:N does not match the description, which requires the attacker to already be authenticated to the target account; the description should be read as authoritative on that precondition. Once a session is held, the attacker can set a password of their choosing without proving knowledge of the current one, which turns a transient session into durable access to that account.

Generated by OpenCVE AI on March 18, 2026 at 15:38 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.4.0, 10.11.11 or higher.


OpenCVE Recommended Actions

  • Update Mattermost to version 10.11.11 or 11.4.0 or later


Advisories

  Source: GitHub GHSA
  ID:     GHSA-rv67-7w2g-7976
  Title:  Mattermost fails to validate user's authentication method when processing account auth type switch
References
History

Wed, 18 Mar 2026 14:00:00 +0000

  First Time appeared  added: Mattermost mattermost Server
  CPEs                 added: cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
  Vendors & Products   added: Mattermost mattermost Server

Tue, 17 Mar 2026 10:00:00 +0000

  First Time appeared  added: Mattermost; Mattermost mattermost
  Vendors & Products   added: Mattermost; Mattermost mattermost

Mon, 16 Mar 2026 19:15:00 +0000

  Metrics  added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 15:15:00 +0000

  Description  added: Mattermost versions 10.11.x <= 10.11.10 fail to validate user's authentication method when processing account auth type switch which allows an authenticated attacker to change account password without confirmation via falsely claiming a different auth provider. Mattermost Advisory ID: MMSA-2026-00583
  Title        added: Password Change Bypass via Auth Switch Endpoint
  Weaknesses   added: CWE-863
  References   added
  Metrics      added: cvssV3_1 {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-03-16T18:15:37.142Z

Reserved: 2026-02-13T10:01:31.957Z

Link: CVE-2026-22545

Vulnrichment

Updated: 2026-03-16T18:15:31.615Z

NVD

Status : Analyzed

Published: 2026-03-16T15:16:21.123

Modified: 2026-03-18T13:54:31.227

Link: CVE-2026-22545

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:44:17Z

Weaknesses