Description
Mattermost versions 10.11.x <= 10.11.10 fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role. Mattermost Advisory ID: MMSA-2025-00531
Published: 2026-03-16
Score: 3.8 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized privilege downgrade by team administrators
Action: Patch
AI Analysis

Impact

Mattermost server versions 10.11.x up to 10.11.10 contain a flaw where the team member roles API endpoint does not properly enforce permission checks. This allows a user who holds a team administrator role to issue API calls that demote any team member to the Guest role. The primary impact is a unilateral reduction of a member’s privileges, potentially disrupting collaboration and workflow. The vulnerability is related to CWE-863, reflecting improper authorization control over role assignment.

Affected Systems

The affected product is Mattermost Server. Version 10.11.0 through 10.11.10 are impacted. The vendor’s advisory recommends upgrading to 10.11.11 or newer, or to 11.4.0 or newer. No other vendors or product lines are listed in the data.

Risk and Exploitability

The CVSS score is 3.8, indicating moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation. The issue is not listed in the CISA KEV catalog, implying it has not been observed in high-profile exploitation. Exploitation requires authenticated access with team administrator privileges; an authenticated attacker can simply call the API endpoint with the appropriate parameters to demote a member to Guest. The attack vector is therefore internal by authorized users, and the risk is moderate due to the limited impact of privilege reduction and low external exploitability.

Generated by OpenCVE AI on March 18, 2026 at 15:26 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.4.0, 10.11.11 or higher.

OpenCVE Recommended Actions

  • Apply the vendor patch to upgrade Mattermost Server to version 10.11.11 or newer, or to 11.4.0 or newer.

Generated by OpenCVE AI on March 18, 2026 at 15:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://mattermost.com/security-updates cve-icon cve-icon
History

Wed, 18 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost mattermost Server
CPEs cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Vendors & Products Mattermost mattermost Server

Tue, 17 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Mon, 16 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Description Mattermost versions 10.11.x <= 10.11.10 fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role. Mattermost Advisory ID: MMSA-2025-00531
Title Team Admin Privilege Escalation to Demote Members to Guest
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 3.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Mattermost Mattermost Mattermost Server
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-03-17T13:37:17.914Z

Reserved: 2026-02-13T10:39:47.088Z

Link: CVE-2026-26230

cve-icon Vulnrichment

Updated: 2026-03-17T13:37:14.472Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T21:16:33.480

Modified: 2026-03-18T13:56:13.130

Link: CVE-2026-26230

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:49:48Z

Weaknesses