Description
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to properly validate CSRF tokens in the /api/v4/access_control_policies/{policy_id}/activate endpoint, which allows an attacker to trick an admin into changing access control policy active status via a crafted request. Mattermost Advisory ID: MMSA-2026-00578
Published: 2026-03-25
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Now
AI Analysis

Impact

The vulnerability originates from improper CSRF token validation in the /api/v4/access_control_policies/{policy_id}/activate endpoint. An attacker can craft a request that convinces an authenticated administrator to alter the active status of an access control policy. This allows the attacker to enable or disable policies without authorization, potentially changing the intended permissions for users and compromising the integrity of access controls.
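As an added illustration, not code from Mattermost or from this advisory, the Go snippet below shows the server-side check whose absence CWE-352 describes: a state-changing endpoint accepts a request only when the session cookie and a per-session CSRF token presented in a request header both match. The cookie name "session", the header name "X-CSRF-Token", the in-memory session store and the sample token values are all constructed for this example; a browser visiting a malicious page can be made to send the cookie, but cannot read the token, which is why the forged request is rejected before the handler runs.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed in-memory session store for this example:
// session cookie value -> CSRF token bound to that session.
// A real server would consult its session storage instead.
var sessionCSRFTokens = map[string]string{
	"sess-admin-1": "csrf-3f9a1c7e", // constructed sample values
}

// requireCSRF wraps a state-changing handler. The request passes only when the
// session cookie (hypothetical name "session") resolves to a known session AND
// the X-CSRF-Token header (hypothetical name) equals the token bound to that
// session. Safe methods carry no state change and are passed straight through.
func requireCSRF(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next.ServeHTTP(w, r)
			return
		}
		cookie, err := r.Cookie("session")
		if err != nil {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		expected, ok := sessionCSRFTokens[cookie.Value]
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		presented := r.Header.Get("X-CSRF-Token")
		// Constant-time comparison so a mismatch does not leak token bytes via timing.
		if presented == "" ||
			subtle.ConstantTimeCompare([]byte(presented), []byte(expected)) != 1 {
			http.Error(w, "invalid CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// activatePolicy stands in for the policy activation handler. It only accepts
// POST and reports that the state change was reached; the admin-role check a
// real server would perform here is out of scope for this example.
func activatePolicy(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	w.WriteHeader(http.StatusOK)
	fmt.Fprintln(w, "policy active status updated")
}

// RequestStatus sends one request through the protected handler and returns the
// HTTP status code, so each scenario can be checked without a network listener.
func RequestStatus(method, sessionCookie, csrfHeader string) int {
	handler := requireCSRF(http.HandlerFunc(activatePolicy))
	req := httptest.NewRequest(method, "/api/v4/access_control_policies/p1/activate", nil)
	if sessionCookie != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: sessionCookie})
	}
	if csrfHeader != "" {
		req.Header.Set("X-CSRF-Token", csrfHeader)
	}
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("cookie only (cross-site forgery):", RequestStatus("POST", "sess-admin-1", ""))
	fmt.Println("cookie + correct token:          ", RequestStatus("POST", "sess-admin-1", "csrf-3f9a1c7e"))
	fmt.Println("cookie + wrong token:            ", RequestStatus("POST", "sess-admin-1", "csrf-wrong"))
	fmt.Println("no session at all:               ", RequestStatus("POST", "", "csrf-3f9a1c7e"))
}
```

The first scenario is the one the advisory describes: the victim's browser supplies the session cookie automatically, but without the per-session token the middleware returns 403 and the activation handler is never reached. Only the request that carries both the cookie and the matching token gets a 200.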

Affected Systems

The issue affects Mattermost Server. Versions 11.2.0 through 11.2.2, 10.11.0 through 10.11.10, 11.4.0, and 11.3.0 through 11.3.1 are vulnerable. Updating to the recommended patched releases of 11.5.0, 11.2.3, 10.11.11, 11.4.1, 11.3.2, or later resolves the flaw.

Risk and Exploitability

The CVSS score of 4.6 indicates moderate severity. An EPSS score below 1% and absence from the KEV catalog suggest that exploitation of this flaw is currently unlikely, although the attack requires only that an authenticated administrator's browser be induced to send the crafted request. Consequently, the risk remains moderate, but administrators should consider promptly applying the patch.

Generated by OpenCVE AI on March 26, 2026 at 20:54 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.5.0, 11.2.3, 10.11.11, 11.4.1, 11.3.2 or higher.


OpenCVE Recommended Actions

  • Update Mattermost Server to one of the patched releases 11.5.0, 11.2.3, 10.11.11, 11.4.1, 11.3.2 or later.
  • Monitor Mattermost security advisories and apply any subsequent patches as they are released.

Generated by OpenCVE AI on March 26, 2026 at 20:54 UTC.

Advisories

Source: Github GHSA
ID: GHSA-rmhw-c3xr-m3xx
Title: Mattermost doesn't properly validate CSRF tokens

History

Thu, 26 Mar 2026 19:00:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Mattermost mattermost Server
CPEs                 |                | cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Vendors & Products   |                | Mattermost mattermost Server

Thu, 26 Mar 2026 12:00:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Mattermost; Mattermost mattermost
Vendors & Products   |                | Mattermost; Mattermost mattermost

Wed, 25 Mar 2026 18:15:00 +0000

Type                 | Values Removed | Values Added
Metrics              |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:45:00 +0000

Type                 | Values Removed | Values Added
Description          |                | Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to properly validate CSRF tokens in the /api/v4/access_control_policies/{policy_id}/activate endpoint, which allows an attacker to trick an admin into changing access control policy active status via a crafted request. Mattermost Advisory ID: MMSA-2026-00578
Title                |                | CSRF vulnerability in UpdateAccessControlPolicyActiveStatus endpoint
Weaknesses           |                | CWE-352
References           |                |
Metrics              |                | cvssV3_1: {'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-03-25T17:39:28.092Z

Reserved: 2026-02-23T22:18:41.203Z

Link: CVE-2026-27659

Vulnrichment

Updated: 2026-03-25T17:39:23.992Z

NVD

Status: Analyzed

Published: 2026-03-25T17:16:56.977

Modified: 2026-03-26T18:49:34.053

Link: CVE-2026-27659

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:30:31Z

Weaknesses