Description
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to restrict team-level access when processing membership sync from a remote cluster, which allows a malicious remote cluster to grant a user access to an entire private team instead of only the shared channel via sending crafted membership sync messages that trigger team membership assignment. Mattermost Advisory ID: MMSA-2026-00574
Published: 2026-03-26
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized team access elevation
Action: Patch
AI Analysis

Impact

A malicious remote cluster can send crafted membership-synchronization messages that bypass the authorization checks in Mattermost. Because team-level permissions are not restricted while these messages are processed, the attacker can grant a user full membership of a private team instead of limiting them to the shared channel. This escalation directly compromises the confidentiality and integrity of all data and communications within the affected team.

Affected Systems

Mattermost server releases 11.2.x up to 11.2.2, 10.11.x up to 10.11.10, 11.4.x up to 11.4.0, and 11.3.x up to 11.3.1 are vulnerable whenever they accept membership sync from a remote cluster. All installations of these versions that are configured to sync with external Mattermost clusters are at risk.

Risk and Exploitability

The CVSS base score of 5.4 corresponds to Medium severity, while the EPSS score below 1 percent and the absence of this CVE from the CISA KEV catalog suggest a low likelihood of widespread exploitation at present. Exploitation requires control of a trusted remote cluster, or the ability to host a malicious cluster whose sync messages the target accepts, which keeps the attack scenario relatively constrained but still allows a user's privileges to be elevated from channel-level to full team-level.

Generated by OpenCVE AI on March 26, 2026 at 21:29 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.5.0, 11.2.3, 10.11.11, 11.4.1, 11.3.2 or higher.
OpenCVE Recommended Actions

  • Apply the latest patch by upgrading Mattermost to version 11.5.0, 11.2.3, 10.11.11, 11.4.1, 11.3.2 or higher.
  • If an upgrade is not immediately available, temporarily disable or restrict shared channel membership sync with external clusters until the patch can be applied.
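To decide whether a given deployment falls in the affected ranges listed under Affected Systems and, if so, which fix release the Vendor Solution names for that branch, the following checker was added as an example; it is not OpenCVE's or Mattermost's own code. The version ranges and fix releases are copied from the advisory text above; the helper names and the sample versions in the test are constructed for illustration.

```python
"""Check a deployed Mattermost version against the affected and fixed
ranges from MMSA-2026-00574 / CVE-2026-4274.

Added example for this page (not OpenCVE's or Mattermost's code). The
ranges are copied from the advisory; function names are the example's own.
"""
from __future__ import annotations

# Affected branches (major, minor) mapped to the highest vulnerable patch level.
AFFECTED_BRANCHES: dict[tuple[int, int], int] = {
    (11, 2): 2,    # 11.2.x <= 11.2.2
    (10, 11): 10,  # 10.11.x <= 10.11.10
    (11, 4): 0,    # 11.4.x <= 11.4.0
    (11, 3): 1,    # 11.3.x <= 11.3.1
}

# First fixed release on each branch, plus 11.5.0 as the next release line.
FIXED_VERSIONS = ["11.5.0", "11.2.3", "10.11.11", "11.4.1", "11.3.2"]


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (a leading 'v' is tolerated); reject anything else
    rather than guessing, since a mis-parsed version would silently read as safe."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Mattermost version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True when the version lies in one of the advisory's vulnerable ranges.

    Branches the advisory does not list (for example older release lines)
    return False here because the advisory makes no claim about them; that is
    not the same as a statement that they are safe.
    """
    major, minor, patch = parse_version(version)
    max_vuln_patch = AFFECTED_BRANCHES.get((major, minor))
    if max_vuln_patch is None:
        return False
    return patch <= max_vuln_patch


def recommended_upgrade(version: str) -> str | None:
    """Return the fix release on the same branch, or None when not affected.

    The advisory names a patch release per affected branch, so an operator can
    stay on their current line instead of jumping straight to 11.5.0.
    """
    if not is_affected(version):
        return None
    major, minor, _ = parse_version(version)
    for fixed in FIXED_VERSIONS:
        fmaj, fmin, _ = parse_version(fixed)
        if (fmaj, fmin) == (major, minor):
            return fixed
    return "11.5.0"  # not reached for the listed branches; safe default otherwise


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real deployment.
    for v in ["11.2.2", "11.2.3", "10.11.10", "11.4.0", "11.3.1", "11.5.0"]:
        print(f"{v:>9}: affected={is_affected(v)!s:5} upgrade_to={recommended_upgrade(v)}")
```

The version string can be taken from the server's About dialog or its System Console; feeding it to `recommended_upgrade` gives the branch-local fix, and a `None` result means the version is outside every range the advisory lists.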

History

Fri, 27 Mar 2026 08:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Mattermost mattermost
Vendors & Products  |                | Mattermost mattermost

Thu, 26 Mar 2026 19:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Mattermost; Mattermost mattermost Server
CPEs                |                | cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Vendors & Products  |                | Mattermost; Mattermost mattermost Server

Thu, 26 Mar 2026 14:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 11:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to restrict team-level access when processing membership sync from a remote cluster, which allows a malicious remote cluster to grant a user access to an entire private team instead of only the shared channel via sending crafted membership sync messages that trigger team membership assignment. Mattermost Advisory ID: MMSA-2026-00574
Title       |                | Insufficient authorization in shared channel membership sync grants team-level access instead of channel-level access
Weaknesses  |                | CWE-863
References  |                |
Metrics     |                | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-03-26T13:58:41.567Z

Reserved: 2026-03-16T15:18:50.150Z

Link: CVE-2026-4274

Vulnrichment

Updated: 2026-03-26T13:58:36.760Z

NVD

Status : Analyzed

Published: 2026-03-26T11:16:21.257

Modified: 2026-03-26T18:48:39.737

Link: CVE-2026-4274

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:28:47Z

Weaknesses