Impact
The flaw resides in the user active status endpoint, where a bot‑specific permission check is omitted. A User Manager with user‑management write access but no integrations privileges can disable bot accounts by sending a PUT request to /api/v4/users/{id}/active. This lack of authorization verification lets an attacker stop automated notifications, integrations, or monitoring services, but does not provide broader system compromise. The weakness is a failure of correct access control, identified as CWE‑863.
Affected Systems
Mattermost is affected in its 11.7.x releases up to 11.7.0 and its 10.11.x releases up to 10.11.17. Updating to 11.8.0, 11.7.1, 10.11.18 or later removes the vulnerability.
Risk and Exploitability
The CVSS score of 3.8 indicates a low severity issue. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the actor already holds legitimate User Manager write permissions, typically limited to internal administrators. Consequently the attack vector is likely internal, and once exercised, the impact is confined to the disabling of bot accounts rather than a broader compromise.
OpenCVE Enrichment