Description
Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, which allows a User Manager with user management write access but no Integrations access to deactivate bot accounts via the PUT /api/v4/users/{id}/active API endpoint.. Mattermost Advisory ID: MMSA-2026-00667
Published: 2026-06-22
Score: 3.8 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the user active status endpoint, where a bot‑specific permission check is omitted. A User Manager with user‑management write access but no integrations privileges can disable bot accounts by sending a PUT request to /api/v4/users/{id}/active. This lack of authorization verification lets an attacker stop automated notifications, integrations, or monitoring services, but does not provide broader system compromise. The weakness is a failure of correct access control, identified as CWE‑863.

Affected Systems

Mattermost is affected in its 11.7.x releases up to 11.7.0 and its 10.11.x releases up to 10.11.17. Updating to 11.8.0, 11.7.1, 10.11.18 or later removes the vulnerability.

Risk and Exploitability

The CVSS score of 3.8 indicates a low severity issue. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the actor already holds legitimate User Manager write permissions, typically limited to internal administrators. Consequently the attack vector is likely internal, and once exercised, the impact is confined to the disabling of bot accounts rather than a broader compromise.

Generated by OpenCVE AI on June 22, 2026 at 14:36 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.8.0, 11.7.1, 10.11.18 or higher.


OpenCVE Recommended Actions

  • Upgrade Mattermost to version 11.8.0, 11.7.1, 10.11.18 or later.
  • Revoke or limit User Manager write access that can deactivate bots, ensuring that only roles with approved integrations permissions can alter bot accounts.
  • After patching, verify that bot accounts remain active and monitor system logs for any unauthorized deactivation attempts.

Generated by OpenCVE AI on June 22, 2026 at 14:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
History

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Mon, 22 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, which allows a User Manager with user management write access but no Integrations access to deactivate bot accounts via the PUT /api/v4/users/{id}/active API endpoint.. Mattermost Advisory ID: MMSA-2026-00667
Title Improper Permission Check Allows User Manager to Deactivate Bot Accounts
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 3.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L'}


Subscriptions

Mattermost Mattermost
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-06-22T15:40:37.392Z

Reserved: 2026-05-07T10:55:28.977Z

Link: CVE-2026-8074

cve-icon Vulnrichment

Updated: 2026-06-22T15:40:32.574Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T16:30:08Z

Weaknesses