Description
Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to validate bot targets when demoting users to guests, which allows a lower-privileged administrator to degrade arbitrary bot accounts via the standard demote-user API. Mattermost Advisory ID: MMSA-2026-00669
Published: 2026-06-22
Score: 3.8 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In affected Mattermost releases, the demote-to-guest operation checks only that the caller is allowed to demote users; it never checks whether the target account is a bot. An administrator holding a limited system role that carries the demote permission but not bot-management rights (the advisory title names the User Manager role) can therefore demote any bot account to guest, stripping it of the permissions its integrations rely on and breaking automated workflows. The weakness is classified as CWE-863: Incorrect Authorization.
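The authorization pattern at issue, as an added example that is not Mattermost's own code: a reduced demote handler that, like the affected releases, checks only the caller's permission, beside a hardened version that also validates the target. Permission names, the Session and User types, and the choice to allow a bot target when the caller also holds a bot-management permission are assumptions for illustration; the fixed releases may simply reject bot targets.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission and role names below are illustrative assumptions for this
// example; they are not Mattermost's own identifiers or code.
const (
	PermDemoteUserToGuest = "demote_user_to_guest"
	PermManageBots        = "manage_bots"
	RoleGuest             = "system_guest"
)

// User is a reduced model of an account: roles are stored as a
// space-separated string and bots are flagged by IsBot.
type User struct {
	ID    string
	Roles string
	IsBot bool
}

// Session carries the permissions resolved for the caller's system role.
type Session struct {
	UserID      string
	Permissions map[string]bool
}

func (s Session) Has(p string) bool { return s.Permissions[p] }

var (
	ErrForbidden = errors.New("caller may not demote users")
	ErrBotTarget = errors.New("target is a bot and caller lacks bot-management permission")
)

// demoteVulnerable reproduces the flaw described in the advisory: it checks
// only the caller's demote permission and never inspects what the target is,
// so a User Manager can demote any bot account.
func demoteVulnerable(s Session, target *User) error {
	if !s.Has(PermDemoteUserToGuest) {
		return ErrForbidden
	}
	target.Roles = RoleGuest
	return nil
}

// demoteFixed validates the target as well as the caller. A bot target is
// refused unless the caller also holds the bot-management permission.
func demoteFixed(s Session, target *User) error {
	if !s.Has(PermDemoteUserToGuest) {
		return ErrForbidden
	}
	if target.IsBot && !s.Has(PermManageBots) {
		return ErrBotTarget
	}
	target.Roles = RoleGuest
	return nil
}

func main() {
	// A limited administrator with the demote permission but no bot rights.
	userManager := Session{UserID: "um1", Permissions: map[string]bool{PermDemoteUserToGuest: true}}

	bot := &User{ID: "bot1", Roles: "system_user", IsBot: true}
	fmt.Println("vulnerable:", demoteVulnerable(userManager, bot), "roles now", bot.Roles)

	bot = &User{ID: "bot1", Roles: "system_user", IsBot: true}
	fmt.Println("fixed:     ", demoteFixed(userManager, bot), "roles now", bot.Roles)
}
```

The point of the second check is that authorization must consider the object being acted on, not only the verb: "may demote users" and "may act on bots" are separate decisions, and the vulnerable path only ever asked the first question.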

Affected Systems

Mattermost 11.7.0 (the 11.7.x line up to and including 11.7.0) and 10.11.0 through 10.11.17 are affected. Versions 11.8.0, 11.7.1 and 10.11.18, and later releases on those lines, contain the fix.

Risk and Exploitability

The CVSS 3.1 base score of 3.8 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L) rates the issue as low severity: the demote endpoint is reachable over the network, but the attacker must already hold an administrative role with the demote permission (PR:H), and the effect is limited to the integrity and availability of bot accounts, with no confidentiality impact. No EPSS score has been assigned and the vulnerability is not listed in the CISA KEV catalog, so there is no evidence of exploitation in the wild; the SSVC assessment recorded in the history below likewise marks Exploitation as none and Automatable as no. The realistic concern is an insider, or a compromised User Manager account, quietly breaking integrations (alerting, CI, chatops bots) by demoting them, so the overall risk is low and best handled as a least-privilege hygiene issue alongside the upgrade.

Generated by OpenCVE AI on June 22, 2026 at 16:52 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.8.0, 11.7.1, 10.11.18 or higher.


OpenCVE Recommended Actions

  • Upgrade Mattermost to 11.8.0, or to the patch releases 11.7.1 (11.7 line) or 10.11.18 (10.11 line)
  • Until the upgrade is applied, minimise the number of accounts holding system roles that can demote users to guests (for example User Manager), since any such account can target bot accounts; removing bot‑management rights does not mitigate this issue, because the flaw is that the demote path never required them
  • If your deployment does not use guest accounts, keeping guest accounts disabled in the server configuration (GuestAccountsSettings.Enable) should also make the demote-to-guest endpoint unusable; confirm this behaviour on your own version
  • Monitor and audit changes to bot accounts: periodically check whether any bot user carries the system_guest role, and alert on demote-to-guest events in the server audit log where the target is a bot
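A check supporting the least-privilege and monitoring actions above, as an added example that is not part of this page or of Mattermost: it takes a user list in the JSON shape of the user-listing API (fields id, username, roles, is_bot) from a constructed sample, reports bot accounts that have ended up with the system_guest role, and lists the non-bot accounts whose system roles let them demote users. The sample data and the set of roles treated as demote-capable are assumptions; point it at the output of the real API to run it against a live server.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// apiUser holds the fields of a Mattermost user object used here; the field
// names follow the JSON the user-listing API returns.
type apiUser struct {
	ID       string `json:"id"`
	Username string `json:"username"`
	Roles    string `json:"roles"` // space-separated system roles
	IsBot    bool   `json:"is_bot"`
}

// demoteCapableRoles is an assumption for this example: system roles that,
// in a default setup, may demote users to guests and so can reach this bug.
var demoteCapableRoles = map[string]bool{
	"system_admin":        true,
	"system_manager":      true,
	"system_user_manager": true,
}

func hasRole(u apiUser, role string) bool {
	for _, r := range strings.Fields(u.Roles) {
		if r == role {
			return true
		}
	}
	return false
}

func parseUsers(usersJSON []byte) ([]apiUser, error) {
	var users []apiUser
	if err := json.Unmarshal(usersJSON, &users); err != nil {
		return nil, fmt.Errorf("parsing user list: %w", err)
	}
	return users, nil
}

// FindDemotedBots returns the usernames of bot accounts that currently hold
// the system_guest role, the state a successful abuse of this bug leaves behind.
func FindDemotedBots(usersJSON []byte) ([]string, error) {
	users, err := parseUsers(usersJSON)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, u := range users {
		if u.IsBot && hasRole(u, "system_guest") {
			out = append(out, u.Username)
		}
	}
	return out, nil
}

// FindDemoteCapableAccounts returns the usernames of non-bot accounts whose
// system roles let them demote users; this is the set to keep minimal until
// the server is upgraded.
func FindDemoteCapableAccounts(usersJSON []byte) ([]string, error) {
	users, err := parseUsers(usersJSON)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, u := range users {
		if u.IsBot {
			continue
		}
		for r := range demoteCapableRoles {
			if hasRole(u, r) {
				out = append(out, u.Username)
				break
			}
		}
	}
	return out, nil
}

// sampleUsers is a constructed sample in the shape of a user-listing
// response, not data from any real server.
const sampleUsers = `[
  {"id":"u1","username":"alice","roles":"system_user system_admin","is_bot":false},
  {"id":"u2","username":"bob","roles":"system_user system_user_manager","is_bot":false},
  {"id":"u3","username":"carol","roles":"system_user","is_bot":false},
  {"id":"b1","username":"ci-bot","roles":"system_guest","is_bot":true},
  {"id":"b2","username":"alerts-bot","roles":"system_user","is_bot":true}
]`

func main() {
	bots, err := FindDemotedBots([]byte(sampleUsers))
	if err != nil {
		panic(err)
	}
	fmt.Println("bots demoted to guest:", bots)
	admins, _ := FindDemoteCapableAccounts([]byte(sampleUsers))
	fmt.Println("accounts able to demote users:", admins)
}
```

Run the first check on a schedule and alert on any non-empty result; a bot that legitimately holds the guest role is unusual enough to warrant a ticket. The second list is the review target for the interim least-privilege action.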

Generated by OpenCVE AI on June 22, 2026 at 16:52 UTC.


Advisories

No advisories yet.

References
History

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to validate bot targets when demoting users to guests which allows a lower-privileged administrator to degrade arbitrary bot accounts via the standard demote-user API.. Mattermost Advisory ID: MMSA-2026-00669
Title User Manager can demote bot accounts to guest without bot-management permission
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 3.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-06-22T16:12:31.350Z

Reserved: 2026-05-18T10:05:31.691Z

Link: CVE-2026-8823

Vulnrichment

Updated: 2026-06-22T16:12:26.753Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T17:00:06Z

Weaknesses