CVE-2026-7387
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk21th percentile - higher than 21% of all known CVEs
Summary
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.16 fail to require role-management authorization when setting the scheme_admin flag on group syncable link and patch endpoints, allowing a user with group-link permissions to escalate themselves and group members to team or channel admin via crafted API requests.
Risk Assessment
The lack of proper authorization may lead to unauthorized access to administrative functions, posing a serious security threat to the organization.
Recommendation
It is recommended to update Mattermost to the latest version to mitigate this vulnerability and implement additional authorization mechanisms for role management operations.
Original NVD description (English source)
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 Mattermost fails to require role-management authorization when setting the scheme_admin flag on group syncable link and patch endpoints, which allows a user with group-link permissions to escalate themselves and group members to team or channel admin via crafted API requests.. Mattermost Advisory ID: MMSA-2026-00665

