CVE Catalog

CVE-2026-7387

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

21th percentile - higher than 21% of all known CVEs

Summary

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.16 fail to require role-management authorization when setting the scheme_admin flag on group syncable link and patch endpoints, allowing a user with group-link permissions to escalate themselves and group members to team or channel admin via crafted API requests.

Risk Assessment

The lack of proper authorization may lead to unauthorized access to administrative functions, posing a serious security threat to the organization.

Recommendation

It is recommended to update Mattermost to the latest version to mitigate this vulnerability and implement additional authorization mechanisms for role management operations.

Original NVD description (English source)

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 Mattermost fails to require role-management authorization when setting the scheme_admin flag on group syncable link and patch endpoints, which allows a user with group-link permissions to escalate themselves and group members to team or channel admin via crafted API requests.. Mattermost Advisory ID: MMSA-2026-00665

Vulnerability data from NVD (NIST) · CISA KEV · EPSS