
CVE-2026-8074

Severity: Low (CVSS 3.8)

Exploitation Probability (EPSS)

Low risk
0.19%

9th percentile — higher than 9% of all known CVEs

Summary

Mattermost versions 11.7.x up to 11.7.0 and 10.11.x up to 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint. This allows a User Manager with user management write access but no Integrations access to deactivate bot accounts via the PUT /api/v4/users/{id}/active API endpoint.

Risk Assessment

The organization may be exposed to unauthorized deactivation of bot accounts, which could affect application functionality and trust in the user management system.

Recommendation

It is recommended to upgrade to the latest version of Mattermost to ensure proper enforcement of bot permission checks and minimize the risk of unauthorized actions.

Original NVD description (English source)

Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, which allows a User Manager with user management write access but no Integrations access to deactivate bot accounts via the PUT /api/v4/users/{id}/active API endpoint. Mattermost Advisory ID: MMSA-2026-00667

Vulnerability data from NVD (NIST) · CISA KEV · EPSS