CVE-2024-4198
Severity
LOW
Mattermost 8.1.0-8.1.11, 9.5.0-9.5.2, 9.6.0 - Authenticated Role Demotion via Crafted HTTP Requests
Title source: llmDescription
Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to demote users to guest via crafted HTTP requests.
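The weakness the description names is a role-change endpoint that verifies who is asking (a team admin) but not what is being asked (the role value carried in the request body). The following is an added illustration in Go of that pattern beside its fix; it is not Mattermost code, and the real endpoint, request shape and role names are not given on this page. The role names, the X-Caller-ID header, the user_id query parameter, the {"role": ...} JSON body and the assumption that guest is a system-scoped role a team admin may not assign are all hypothetical.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
)

// Hypothetical role model: "guest" is assumed to be system-scoped and only a
// system admin may assign it; a team admin may only move members between
// team_user and team_admin.
type Role string

const (
	RoleSystemAdmin Role = "system_admin"
	RoleTeamAdmin   Role = "team_admin"
	RoleTeamUser    Role = "team_user"
	RoleGuest       Role = "guest"
)

type User struct {
	ID   string
	Role Role
}

var (
	ErrForbidden = errors.New("forbidden")
	ErrBadRole   = errors.New("role unknown or not assignable by caller")
)

// assignable is the allow-list of roles each privilege level may set or touch.
var assignable = map[Role]map[Role]bool{
	RoleSystemAdmin: {RoleSystemAdmin: true, RoleTeamAdmin: true, RoleTeamUser: true, RoleGuest: true},
	RoleTeamAdmin:   {RoleTeamAdmin: true, RoleTeamUser: true},
}

// UpdateRoleVulnerable models the described weakness: it checks WHO asks
// but not WHAT is asked, so a body carrying "guest" is written straight through.
func UpdateRoleVulnerable(caller, target *User, requested Role) error {
	if assignable[caller.Role] == nil {
		return ErrForbidden
	}
	target.Role = requested
	return nil
}

// UpdateRoleFixed checks both ends of the transition against the caller's
// allow-list and rejects unknown role strings instead of storing them.
func UpdateRoleFixed(caller, target *User, requested Role) error {
	allowed := assignable[caller.Role]
	if allowed == nil {
		return ErrForbidden
	}
	if !allowed[requested] {
		return ErrBadRole
	}
	if !allowed[target.Role] {
		return ErrForbidden
	}
	target.Role = requested
	return nil
}

// RoleHandler is a stand-in request path: caller from an X-Caller-ID header
// (hypothetical; a real server uses the session), target from ?user_id=,
// requested role from the JSON body {"role": "..."}.
func RoleHandler(users map[string]*User, update func(caller, target *User, requested Role) error) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		caller, target := users[r.Header.Get("X-Caller-ID")], users[r.URL.Query().Get("user_id")]
		if caller == nil || target == nil {
			http.Error(w, "unknown user", http.StatusNotFound)
			return
		}
		var body struct {
			Role string `json:"role"`
		}
		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
			http.Error(w, "bad request body", http.StatusBadRequest)
			return
		}
		switch err := update(caller, target, Role(body.Role)); {
		case err == nil:
			w.WriteHeader(http.StatusOK)
		case errors.Is(err, ErrForbidden):
			http.Error(w, err.Error(), http.StatusForbidden)
		default:
			http.Error(w, err.Error(), http.StatusBadRequest)
		}
	}
}

func main() {
	admin := &User{ID: "admin", Role: RoleTeamAdmin}
	alice, bob := &User{ID: "alice", Role: RoleTeamUser}, &User{ID: "bob", Role: RoleTeamUser}
	fmt.Println("vulnerable:", UpdateRoleVulnerable(admin, alice, RoleGuest), alice.Role)
	fmt.Println("fixed:", UpdateRoleFixed(admin, bob, RoleGuest), bob.Role)
}
```

The fix validates the transition at both ends: a team admin may set only team_user or team_admin, may only change a user who currently holds one of those roles, and an unrecognised role string is rejected rather than stored. When verifying a patched deployment, the check to run is a role-change request from a team-admin session that names a role outside that caller's scope; the expected result is a 4xx response with the target's role unchanged.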
References (1)
Vendor Advisory
https://mattermost.com/security-updates
Scores
CVSS v3.1
2.7
EPSS
0.0014
EPSS Percentile
33.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-284 Improper Access Control
Status
published
Products (3)
mattermost/mattermost-server
9.6.0-rc1 - 9.6.1 (Go)
mattermost/mattermost_server
9.6.0 (4 CPE variants)
mattermost/mattermost_server
8.1.0 - 8.1.12
Published
Apr 26, 2024
Tracked Since
Feb 18, 2026