CVE-2026-0999

MEDIUM

Mattermost 11.1.x-11.1.2 - Auth Bypass

Title source: llm

Description

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548

References (1)

[Various Sources] https://mattermost.com/security-updates

Scores

CVSS v3 5.4

EPSS 0.0005

EPSS Percentile 15.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-303

Status published

Products (3)

mattermost/mattermost 0 - 8.0.0-20251212052346-61651b0df7eaGo

mattermost/mattermost-server 11.1.0Go

mattermost/mattermost_server 10.11.0 - 10.11.10

Published Feb 16, 2026

Tracked Since Feb 18, 2026