CVE-2026-10085

MEDIUM

Ordinary group/direct message member can enable group_constrained and remove all channel participants

Title source: cna
STIX 2.1

Description

Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to restrict the group_constrained channel flag to public and private channels that support group synchronization, which allows an ordinary group or direct message member to remove all participants from the conversation via the channel patch API.. Mattermost Advisory ID: MMSA-2026-00688

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory
MMSA-2026-00688
https://mattermost.com/security-updates

Scores

CVSS v3 5.4
EPSS 0.0017
EPSS Percentile 6.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (7)
Mattermost/Mattermost 10.11.0 - 10.11.19
Mattermost/Mattermost 10.11.20
Mattermost/Mattermost 11.6.0 - 11.6.4
Mattermost/Mattermost 11.6.5
Mattermost/Mattermost 11.7.0 - 11.7.2
Mattermost/Mattermost 11.7.3
Mattermost/Mattermost 11.8.0
Published Jul 13, 2026
Tracked Since Jul 13, 2026