CVE-2026-26230

LOW

Team Admin Privilege Escalation to Demote Members to Guest

Title source: cna

Description

Mattermost versions 10.11.x <= 10.11.10 fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role. Mattermost Advisory ID: MMSA-2025-00531

References (1)

[Vendor Advisory] https://mattermost.com/security-updates

Scores

CVSS v3 3.8

EPSS 0.0003

EPSS Percentile 10.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Details

CWE

CWE-863

Status published

Products (4)

Mattermost/Mattermost 10.11.0 - 10.11.10

Mattermost/Mattermost 10.11.11

Mattermost/Mattermost 11.4.0

mattermost/mattermost_server 10.11.0 - 10.11.11

Published Mar 16, 2026

Tracked Since Mar 17, 2026