CVE-2026-27659

MEDIUM

CSRF vulnerability in UpdateAccessControlPolicyActiveStatus endpoint

Title source: cna

Description

Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to properly validate CSRF tokens in the /api/v4/access_control_policies/{policy_id}/activate endpoint, which allows an attacker to trick an admin into changing access control policy active status via a crafted request.. Mattermost Advisory ID: MMSA-2026-00578

References (1)

[Vendor Advisory] https://mattermost.com/security-updates

Scores

CVSS v3 4.6

EPSS 0.0003

EPSS Percentile 7.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-352

Status published

Products (11)

Mattermost/Mattermost 10.11.0 - 10.11.10

Mattermost/Mattermost 10.11.11

Mattermost/Mattermost 11.2.0 - 11.2.2

Mattermost/Mattermost 11.2.3

Mattermost/Mattermost 11.3.0 - 11.3.1

Mattermost/Mattermost 11.3.2

Mattermost/Mattermost 11.4.0

mattermost/mattermost 11.4.0-rc1 - 11.4.1Go

Mattermost/Mattermost 11.4.1

Mattermost/Mattermost 11.5.0

... and 1 more

Published Mar 25, 2026

Tracked Since Mar 25, 2026