CVE-2026-8074

LOW EPSS 9.0%

Published Jun 22, 20261w ago · Modified Jun 23, 20266d ago

3.8 CVSS 3.1

Low

Published Jun 22, 2026 1w ago

Last Modified Jun 23, 2026 6d ago

Description

Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, which allows a User Manager with user management write access but no Integrations access to deactivate bot accounts via the PUT /api/v4/users/{id}/active API endpoint.. Mattermost Advisory ID: MMSA-2026-00667

CVSS Details

Base Score

3.8

Exploitability

1.2

Impact

2.5

Vector string

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L

Attack Vector Network

Attack Complexity Low

Privileges Required High

User Interaction None

Scope Unchanged

Confidentiality None

Integrity Low

Availability Low

Threat Intelligence

EPSS Exploit Probability

9.0% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-863 Incorrect Authorization Authorization

Affected Products 2

Vendor	Product	Version	Range
mattermost	mattermost_server	*	≥10.11.0 – <10.11.18
mattermost	mattermost_server	*	≥11.7.0 – <11.7.1

References 1

mattermost.com https://mattermost.com/security-updates

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.