{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27659", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2026-02-23T22:18:41.203Z", "datePublished": "2026-03-25T16:33:32.724Z", "dateUpdated": "2026-03-25T17:39:28.092Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "11.2.2", "status": "affected", "version": "11.2.0", "versionType": "semver"}, {"lessThanOrEqual": "10.11.10", "status": "affected", "version": "10.11.0", "versionType": "semver"}, {"lessThanOrEqual": "11.4.0", "status": "affected", "version": "11.4.0", "versionType": "semver"}, {"lessThanOrEqual": "11.3.1", "status": "affected", "version": "11.3.0", "versionType": "semver"}, {"version": "11.5.0", "status": "unaffected"}, {"version": "11.2.3", "status": "unaffected"}, {"version": "10.11.11", "status": "unaffected"}, {"version": "11.4.1", "status": "unaffected"}, {"version": "11.3.2", "status": "unaffected"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Joshua Rogers"}], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to properly validate CSRF tokens in the /api/v4/access_control_policies/{policy_id}/activate endpoint, which allows an attacker to trick an admin into changing access control policy active status via a crafted request.. Mattermost Advisory ID: MMSA-2026-00578"}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "baseSeverity": "MEDIUM", "baseScore": 4.6}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352"}]}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2026-00578", "tags": ["vendor-advisory"]}], "solutions": [{"value": "Update Mattermost to versions 11.5.0, 11.2.3, 10.11.11, 11.4.1, 11.3.2 or higher.", "lang": "en"}], "source": {"advisory": "MMSA-2026-00578", "defect": ["https://mattermost.atlassian.net/browse/MM-67125"], "discovery": "EXTERNAL"}, "title": "CSRF vulnerability in UpdateAccessControlPolicyActiveStatus endpoint", "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-03-25T16:33:32.724Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T17:39:20.789294Z", "id": "CVE-2026-27659", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T17:39:28.092Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27659", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T17:39:20.789294Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T17:39:23.992Z"}}], "cna": {"title": "CSRF vulnerability in UpdateAccessControlPolicyActiveStatus endpoint", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-67125"], "advisory": "MMSA-2026-00578", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Joshua Rogers"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "11.2.0", "versionType": "semver", "lessThanOrEqual": "11.2.2"}, {"status": "affected", "version": "10.11.0", "versionType": "semver", "lessThanOrEqual": "10.11.10"}, {"status": "affected", "version": "11.4.0", "versionType": "semver", "lessThanOrEqual": "11.4.0"}, {"status": "affected", "version": "11.3.0", "versionType": "semver", "lessThanOrEqual": "11.3.1"}, {"status": "unaffected", "version": "11.5.0"}, {"status": "unaffected", "version": "11.2.3"}, {"status": "unaffected", "version": "10.11.11"}, {"status": "unaffected", "version": "11.4.1"}, {"status": "unaffected", "version": "11.3.2"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost to versions 11.5.0, 11.2.3, 10.11.11, 11.4.1, 11.3.2 or higher."}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2026-00578", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to properly validate CSRF tokens in the /api/v4/access_control_policies/{policy_id}/activate endpoint, which allows an attacker to trick an admin into changing access control policy active status via a crafted request.. Mattermost Advisory ID: MMSA-2026-00578"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-03-25T16:33:32.724Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27659", "state": "PUBLISHED", "dateUpdated": "2026-03-25T17:39:28.092Z", "dateReserved": "2026-02-23T22:18:41.203Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2026-03-25T16:33:32.724Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to properly validate CSRF tokens in the /api/v4/access_control_policies/{policy_id}/activate endpoint, which allows an attacker to trick an admin into changing access control policy active status via a crafted request.. Mattermost Advisory ID: MMSA-2026-00578"}], "id": "CVE-2026-27659", "lastModified": "2026-03-26T15:13:15.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}, "published": "2026-03-25T17:16:56.977", "references": [{"source": "responsibledisclosure@mattermost.com", "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.2.0,11.2.2]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.11.0,10.11.10]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.4.0,11.4.0]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.3.0,11.3.1]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[11.5.0,11.5.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[11.2.3,11.2.3]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[10.11.11,10.11.11]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[11.4.1,11.4.1]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[11.3.2,11.3.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Mattermost", "source": "cna", "vendor": "Mattermost"}, "product": "mattermost", "vendor": "mattermost"}], "analysis": {"en": {"generated_at": "2026-03-25T18:25:25.240125+00:00", "value": {"mitigation_remediation": ["Update Mattermost to versions 11.5.0, 11.2.3, 10.11.11, 11.4.1, 11.3.2 or higher."], "summary": {"action": "Apply patch", "impact": "Unauthorized administrative change"}, "threat_synthesis": {"affected_systems": "Mattermost servers running any of the following versions are affected: 10.11.x through 10.11.10, 11.2.x through 11.2.2, 11.3.x through 11.3.1, and 11.4.x through 11.4.0.", "description_and_impact": "An unvalidated CSRF token check in the UpdateAccessControlPolicyActiveStatus endpoint allows an attacker to trick an authenticated administrator into altering the active status of an access control policy. This unauthorized change can enable the attacker to modify which users are allowed to access services, potentially granting elevated privileges or disabling security controls. The weakness is a cross\u2011site request forgery flaw identified as CWE\u2011352.", "risk_and_exploitability": "With a CVSS score of 4.6, the vulnerability is considered medium severity. The EPSS score is unavailable, and it is not listed in the CISA KEV catalog, suggesting limited evidence of widespread exploitation. The attack vector is inferred from the nature of CSRF: a malicious third\u2011party page can send a crafted request to the vulnerable endpoint while an admin\u2019s browser is authenticated, allowing privilege escalation by changing policy settings."}}}}, "created": "2026-03-25T21:46:56.226023+00:00", "updated": "2026-03-26T11:34:38.713871+00:00", "vendors": ["mattermost", "mattermost$PRODUCT$mattermost"]}