{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4274", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2026-03-16T15:18:50.150Z", "datePublished": "2026-03-26T10:43:24.611Z", "dateUpdated": "2026-03-26T13:58:41.567Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "11.2.2", "status": "affected", "version": "11.2.0", "versionType": "semver"}, {"lessThanOrEqual": "10.11.10", "status": "affected", "version": "10.11.0", "versionType": "semver"}, {"lessThanOrEqual": "11.4.0", "status": "affected", "version": "11.4.0", "versionType": "semver"}, {"lessThanOrEqual": "11.3.1", "status": "affected", "version": "11.3.0", "versionType": "semver"}, {"version": "11.5.0", "status": "unaffected"}, {"version": "11.2.3", "status": "unaffected"}, {"version": "10.11.11", "status": "unaffected"}, {"version": "11.4.1", "status": "unaffected"}, {"version": "11.3.2", "status": "unaffected"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daw10"}], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to restrict team-level access when processing membership sync from a remote cluster, which allows a malicious remote cluster to grant a user access to an entire private team instead of only the shared channel via sending crafted membership sync messages that trigger team membership assignment. Mattermost Advisory ID: MMSA-2026-00574"}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseSeverity": "MEDIUM", "baseScore": 5.4}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-863: Incorrect Authorization", "cweId": "CWE-863"}]}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2026-00574", "tags": ["vendor-advisory"]}], "solutions": [{"value": "Update Mattermost to versions 11.5.0, 11.2.3, 10.11.11, 11.4.1, 11.3.2 or higher.", "lang": "en"}], "source": {"advisory": "MMSA-2026-00574", "defect": ["https://mattermost.atlassian.net/browse/MM-67099"], "discovery": "EXTERNAL"}, "title": "Insufficient authorization in shared channel membership sync grants team-level access instead of channel-level access", "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-03-26T10:43:24.611Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T13:58:33.420989Z", "id": "CVE-2026-4274", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:58:41.567Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4274", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2026-03-16T15:18:50.150Z", "datePublished": "2026-03-26T10:43:24.611Z", "dateUpdated": "2026-03-26T13:58:41.567Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "11.2.2", "status": "affected", "version": "11.2.0", "versionType": "semver"}, {"lessThanOrEqual": "10.11.10", "status": "affected", "version": "10.11.0", "versionType": "semver"}, {"lessThanOrEqual": "11.4.0", "status": "affected", "version": "11.4.0", "versionType": "semver"}, {"lessThanOrEqual": "11.3.1", "status": "affected", "version": "11.3.0", "versionType": "semver"}, {"version": "11.5.0", "status": "unaffected"}, {"version": "11.2.3", "status": "unaffected"}, {"version": "10.11.11", "status": "unaffected"}, {"version": "11.4.1", "status": "unaffected"}, {"version": "11.3.2", "status": "unaffected"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daw10"}], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to restrict team-level access when processing membership sync from a remote cluster, which allows a malicious remote cluster to grant a user access to an entire private team instead of only the shared channel via sending crafted membership sync messages that trigger team membership assignment. Mattermost Advisory ID: MMSA-2026-00574"}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseSeverity": "MEDIUM", "baseScore": 5.4}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-863: Incorrect Authorization", "cweId": "CWE-863"}]}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2026-00574", "tags": ["vendor-advisory"]}], "solutions": [{"value": "Update Mattermost to versions 11.5.0, 11.2.3, 10.11.11, 11.4.1, 11.3.2 or higher.", "lang": "en"}], "source": {"advisory": "MMSA-2026-00574", "defect": ["https://mattermost.atlassian.net/browse/MM-67099"], "discovery": "EXTERNAL"}, "title": "Insufficient authorization in shared channel membership sync grants team-level access instead of channel-level access", "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-03-26T10:43:24.611Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4274", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T13:58:33.420989Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:58:36.760Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to restrict team-level access when processing membership sync from a remote cluster, which allows a malicious remote cluster to grant a user access to an entire private team instead of only the shared channel via sending crafted membership sync messages that trigger team membership assignment. Mattermost Advisory ID: MMSA-2026-00574"}], "id": "CVE-2026-4274", "lastModified": "2026-03-26T11:16:21.257", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}, "published": "2026-03-26T11:16:21.257", "references": [{"source": "responsibledisclosure@mattermost.com", "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-26T12:21:15.044016+00:00", "value": {"mitigation_remediation": ["Apply the official Mattermost patch: upgrade to version 11.5.0 or later, 11.2.3 or later, 10.11.11 or later, 11.4.1 or later, or 11.3.2 or later.", "Verify that your cluster does not accept untrusted remote sync messages by restricting federation settings.", "Validate current team membership to ensure no unauthorized users are present.", "Monitor logs for unexpected membership changes or sync activity from unknown clusters."], "summary": {"action": "Patch Now", "impact": "Privilege Escalation to Full Team Access"}, "threat_synthesis": {"affected_systems": "Mattermost versions 11.2.x up to 11.2.2, 10.11.x up to 10.11.10, 11.4.x up to 11.4.0, and 11.3.x up to 11.3.1 are affected.", "description_and_impact": "The vulnerability stems from inadequate authorization checks in the shared channel membership synchronization process. Crafting membership sync messages from a remote cluster can cause Mattermost to grant a user full access to a private team, rather than limiting them to a single shared channel. This elevation of privileges permits an attacker to read, modify, or delete any data within the entire team namespace. The weakness aligns with CWE\u2011863, an authorization bypass through insufficient privileges.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a medium severity risk. No EPSS score is available and the vulnerability is not listed in the KEV catalog, suggesting no widespread exploitation yet. However, the attack vector is mainly via a malicious remote cluster that sends specially crafted sync messages, which can be performed over the network without authentication to the target cluster, allowing the attacker to elevate privileges. Assuming such a cluster exists, the risk could be significant."}}}}, "created": "2026-03-26T13:54:53.867469+00:00", "updated": "2026-03-26T13:54:53.867493+00:00", "vendors": []}