CVE-2026-4274

Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to restrict team-level access when processing membership sync from a remote cluster, which allows a malicious remote cluster to grant a user access to an entire private team instead of only the shared channel via sending crafted membership sync messages that trigger team membership assignment. Mattermost Advisory ID: MMSA-2026-00574

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://mattermost.com/security-updates	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server::::::::

History

No history.

Information

Published : 2026-03-26 11:16

Updated : 2026-03-26 18:48

NVD link : CVE-2026-4274

Mitre link : CVE-2026-4274

CVE.ORG link : CVE-2026-4274

JSON object : View

Products Affected

mattermost

mattermost_server

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2026-4274", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "responsibledisclosure@mattermost.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2026-03-26T11:16:21.257", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["Vendor Advisory"], "source": "responsibledisclosure@mattermost.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "responsibledisclosure@mattermost.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to restrict team-level access when processing membership sync from a remote cluster, which allows a malicious remote cluster to grant a user access to an entire private team instead of only the shared channel via sending crafted membership sync messages that trigger team membership assignment. Mattermost Advisory ID: MMSA-2026-00574"}, {"lang": "es", "value": "Versiones de Mattermost 11.2.x hasta 11.2.2, 10.11.x hasta 10.11.10, 11.4.x hasta 11.4.0, 11.3.x hasta 11.3.1 no restringen el acceso a nivel de equipo al procesar la sincronizaci\u00f3n de membres\u00eda desde un cl\u00faster remoto, lo que permite a un cl\u00faster remoto malicioso otorgar a un usuario acceso a un equipo privado completo en lugar de solo al canal compartido mediante el env\u00edo de mensajes de sincronizaci\u00f3n de membres\u00eda manipulados que desencadenan la asignaci\u00f3n de membres\u00eda de equipo. ID de Aviso de Mattermost: MMSA-2026-00574"}], "lastModified": "2026-03-26T18:48:39.737", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B6E5F368-358C-429B-8F04-3C8DF4A71A91", "versionEndExcluding": "10.11.11", "versionStartIncluding": "10.11.0"}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7F64C167-943D-4F3F-9374-BCC8DECB3881", "versionEndExcluding": "11.2.3", "versionStartIncluding": "11.2.0"}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "805ECFFC-82FD-4754-AF95-32167E1D41CB", "versionEndExcluding": "11.3.2", "versionStartIncluding": "11.3.0"}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "839BC7B7-28DF-4125-937A-8B0D2D6893C2", "versionEndExcluding": "11.4.1", "versionStartIncluding": "11.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "responsibledisclosure@mattermost.com"}