CVE-2026-27659
CSRF Vulnerability in Mattermost Access Control Policy Activation
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: Mattermost, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.11 (exc) |
| mattermost | mattermost_server | From 11.2.0 (inc) to 11.2.3 (exc) |
| mattermost | mattermost_server | From 11.3.0 (inc) to 11.3.2 (exc) |
| mattermost | mattermost_server | From 11.4.0 (inc) to 11.4.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in certain versions of Mattermost where the system fails to properly validate CSRF tokens in the /api/v4/access_control_policies/{policy_id}/activate endpoint.
Because of this improper validation, an attacker can trick an administrator into changing the active status of an access control policy by sending a specially crafted request.
How can this vulnerability impact me? :
The vulnerability allows an attacker to manipulate access control policies by changing their active status without proper authorization.
This could lead to unauthorized changes in security settings, potentially weakening the system's access controls and exposing sensitive data or functionality.