CVE-2026-4274
Improper Access Control in Mattermost Team Membership Sync
Publication date: 2026-03-26
Last updated on: 2026-03-26
Assigner: Mattermost, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.11 (exc) |
| mattermost | mattermost_server | From 11.2.0 (inc) to 11.2.3 (exc) |
| mattermost | mattermost_server | From 11.3.0 (inc) to 11.3.2 (exc) |
| mattermost | mattermost_server | From 11.4.0 (inc) to 11.4.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects certain versions of Mattermost where the system fails to properly restrict team-level access during membership synchronization from a remote cluster.
Specifically, a malicious remote cluster can exploit this flaw by sending crafted membership sync messages that incorrectly assign a user access to an entire private team instead of limiting access to only the shared channel.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access where a user gains access to an entire private team without proper permission.
Such unauthorized access could expose sensitive information shared within private teams, potentially leading to data leakage or privacy breaches.