Primary

Context

Mattermost Authentication Method Validation Vulnerability Allowing Password Change Without Confirmation

Vulnerability

Patched

A vulnerability exists in Mattermost versions 10.11.x prior to 10.11.10, where the application fails to properly validate the user's authentication method during account type switches. This flaw enables an authenticated attacker to change a user's password without confirmation by falsely claiming to use a different authentication provider.

Impact

Exploitation of this vulnerability allows for unauthorized password changes, potentially leading to account takeover.

Remediation

Users can upgrade to Mattermost version 10.11.10 or later to address this vulnerability.

Added: Mar 16, 2026, 3:39 PM

Updated: Mar 16, 2026, 3:39 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

5.0

exploitability

5.2

remediation

7.7

relevance

4.0

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

5.0

exploitability

5.2

remediation

7.7

relevance

4.0

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Mattermost Authentication Method Validation Vulnerability Allowing Password Change Without Confirmation

Vulnerability

Impact

Remediation

Affected Products

Mattermost

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating