Primary

Context

Mattermost Improper Permission Validation in Team Member Roles API Endpoint Allowing Unauthorized Demotion to Guest Role

Vulnerability

Patched

A vulnerability exists in Mattermost versions 10.11.x prior to 10.11.10, where the team member roles API endpoint does not properly validate permission requirements. This flaw enables team administrators to demote members to the guest role without proper authorization.

Impact

Exploitation of this vulnerability allows for unauthorized changes to team member roles, specifically demoting members to guest status, which may result in loss of access to certain features or channels.

Remediation

Users can upgrade to Mattermost version 10.11.11 or later to address this vulnerability.

Added: Mar 16, 2026, 9:19 PM

Updated: Mar 16, 2026, 9:19 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

4.8

remediation

7.7

relevance

4.3

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

4.8

remediation

7.7

relevance

4.3

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Mattermost Improper Permission Validation in Team Member Roles API Endpoint Allowing Unauthorized Demotion to Guest Role

Vulnerability

Impact

Remediation

Affected Products

Mattermost

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating