Mattermost Team-Level Access Vulnerability in Membership Sync from Remote Clusters

Vulnerability

A vulnerability exists in Mattermost versions 10.11.x through 10.11.10, 11.2.x through 11.2.2, 11.3.x through 11.3.1, and 11.4.x through 11.4.0. The application fails to properly restrict team-level access when synchronizing membership from remote clusters (the shared-channels feature). A malicious or compromised remote cluster that shares a channel with the affected instance can send crafted membership sync messages that cause the receiving server to add a user to the channel's parent private team, rather than only to the shared channel, producing an unauthorized team membership assignment.
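The following Go program is an added, simplified model of the behaviour described above; it is not Mattermost code, and the types, field names and handler names are assumptions made for illustration. It contrasts a sync handler that honours a remote's membership update by adding the user to the channel and its parent team (the flaw) with one that first checks the sending remote actually shares the target channel and then grants channel-scoped membership only. The remote's identity is assumed to have been authenticated before the message reaches these handlers.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustrative model written for this advisory; NOT Mattermost code.
// All type and field names below are assumptions.

// Team is a workspace; a Private team is joinable by invitation only.
type Team struct {
	ID      string
	Private bool
	Members map[string]bool
}

// Channel belongs to one team and may be shared with remote clusters.
type Channel struct {
	ID         string
	TeamID     string
	Members    map[string]bool
	SharedWith map[string]bool // remote cluster IDs this channel is shared with
}

// MembershipSync is the (already authenticated) update a remote cluster sends
// to announce that one of its users should be a member of a shared channel.
type MembershipSync struct {
	RemoteID  string
	ChannelID string
	UserID    string
}

type Server struct {
	Teams    map[string]*Team
	Channels map[string]*Channel
}

// vulnerableSync models the flaw: the update is honoured by adding the user
// to the channel AND to the channel's parent team, opening a private team.
func (s *Server) vulnerableSync(msg MembershipSync) error {
	ch, ok := s.Channels[msg.ChannelID]
	if !ok {
		return errors.New("unknown channel")
	}
	s.Teams[ch.TeamID].Members[msg.UserID] = true // team-wide grant: the bug
	ch.Members[msg.UserID] = true
	return nil
}

// hardenedSync keeps the remote's authority scoped to the shared channel:
// it rejects updates for channels not shared with that remote and never
// touches team membership.
func (s *Server) hardenedSync(msg MembershipSync) error {
	ch, ok := s.Channels[msg.ChannelID]
	if !ok {
		return errors.New("unknown channel")
	}
	if !ch.SharedWith[msg.RemoteID] {
		return fmt.Errorf("channel %q is not shared with remote %q", msg.ChannelID, msg.RemoteID)
	}
	ch.Members[msg.UserID] = true // channel-scoped grant only
	return nil
}

func (s *Server) IsTeamMember(teamID, userID string) bool {
	t, ok := s.Teams[teamID]
	return ok && t.Members[userID]
}

func (s *Server) IsChannelMember(channelID, userID string) bool {
	c, ok := s.Channels[channelID]
	return ok && c.Members[userID]
}

// newFixture builds constructed sample data: a private team "eng" with one
// channel shared with remote "partner-a" and one internal, unshared channel.
func newFixture() *Server {
	s := &Server{Teams: map[string]*Team{}, Channels: map[string]*Channel{}}
	s.Teams["eng"] = &Team{ID: "eng", Private: true, Members: map[string]bool{"alice": true}}
	s.Channels["eng-shared"] = &Channel{ID: "eng-shared", TeamID: "eng",
		Members: map[string]bool{"alice": true}, SharedWith: map[string]bool{"partner-a": true}}
	s.Channels["eng-internal"] = &Channel{ID: "eng-internal", TeamID: "eng",
		Members: map[string]bool{"alice": true}, SharedWith: map[string]bool{}}
	return s
}

// RunScenario replays a crafted update from "partner-a" for the shared channel
// and reports whether the remote user became a team member and a channel member.
func RunScenario(hardened bool) (teamMember, channelMember bool, err error) {
	s := newFixture()
	msg := MembershipSync{RemoteID: "partner-a", ChannelID: "eng-shared", UserID: "mallory"}
	if hardened {
		err = s.hardenedSync(msg)
	} else {
		err = s.vulnerableSync(msg)
	}
	return s.IsTeamMember("eng", "mallory"), s.IsChannelMember("eng-shared", "mallory"), err
}

// RunUnsharedScenario targets a channel the remote does not share; the
// hardened handler must reject it.
func RunUnsharedScenario() error {
	s := newFixture()
	return s.hardenedSync(MembershipSync{RemoteID: "partner-a", ChannelID: "eng-internal", UserID: "mallory"})
}

func main() {
	tm, cm, err := RunScenario(false)
	fmt.Printf("vulnerable: teamMember=%v channelMember=%v err=%v\n", tm, cm, err)
	tm, cm, err = RunScenario(true)
	fmt.Printf("hardened:   teamMember=%v channelMember=%v err=%v\n", tm, cm, err)
	fmt.Printf("hardened, unshared channel: err=%v\n", RunUnsharedScenario())
}
```

With the vulnerable handler, the remote-controlled user "mallory" ends up a member of the private team and can reach channels the remote never shared; with the hardened handler the same message yields membership of "eng-shared" only, and an update naming the unshared "eng-internal" channel is refused. Whatever the actual Mattermost fix looks like, the two properties to verify after upgrading are the same: a remote's sync messages must not create team memberships, and must be rejected for channels that remote does not share.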

Impact

Exploitation gives a user controlled by the remote cluster membership of a private team on the affected instance and, with it, access to that team's channels and information beyond the single shared channel the remote was entitled to.

Remediation

Upgrade to Mattermost 11.5.0, 11.4.2, or 11.3.2 to address this vulnerability. No fixed release for the affected 10.11.x or 11.2.x lines is listed in this advisory.

Added: Mar 26, 2026, 11:20 AM
Updated: Mar 26, 2026, 11:20 AM

Vulnerability Rating

Custom Algorithm

  spread          3.1
  impact          3.1
  exploitability  4.8
  remediation     7.7
  relevance       4.7
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.