CVE-2026-22545 — Incorrect Authorization in Mattermost Mattermost-server

CWE-863 — Incorrect Authorization6 documents5 sources

Severity

3.5LOWNVD

CNA3.1

EPSS

0.0%

top 88.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedMar 16

Latest updateMar 23

Description

Mattermost versions 10.11.x <= 10.11.10 fail to validate user's authentication method when processing account auth type switch which allows an authenticated attacker to change account password without confirmation via falsely claiming a different auth provider.. Mattermost Advisory ID: MMSA-2026-00583

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:NExploitability: 2.1 | Impact: 1.4

Affected Packages4 packages

▶NVDmattermost/mattermost_server10.11.0 — 10.11.11

▶Gogithub.com/mattermost_mattermost-server10.11.0-rc1+incompatible — 10.11.11+incompatible+6

▶Gogithub.com/mattermost_mattermost_server_v8< 8.0.0-20260127144908-ced9a56e3988

▶CVEListV5mattermost/mattermost10.11.0 — 10.11.10

🔴Vulnerability Details

OSV

Mattermost fails to validate user's authentication method when processing account auth type switch in github.com/mattermost/mattermost-server↗2026-03-23

▶

CVEList

Password Change Bypass via Auth Switch Endpoint↗2026-03-16

▶

OSV

Mattermost fails to validate user's authentication method when processing account auth type switch↗2026-03-16

▶

GHSA

Mattermost fails to validate user's authentication method when processing account auth type switch↗2026-03-16

▶

🕵️Threat Intelligence

Wiz

CVE-2026-22545 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶