CVE-2026-4274

Severity: 5.4 MEDIUM
EPSS: 0.0% (top 91.53%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 26

Description

Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0 and 11.3.x <= 11.3.1 fail to restrict team-level access when processing membership sync messages from a remote cluster. A malicious remote cluster can send crafted membership sync messages that trigger team membership assignment, granting a user access to an entire private team instead of only the shared channel. Mattermost Advisory ID: MMSA-2026-00574.
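The following is an added illustration, not Mattermost's code and not taken from the advisory: a hypothetical Go model of a shared-channel membership sync handler that shows the vulnerable pattern (adding the user to the owning team as a side effect of the sync) beside a hardened version that grants channel membership only. Every type, field and function name, and the sample team, channel and user identifiers, are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// MembershipSync is a simplified model (an assumption for this example, not
// Mattermost's wire format) of a membership-sync message from a remote cluster.
type MembershipSync struct {
	RemoteID  string // cluster that sent the message
	ChannelID string // shared channel the user is claimed to belong to
	UserID    string // local user the remote wants added
}

// Team is invite-only (private) when AllowOpenInvite is false.
type Team struct {
	AllowOpenInvite bool
	Members         map[string]bool
}

// Channel belongs to one team; Shared marks it as shared with a remote.
type Channel struct {
	TeamID  string
	Shared  bool
	Members map[string]bool
}

// Server holds the local state the sync handler mutates.
type Server struct {
	Teams    map[string]*Team
	Channels map[string]*Channel
}

var (
	ErrUnknownChannel = errors.New("sync targets an unknown or unshared channel")
	ErrNotTeamMember  = errors.New("user is not on the invite-only team; remote sync cannot grant team access")
)

// NewScenario builds constructed sample state: invite-only team "eng" with one
// shared channel and one member, alice; "mallory" is a local user not on the team.
func NewScenario() *Server {
	return &Server{
		Teams: map[string]*Team{
			"eng": {AllowOpenInvite: false, Members: map[string]bool{"alice": true}},
		},
		Channels: map[string]*Channel{
			"shared-c": {TeamID: "eng", Shared: true, Members: map[string]bool{"alice": true}},
		},
	}
}

// lookup resolves the target channel and its owning team, rejecting sync
// messages for channels that are not shared (a remote has no say over those).
func (s *Server) lookup(m MembershipSync) (*Channel, *Team, error) {
	ch, ok := s.Channels[m.ChannelID]
	if !ok || !ch.Shared {
		return nil, nil, ErrUnknownChannel
	}
	team, ok := s.Teams[ch.TeamID]
	if !ok {
		return nil, nil, ErrUnknownChannel
	}
	return ch, team, nil
}

// ApplySyncVulnerable reproduces the pattern the advisory describes: because a
// channel member must also be a team member, the handler adds the user to the
// owning team as a side effect, so a malicious remote can push any local user
// into the whole private team.
func (s *Server) ApplySyncVulnerable(m MembershipSync) error {
	ch, team, err := s.lookup(m)
	if err != nil {
		return err
	}
	team.Members[m.UserID] = true // team-level grant driven by remote input
	ch.Members[m.UserID] = true
	return nil
}

// ApplySyncHardened grants channel-level access only. Team membership is not
// created from remote input: the user must already be on the team, or the team
// must be open, where any local user may join anyway so nothing is escalated.
func (s *Server) ApplySyncHardened(m MembershipSync) error {
	ch, team, err := s.lookup(m)
	if err != nil {
		return err
	}
	if !team.Members[m.UserID] {
		if !team.AllowOpenInvite {
			return ErrNotTeamMember
		}
		team.Members[m.UserID] = true // open team: joining is already permitted
	}
	ch.Members[m.UserID] = true
	return nil
}

func main() {
	msg := MembershipSync{RemoteID: "evil-cluster", ChannelID: "shared-c", UserID: "mallory"}
	v := NewScenario()
	_ = v.ApplySyncVulnerable(msg)
	fmt.Println("vulnerable: mallory on team eng =", v.Teams["eng"].Members["mallory"])
	h := NewScenario()
	err := h.ApplySyncHardened(msg)
	fmt.Println("hardened: err =", err, "| mallory on team eng =", h.Teams["eng"].Members["mallory"])
}
```

The point the model makes is where the trust boundary sits: a remote cluster may legitimately report who is in a shared channel, but it must not be able to cause team membership on the local server. How Mattermost's actual fix draws that line is not stated on this page; the practical remediation is to upgrade to the fixed releases listed under Affected Packages.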

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.5

Affected Packages (3 packages)

Source     Package                                     Introduced   Range end   More ranges
NVD        mattermost/mattermost_server                10.11.0      10.11.11    +3
Go         github.com/mattermost/mattermost/server/v8  11.4.0-rc1   11.4.1      +4
CVEListV5  mattermost/mattermost                       11.2.0       11.2.2      +3

Note that the range end is not the same kind of boundary in every row: for the NVD and Go entries it is the first fixed version (10.11.11 and 11.4.1, consistent with the description's 10.11.x <= 10.11.10 and 11.4.x <= 11.4.0), whereas the CVE List entry's 11.2.2 is the last affected release (the description lists 11.2.x <= 11.2.2 as vulnerable). Check the full range list of each source before treating a deployed version as patched.

Vulnerability Details (3 sources)

GHSA     2026-03-26  Mattermost has an Incorrect Authorization issue
OSV      2026-03-26  Mattermost has an Incorrect Authorization issue
CVEList  2026-03-26  Insufficient authorization in shared channel membership sync grants team-level access instead of channel-level access

Threat Intelligence (1 source)

Wiz  CVE-2026-4274 Impact, Exploitability, and Mitigation Steps | Wiz