PatchSiren cyber security CVE debrief
CVE-2026-7387 Mattermost CVE debrief
CVE-2026-7387 is a high-severity vulnerability in Mattermost that allows for authorization bypass. The vulnerability affects Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, and 10.11.x <= 10.11.16. An attacker with group-link permissions can escalate themselves and group members to team or channel admin via crafted API requests. The vulnerability has a CVSS score of 8.8 and is classified as HIGH.
- Vendor: Mattermost
- Product: Unknown
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, and 10.11.x <= 10.11.16 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
Mattermost fails to require role-management authorization when setting the scheme_admin flag on group syncable link and patch endpoints. This allows a user with group-link permissions to escalate themselves and group members to team or channel admin via crafted API requests.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to a version of Mattermost that is not affected by this vulnerability.
- Restrict group-link permissions to only those who need them.
- Monitor for suspicious activity on your Mattermost instance.
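As an added example for the monitoring step (not code from the advisory or from Mattermost), a small detector that flags requests setting scheme_admin on group syncable link or patch endpoints when the actor lacks a trusted role. The request records, the URL path shape and the "roles" field are constructed assumptions; the advisory itself only names the endpoints by description and the scheme_admin flag.

```python
import json
import re

# Constructed sample request records in JSON-lines form (not real Mattermost
# audit output). Path shape and the "roles" field are assumptions; the
# advisory names only "group syncable link and patch endpoints" and scheme_admin.
SAMPLE_LINES = [
    '{"user":"alice","roles":"system_user","method":"POST",'
    '"path":"/api/v4/groups/g1/teams/t1/link",'
    '"body":{"auto_add":true,"scheme_admin":true}}',
    '{"user":"bob","roles":"system_user","method":"PUT",'
    '"path":"/api/v4/groups/g1/channels/c1/patch","body":{"auto_add":false}}',
    '{"user":"carol","roles":"system_admin","method":"PUT",'
    '"path":"/api/v4/groups/g2/teams/t2/patch","body":{"scheme_admin":true}}',
    '{"user":"dave","roles":"system_user","method":"PUT",'
    '"path":"/api/v4/groups/g3/channels/c3/patch","body":{"scheme_admin":false}}',
    'not json at all',
]

# Assumed shape of the link/patch endpoints for a group's team or channel syncable.
SYNCABLE_RE = re.compile(
    r"^/api/v4/groups/[^/]+/(teams|channels)/[^/]+/(link|patch)$"
)

# Roles expected to be allowed to manage scheme roles (assumption).
TRUSTED_ROLES = {"system_admin"}


def is_scheme_admin_escalation(event):
    """True when a non-trusted actor sets scheme_admin via a syncable endpoint."""
    if event.get("method") not in ("POST", "PUT"):
        return False
    if not SYNCABLE_RE.match(event.get("path", "")):
        return False
    body = event.get("body") or {}
    if body.get("scheme_admin") is not True:
        return False
    roles = set(str(event.get("roles", "")).split())
    return not (roles & TRUSTED_ROLES)


def find_suspicious(lines):
    """Parse JSON lines, skip unparsable ones, return (user, path) for each hit."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: ignore rather than crash the detector
        if is_scheme_admin_escalation(event):
            hits.append((event.get("user"), event["path"]))
    return hits
```

Running `find_suspicious(SAMPLE_LINES)` flags only alice's request; the admin's own change and the non-admin requests that do not set scheme_admin are left alone.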
Evidence notes
The vulnerability was reported to Mattermost via responsible disclosure and has been publicly disclosed.
Official resources
- CVE-2026-7387 CVE record (CVE.org)
- CVE-2026-7387 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-7387 was published on 2026-06-12T17:16:27.653Z and has not been modified since then.