CVE-2026-8074 in Mattermost
Summary
by MITRE • 06/22/2026
Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, which allows a User Manager with user management write access but no Integrations access to deactivate bot accounts via the PUT /api/v4/users/{id}/active API endpoint. Mattermost Advisory ID: MMSA-2026-00667
Analysis
by VulDB Data Team • 06/22/2026
This vulnerability exists in Mattermost versions 11.7.0 and earlier, as well as 10.11.17 and earlier, where the system fails to properly enforce bot-specific permission checks on the user active status endpoint. The flaw specifically affects the PUT /api/v4/users/{id}/active API endpoint which is used to deactivate user accounts including bot accounts. A User Manager with write access to user management but without explicit Integrations access can exploit this weakness to deactivate bot accounts through the user management interface.
The root cause of this vulnerability is inadequate permission validation in the Mattermost application's authorization logic. When a User Manager attempts to modify a user's active status, the system should verify that the requesting user holds not only the user management permission but also the integration-related permission whenever the target account is a bot. The absence of this additional check creates an access control bypass in which a user with limited privileges can perform an action normally restricted to administrators or to users with broader integration permissions.
The operational impact of this vulnerability is significant as it allows malicious actors or compromised User Manager accounts to disrupt system operations by deactivating critical bot accounts without proper authorization. Bots in Mattermost often serve essential functions such as automated notifications, integrations with external systems, monitoring services, and workflow automation. Deactivating these accounts can result in service interruptions, reduced productivity, and potential security gaps where automated monitoring or response mechanisms are disabled.
This vulnerability aligns with CWE-284 Access Control Bypass and represents a privilege escalation issue that violates the principle of least privilege. It also maps to ATT&CK technique T1078 Valid Accounts where attackers can leverage existing user accounts with limited permissions to perform unauthorized actions. The flaw demonstrates poor separation of concerns in the permission model, where user management privileges incorrectly grant access to integration-specific operations without proper authorization boundaries.
Organizations should promptly apply the patches and updates available from Mattermost to address this vulnerability. System administrators should also review and tighten user permission assignments so that User Managers do not receive unnecessary write access to bot accounts. Additional monitoring of user activity, particularly account deactivation events, can help detect exploitation attempts. The recommended mitigation is to enforce stricter permission validation on every API endpoint that interacts with bot accounts, so that the integration-specific authorization check runs before any modification to a bot's status or configuration is allowed.
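To make the missing check in the analysis above concrete, the following added Go example (not Mattermost's code) places the flawed policy beside the corrected one. The permission names, the Session type and the sample accounts are constructed for illustration and are not Mattermost's own identifiers.

```go
package main

import "fmt"

// Permission names below are constructed for this example; they are not
// Mattermost's own identifiers.
type Permission string

const (
	PermUserMgmtWrite     Permission = "user_management_write" // held by a User Manager
	PermIntegrationsWrite Permission = "integrations_write"    // required to manage bots
)

// Session holds the permissions resolved for the caller of the endpoint.
type Session map[Permission]bool

type User struct {
	ID    string
	IsBot bool
}

// canDeactivateVulnerable models the flaw in the advisory: only the user-management
// permission is checked, so a bot account is treated like any other user.
func canDeactivateVulnerable(s Session, target User) bool {
	return s[PermUserMgmtWrite]
}

// canDeactivateFixed adds the missing bot-specific check: changing a bot's active
// status also requires the integrations-level permission. A handler for
// PUT /api/v4/users/{id}/active should run this before touching account state.
func canDeactivateFixed(s Session, target User) bool {
	if !s[PermUserMgmtWrite] {
		return false
	}
	if target.IsBot && !s[PermIntegrationsWrite] {
		return false
	}
	return true
}

func main() {
	userManager := Session{PermUserMgmtWrite: true} // no Integrations access
	bot := User{ID: "bot-1", IsBot: true}
	fmt.Println("vulnerable:", canDeactivateVulnerable(userManager, bot)) // true
	fmt.Println("fixed:", canDeactivateFixed(userManager, bot))           // false
}
```

The fixed policy still lets the same User Manager deactivate ordinary (non-bot) accounts, so the change narrows only the bot case the advisory describes.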