Improper Authorization in Mattermost Affects Role Management
CVE-2026-7387
8.8HIGH
What is CVE-2026-7387?
An improper authorization vulnerability exists in Mattermost that allows users with group-link permissions to escalate their privileges by executing malicious API requests. This flaw affects specific versions of Mattermost, enabling unauthorized access to team or channel admin roles when the 'scheme_admin' flag is manipulated during group syncable link requests. Immediate action is advised to secure affected installations against potential exploitation.
Affected Version(s)
Mattermost 11.6.0 <= 11.6.1
Mattermost 11.5.0 <= 11.5.4
Mattermost 10.11.0 <= 10.11.15