CVE-2026-8074
Severity: Low (CVSS 3.8)
Exploitation Probability (EPSS): Low risk, 9th percentile (higher than 9% of all known CVEs)
Summary
Mattermost versions 11.7.x up to 11.7.0 and 10.11.x up to 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint. The endpoint verifies only the caller's user management write permission and does not additionally require the Integrations permission that governs bot accounts. As a result, a User Manager with user management write access but no Integrations access can deactivate bot accounts via the PUT /api/v4/users/{id}/active API endpoint.
Risk Assessment
An account holding user management write access but no Integrations access can deactivate bot accounts it was not meant to control. This can disrupt integrations and automations that depend on those bots and weakens the separation of duties that the user management permission model is intended to provide.
Recommendation
It is recommended to upgrade to the latest version of Mattermost to ensure proper enforcement of bot permission checks and minimize the risk of unauthorized actions.
Original NVD description (English source)
Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, which allows a User Manager with user management write access but no Integrations access to deactivate bot accounts via the PUT /api/v4/users/{id}/active API endpoint. Mattermost Advisory ID: MMSA-2026-00667