CVE-2026-8823
Severity: Low (CVSS 3.8)
Exploitation Probability (EPSS): Low risk, 14th percentile (higher than 14% of all known CVEs)
Summary
A vulnerability in Mattermost versions 11.7.x <= 11.7.0 and 10.11.x <= 10.11.17 is due to missing validation of bot targets when demoting users to guests. This allows a lower-privileged administrator to degrade arbitrary bot accounts via the standard demote-user API, which performs no check that the target account is a bot before applying the role change.
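To illustrate the flaw class, the following is an added Go example and not Mattermost's own code: the Account type, the role strings and the canDemote permission check are hypothetical. It places a demotion path that validates only the caller beside one that also rejects bot targets, which is the missing check the advisory describes.

```go
package main

import "errors"

// Account is a hypothetical user record; IsBot marks bot accounts.
// Role strings are illustrative, not Mattermost's real role model.
type Account struct {
	ID    string
	Roles string // e.g. "system_user", "system_guest", "user_manager"
	IsBot bool
}

var (
	ErrNotAuthorized = errors.New("caller may not demote users")
	ErrBotTarget     = errors.New("bot accounts cannot be demoted to guest")
)

// canDemote is a stand-in for a real permission check (hypothetical).
func canDemote(a *Account) bool {
	return a.Roles == "system_admin" || a.Roles == "user_manager"
}

// demoteToGuestVulnerable mirrors the flaw class: the caller's permission is
// checked, but nothing verifies that the target is not a bot account.
func demoteToGuestVulnerable(caller, target *Account) error {
	if !canDemote(caller) {
		return ErrNotAuthorized
	}
	target.Roles = "system_guest"
	return nil
}

// demoteToGuestFixed adds the missing target validation: a bot target is
// rejected before any role change is written.
func demoteToGuestFixed(caller, target *Account) error {
	if !canDemote(caller) {
		return ErrNotAuthorized
	}
	if target.IsBot {
		return ErrBotTarget
	}
	target.Roles = "system_guest"
	return nil
}
```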
Risk Assessment
The risk involves the possibility of unauthorized degradation of bot accounts by a lower-privileged administrator, which may disrupt automated processes and system functions.
Recommendation
It is recommended to immediately upgrade Mattermost to version 11.7.1 or later (for the 11.7.x branch) and to version 10.11.18 or later (for the 10.11.x branch).
Original NVD description (English source)
Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to validate bot targets when demoting users to guests which allows a lower-privileged administrator to degrade arbitrary bot accounts via the standard demote-user API. Mattermost Advisory ID: MMSA-2026-00669