CVE-2026-7387 Overview
CVE-2026-7387 is an authorization vulnerability in Mattermost Server affecting versions 11.6.x through 11.6.1, 11.5.x through 11.5.4, and 10.11.x through 10.11.16. The flaw resides in the group syncable link and patch API endpoints, which fail to enforce role-management authorization when processing the scheme_admin flag. A user holding group-link permissions can craft API requests that elevate themselves and other group members to team or channel administrator. Mattermost tracks this issue as advisory MMSA-2026-00665 and classifies the weakness under CWE-863: Incorrect Authorization.
Critical Impact
Authenticated users with group-link permissions can escalate themselves and group members to team or channel admin, gaining administrative control over Mattermost collaboration spaces.
Affected Products
- Mattermost Server 11.6.x through 11.6.1
- Mattermost Server 11.5.x through 11.5.4
- Mattermost Server 10.11.x through 10.11.16
Discovery Timeline
- 2026-06-12 - CVE-2026-7387 published to NVD
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-7387
Vulnerability Analysis
The vulnerability stems from missing authorization checks on Mattermost's group syncable APIs. Group syncables link an LDAP or SAML-backed group to a team or channel and control membership synchronization. The link and patch endpoints accept a scheme_admin boolean that designates whether group members inherit team admin or channel admin roles. The server processes this field without verifying that the requesting user holds the manage_team_roles or manage_channel_roles capability. Any account permitted to manage group links can therefore promote arbitrary group members to administrator. The defect is a horizontal-to-vertical privilege escalation that converts a delegated administrative function into a full role-management primitive.
Root Cause
The root cause is an incorrect authorization decision [CWE-863] in the handlers that service group syncable creation and modification. The handlers validate that the caller may link a group but do not perform a separate permission check for changes to scheme_admin. The role-management permission is required elsewhere in the application but is omitted in this code path, breaking the principle of complete mediation.
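As an added illustration (not Mattermost's own code), here is a minimal Go model of the authorization decision described above: the vulnerable form mediates only the link action, while the fixed form also demands manage_team_roles or manage_channel_roles whenever scheme_admin is requested. The Session and SyncablePatch types, the two authorize functions and the group-link permission name are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission names as the page uses them; the group-link permission name is a
// placeholder, and the whole model is an assumption, not Mattermost's code.
const (
	PermLinkGroup          = "link_group_placeholder"
	PermManageTeamRoles    = "manage_team_roles"
	PermManageChannelRoles = "manage_channel_roles"
)

// Session is a simplified caller context: the permissions the user holds.
type Session struct{ Perms map[string]bool }

// SyncablePatch is the body of a link/patch request; SchemeAdmin is the field
// the vulnerable handler honoured without its own authorization check.
type SyncablePatch struct {
	GroupID, TargetID string
	IsChannel         bool // false: group-team link, true: group-channel link
	SchemeAdmin       bool
}

var ErrForbidden = errors.New("forbidden")

// authorizeVulnerable mirrors the flaw: only the link action is mediated, so
// anyone permitted to link a group can also set scheme_admin.
func authorizeVulnerable(s Session, p SyncablePatch) error {
	if !s.Perms[PermLinkGroup] {
		return ErrForbidden
	}
	return nil
}

// authorizeFixed applies complete mediation: the link action is still checked,
// and a scheme_admin=true request additionally needs the role-management
// permission that matches the target type.
func authorizeFixed(s Session, p SyncablePatch) error {
	if !s.Perms[PermLinkGroup] {
		return ErrForbidden
	}
	if p.SchemeAdmin {
		required := PermManageTeamRoles
		if p.IsChannel {
			required = PermManageChannelRoles
		}
		if !s.Perms[required] {
			return fmt.Errorf("%w: scheme_admin requires %s", ErrForbidden, required)
		}
	}
	return nil
}
```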
Attack Vector
An authenticated user with group-link permissions issues a crafted HTTP request to the affected group syncable endpoints. The request body sets scheme_admin to true for an existing or new group-team or group-channel link. Once accepted, every member of the linked group receives the corresponding admin role on the target team or channel. The attacker can include their own account in the group to self-escalate, or escalate confederates without further interaction. No user interaction is required from the victim administrator.
Detection Methods for CVE-2026-7387
Indicators of Compromise
- API calls to group syncable endpoints (/api/v4/groups/{group_id}/teams/{team_id}/link, /api/v4/groups/{group_id}/channels/{channel_id}/link, and corresponding PATCH operations) with scheme_admin set to true.
- Unexpected appearance of team admin or channel admin roles on accounts that have not been promoted through normal administrative workflows.
- Audit log entries showing role assignments correlated in time with group syncable link or patch events.
Detection Strategies
- Review Mattermost audit logs for groupSyncable create and update events and cross-reference the actor's role against the scheme_admin value submitted.
- Alert on any group-team or group-channel link where scheme_admin transitions from false to true outside of change-management windows.
- Hunt for users who gained team_admin or channel_admin membership without a direct role assignment event recorded by a system administrator.
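The first detection strategy above, implemented as an added Go example over a constructed JSON-lines audit log (this is neither Mattermost's audit schema nor its tooling): it selects successful groupSyncable create/update events that submitted scheme_admin=true and reports those whose actor holds no role-management role. The field names, event names, sample lines and role list are assumptions made for this example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"strings"
)

// AuditEvent lists the fields this example reads; the names are an assumption
// for the constructed sample below, not Mattermost's audit schema.
type AuditEvent struct {
	Timestamp   string   `json:"timestamp"`
	Event       string   `json:"event"`
	Status      string   `json:"status"`
	ActorID     string   `json:"actor_id"`
	ActorRoles  []string `json:"actor_roles"`
	SyncableID  string   `json:"syncable_id"`
	SchemeAdmin bool     `json:"scheme_admin"`
}

// Finding is one suspicious event: a successful link/patch that set
// scheme_admin=true while the actor held no role-management role.
type Finding struct{ Timestamp, ActorID, Event, SyncableID string }

// sampleAuditLog is constructed for this example (JSON lines, one event each).
const sampleAuditLog = `{"timestamp":"2026-06-13T09:01:02Z","event":"createGroupSyncable","status":"success","actor_id":"u-admin","actor_roles":["system_admin"],"syncable_id":"team-eng","scheme_admin":true}
{"timestamp":"2026-06-13T09:05:44Z","event":"updateGroupSyncable","status":"success","actor_id":"u-linker","actor_roles":["system_user","team_user"],"syncable_id":"team-eng","scheme_admin":true}
{"timestamp":"2026-06-13T09:06:10Z","event":"updateGroupSyncable","status":"success","actor_id":"u-linker","actor_roles":["system_user"],"syncable_id":"chan-ops","scheme_admin":false}
{"timestamp":"2026-06-13T09:07:00Z","event":"createGroupSyncable","status":"fail","actor_id":"u-linker","actor_roles":["system_user"],"syncable_id":"chan-ops","scheme_admin":true}`

// roleManagerRoles are the roles assumed here to carry manage_team_roles or
// manage_channel_roles; derive this from your own role configuration in practice.
var roleManagerRoles = map[string]bool{"system_admin": true, "team_admin": true, "channel_admin": true}

// FindSuspiciousSchemeAdmin scans JSON-lines audit text and returns successful
// group-syncable create/update events that set scheme_admin=true while the
// actor holds none of the role-management roles (the page's detection rule).
func FindSuspiciousSchemeAdmin(log string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		var ev AuditEvent
		if err := json.Unmarshal(sc.Bytes(), &ev); err != nil {
			continue // malformed line; count and report these in production
		}
		if !strings.HasSuffix(ev.Event, "GroupSyncable") || ev.Status != "success" || !ev.SchemeAdmin {
			continue
		}
		privileged := false
		for _, r := range ev.ActorRoles {
			privileged = privileged || roleManagerRoles[r]
		}
		if !privileged {
			out = append(out, Finding{ev.Timestamp, ev.ActorID, ev.Event, ev.SyncableID})
		}
	}
	return out
}
```

Failed requests are skipped here because they did not change any role; a rejected attempt is still worth a separate, lower-severity alert.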
Monitoring Recommendations
- Forward Mattermost audit logs and reverse-proxy access logs to a centralized log platform for retention and correlation.
- Establish a baseline for group syncable API usage and alert on volume or pattern deviations.
- Track administrator role membership counts per team and channel, and trigger review when counts increase unexpectedly.
How to Mitigate CVE-2026-7387
Immediate Actions Required
- Upgrade Mattermost Server to a fixed release on the 11.6, 11.5, or 10.11 maintenance branches as published in the Mattermost Security Updates advisory.
- Audit current team and channel administrators and revoke unauthorized role assignments introduced through group syncables.
- Restrict accounts that hold group-link permissions to a minimum set of trusted administrators until patching is complete.
Patch Information
Mattermost has issued fixed builds for the affected branches. Administrators should consult the Mattermost Security Updates page and apply the version that supersedes 11.6.1, 11.5.4, and 10.11.16 on their respective release lines. The patch enforces the role-management permission on the group syncable link and patch handlers before honoring the scheme_admin field.
Workarounds
- Remove the group-link permission, which sits alongside manage_team_roles and manage_channel_roles, from non-administrative roles until the upgrade is applied.
- Disable LDAP or SAML group sync features in environments where the capability is not required.
- Monitor and manually review every group syncable link and patch API call until the fixed version is deployed.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.