CVE-2026-8074 Overview
CVE-2026-8074 is an authorization flaw in Mattermost Server that allows a User Manager to deactivate bot accounts without holding Integrations permissions. The vulnerability affects the PUT /api/v4/users/{id}/active API endpoint, which fails to enforce bot-specific permission checks. Mattermost tracks this issue as advisory MMSA-2026-00667 and classifies it under CWE-863: Incorrect Authorization. An attacker with elevated User Manager privileges can disable bot integrations, disrupting automated workflows, notifications, and connected services that rely on those bot accounts.
Critical Impact
A privileged User Manager without Integrations access can deactivate bot accounts, breaking automation and integrations that depend on bot identities.
Affected Products
- Mattermost Server versions 11.7.x up to and including 11.7.0
- Mattermost Server versions 10.11.x up to and including 10.11.17
- Mattermost mattermost_server component
Discovery Timeline
- 2026-06-22 - CVE-2026-8074 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2026-8074
Vulnerability Analysis
The vulnerability resides in Mattermost's user active status endpoint. The handler validates that the caller holds user management write access but does not separately verify Integrations permissions when the target user is a bot account. Bot accounts in Mattermost are a distinct user class governed by Integrations permissions, not standard user management permissions.
This missing check creates a permissions boundary violation. A User Manager role intended to manage human users gains the ability to disable bot identities. Once a bot is deactivated, any integration, webhook flow, or automation tied to that bot identity stops functioning until an administrator reactivates the account.
Root Cause
The root cause is incorrect authorization logic [CWE-863] in the active status endpoint. The code path treats all user identifiers uniformly and does not branch on the bot attribute to enforce Integrations-scoped permission checks. Bot deactivation should require Integrations write access in addition to user management privileges.
Attack Vector
Exploitation requires network access to the Mattermost API and an authenticated session with the User Manager role. The attacker issues a PUT request to /api/v4/users/{id}/active with a bot user identifier and a payload setting active to false. The server processes the request and deactivates the bot account without checking Integrations permissions. No user interaction is required, and the action persists until reversed by an administrator with the correct role.
No public proof-of-concept code or exploit is available for this issue. See the Mattermost Security Updates advisory for additional technical details.
Detection Methods for CVE-2026-8074
Indicators of Compromise
- Audit log entries showing PUT /api/v4/users/{id}/active requests against bot user IDs originating from User Manager accounts without Integrations permissions.
- Unexpected bot deactivation events recorded in Mattermost system logs.
- Integration failures, missing webhook deliveries, or silent automation pipelines coinciding with bot account state changes.
Detection Strategies
- Correlate API audit logs with role assignments to identify callers modifying bot status outside their permission scope.
- Alert on any state transition where a non-Integrations role changes the active field of a user flagged as is_bot=true.
- Baseline normal bot lifecycle events and flag deviations such as off-hours deactivations or bulk status changes.
Monitoring Recommendations
- Forward Mattermost audit logs to a centralized SIEM and retain them for forensic review.
- Monitor administrative role assignments, particularly grants of the User Manager role, for unexpected changes.
- Track integration health metrics so deactivated bots surface quickly through downstream failures.
How to Mitigate CVE-2026-8074
Immediate Actions Required
- Upgrade Mattermost Server to a fixed release as published in the Mattermost Security Updates advisory MMSA-2026-00667.
- Review current User Manager role assignments and revoke the role from accounts that do not require it.
- Audit recent bot deactivation events and reactivate any bots disabled without authorization.
Patch Information
Mattermost has released fixed versions addressed in advisory MMSA-2026-00667. Refer to the Mattermost Security Updates page for the specific patched release matching your deployment branch. Versions at or below 11.7.0 in the 11.7.x line and at or below 10.11.17 in the 10.11.x line require upgrade.
Workarounds
- Restrict assignment of the User Manager role until the patched version is deployed.
- Apply reverse proxy or API gateway rules that block PUT /api/v4/users/{id}/active requests targeting bot account IDs from non-administrator sessions.
- Increase audit logging verbosity for user management API calls to detect attempted exploitation.
# Example: reverse proxy rule to log and inspect bot active-state changes
# Replace with your gateway syntax; this is illustrative only
location ~ ^/api/v4/users/([a-z0-9]+)/active$ {
access_log /var/log/nginx/mm_bot_active_audit.log;
proxy_pass http://mattermost_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

