Skip to main content
CVE Vulnerability Database

CVE-2026-8074: Mattermost Server Auth Bypass Vulnerability

CVE-2026-8074 is an authentication bypass flaw in Mattermost Server that allows User Managers to deactivate bot accounts without proper permissions. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-8074 Overview

CVE-2026-8074 is an authorization flaw in Mattermost Server that allows a User Manager to deactivate bot accounts without holding Integrations permissions. The vulnerability affects the PUT /api/v4/users/{id}/active API endpoint, which fails to enforce bot-specific permission checks. Mattermost tracks this issue as advisory MMSA-2026-00667 and classifies it under CWE-863: Incorrect Authorization. An attacker with elevated User Manager privileges can disable bot integrations, disrupting automated workflows, notifications, and connected services that rely on those bot accounts.

Critical Impact

A privileged User Manager without Integrations access can deactivate bot accounts, breaking automation and integrations that depend on bot identities.

Affected Products

  • Mattermost Server versions 11.7.x up to and including 11.7.0
  • Mattermost Server versions 10.11.x up to and including 10.11.17
  • Mattermost mattermost_server component

Discovery Timeline

  • 2026-06-22 - CVE-2026-8074 published to NVD
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2026-8074

Vulnerability Analysis

The vulnerability resides in Mattermost's user active status endpoint. The handler validates that the caller holds user management write access but does not separately verify Integrations permissions when the target user is a bot account. Bot accounts in Mattermost are a distinct user class governed by Integrations permissions, not standard user management permissions.

This missing check creates a permissions boundary violation. A User Manager role intended to manage human users gains the ability to disable bot identities. Once a bot is deactivated, any integration, webhook flow, or automation tied to that bot identity stops functioning until an administrator reactivates the account.

Root Cause

The root cause is incorrect authorization logic [CWE-863] in the active status endpoint. The code path treats all user identifiers uniformly and does not branch on the bot attribute to enforce Integrations-scoped permission checks. Bot deactivation should require Integrations write access in addition to user management privileges.

Attack Vector

Exploitation requires network access to the Mattermost API and an authenticated session with the User Manager role. The attacker issues a PUT request to /api/v4/users/{id}/active with a bot user identifier and a payload setting active to false. The server processes the request and deactivates the bot account without checking Integrations permissions. No user interaction is required, and the action persists until reversed by an administrator with the correct role.

No public proof-of-concept code or exploit is available for this issue. See the Mattermost Security Updates advisory for additional technical details.

Detection Methods for CVE-2026-8074

Indicators of Compromise

  • Audit log entries showing PUT /api/v4/users/{id}/active requests against bot user IDs originating from User Manager accounts without Integrations permissions.
  • Unexpected bot deactivation events recorded in Mattermost system logs.
  • Integration failures, missing webhook deliveries, or silent automation pipelines coinciding with bot account state changes.

Detection Strategies

  • Correlate API audit logs with role assignments to identify callers modifying bot status outside their permission scope.
  • Alert on any state transition where a non-Integrations role changes the active field of a user flagged as is_bot=true.
  • Baseline normal bot lifecycle events and flag deviations such as off-hours deactivations or bulk status changes.

Monitoring Recommendations

  • Forward Mattermost audit logs to a centralized SIEM and retain them for forensic review.
  • Monitor administrative role assignments, particularly grants of the User Manager role, for unexpected changes.
  • Track integration health metrics so deactivated bots surface quickly through downstream failures.

How to Mitigate CVE-2026-8074

Immediate Actions Required

  • Upgrade Mattermost Server to a fixed release as published in the Mattermost Security Updates advisory MMSA-2026-00667.
  • Review current User Manager role assignments and revoke the role from accounts that do not require it.
  • Audit recent bot deactivation events and reactivate any bots disabled without authorization.

Patch Information

Mattermost has released fixed versions addressed in advisory MMSA-2026-00667. Refer to the Mattermost Security Updates page for the specific patched release matching your deployment branch. Versions at or below 11.7.0 in the 11.7.x line and at or below 10.11.17 in the 10.11.x line require upgrade.

Workarounds

  • Restrict assignment of the User Manager role until the patched version is deployed.
  • Apply reverse proxy or API gateway rules that block PUT /api/v4/users/{id}/active requests targeting bot account IDs from non-administrator sessions.
  • Increase audit logging verbosity for user management API calls to detect attempted exploitation.
bash
# Example: reverse proxy rule to log and inspect bot active-state changes
# Replace with your gateway syntax; this is illustrative only
location ~ ^/api/v4/users/([a-z0-9]+)/active$ {
    access_log /var/log/nginx/mm_bot_active_audit.log;
    proxy_pass http://mattermost_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.