CVE-2026-10085 PUBLISHED

Ordinary group/direct message member can enable group_constrained and remove all channel participants

Assigner: Mattermost
Reserved: 29.05.2026 Published: 13.07.2026 Updated: 13.07.2026

Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to restrict the group_constrained channel flag to public and private channels that support group synchronization, which allows an ordinary group or direct message member to remove all participants from the conversation via the channel patch API.. Mattermost Advisory ID: MMSA-2026-00688

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
CVSS Score: 5.4

Product Status

Vendor Mattermost
Product Mattermost
Versions Default: unaffected
  • affected from 11.7.0 to 11.7.2 (incl.)
  • affected from 11.6.0 to 11.6.4 (incl.)
  • affected from 10.11.0 to 10.11.19 (incl.)
  • Version 11.8.0 is unaffected
  • Version 11.7.3 is unaffected
  • Version 11.6.5 is unaffected
  • Version 10.11.20 is unaffected

Solutions

Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher.

Credits

  • se1en finder

References

Problem Types

  • CWE-862: Missing Authorization CWE