Platform: go
Component: github.com/mattermost/mattermost/server/v8
Fixed in: 11.2.3, 10.11.11, 11.3.2, 11.4.1
CVE-2026-27659 is a Cross-Site Request Forgery (CSRF) vulnerability discovered in Mattermost's /api/v4/accesscontrolpolicies/{policy_id}/activate endpoint. This flaw allows an attacker to potentially manipulate access control policies by tricking an authenticated administrator into unknowingly executing a malicious request. The vulnerability impacts Mattermost versions 11.2.x up to 11.2.2, 10.11.x up to 10.11.10, 11.4.x up to 11.4.0, and 11.3.x up to 11.3.1. A fix is available in version 11.4.1.
Successful exploitation of CVE-2026-27659 could allow an attacker to gain unauthorized control over Mattermost's access control policies. This could lead to scenarios where sensitive data is exposed, unauthorized users are granted access, or critical system functions are compromised. For example, an attacker could disable access controls for specific channels or teams, effectively granting themselves or others unrestricted access. The blast radius extends to any data or functionality protected by the manipulated access control policies. The ability to modify access control policies represents a significant escalation of privilege within the Mattermost environment.
This vulnerability was publicly disclosed on March 25, 2026, with the publication of Mattermost advisory MMSA-2026-00578. The CSRF nature of the vulnerability suggests a relatively low probability of exploitation (EPSS score likely low), but the potential impact warrants attention. No public proof-of-concept (PoC) code has been released as of this writing, but the ease of crafting CSRF requests means a PoC could emerge quickly. Monitor Mattermost forums and security mailing lists for updates.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC: (not listed)
CVSS Vector: (not listed)
The primary mitigation for CVE-2026-27659 is to upgrade Mattermost to version 11.4.1 or later. If an immediate upgrade is not possible, consider temporary workarounds. A direct WAF rule is difficult to write because a CSRF request reaches the server as an ordinary request carrying the victim's own valid session, but enforcing strict authentication and authorization policies can reduce the attack surface. Review and audit existing access control policies for anomalies or suspicious configurations. Educate administrators about the risks of CSRF and the importance of verifying requests before executing them. After upgrading, confirm the fix by attempting to trigger the vulnerable endpoint with a crafted CSRF request and verifying that it is rejected.
Update Mattermost to the latest available version. The CSRF vulnerability in the UpdateAccessControlPolicyActiveStatus endpoint allows an attacker to trick an administrator into changing the access control policy active status via a crafted request. Updating to the latest version corrects CSRF token validation.
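The corrected behaviour the advisory describes is CSRF token validation on a state-changing endpoint. The Go program below is an added illustration written for this page, not Mattermost's own code: it wraps a stand-in for the policy activation handler in a synchronizer-token middleware that binds a token to the session and refuses the request unless the client presents that token. The cookie name (`sessionid`), header name (`X-CSRF-Token`), HTTP method (PUT), policy id and token values are all assumptions.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed session store: session cookie value -> CSRF token issued to
// that session. A stand-in for a real session backend, not Mattermost's.
var sessionCSRFTokens = map[string]string{
	"sess-admin-1": "csrf-4f9e1b7c3a2d", // constructed sample values
}

// HTTP methods that must not change state and therefore need no CSRF check.
var safeMethods = map[string]bool{
	http.MethodGet:     true,
	http.MethodHead:    true,
	http.MethodOptions: true,
}

// csrfProtect wraps a state-changing handler with a synchronizer-token check.
// A browser attaches the session cookie to a cross-site request on its own,
// but a page on another origin can neither read nor set the per-session
// token, so a forged request arrives without a valid X-CSRF-Token and is
// refused before the wrapped handler (the policy change) ever runs.
func csrfProtect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if safeMethods[r.Method] {
			next.ServeHTTP(w, r)
			return
		}
		cookie, err := r.Cookie("sessionid") // cookie name is an assumption
		if err != nil {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		expected, ok := sessionCSRFTokens[cookie.Value]
		if !ok {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		presented := r.Header.Get("X-CSRF-Token")
		// Constant-time comparison so a wrong token leaks nothing via timing.
		if subtle.ConstantTimeCompare([]byte(presented), []byte(expected)) != 1 {
			http.Error(w, "invalid or missing CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// activatePolicy stands in for the policy activation handler; it only echoes
// the requested change so the demo shows when a request got through.
func activatePolicy(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "policy active=%s\n", r.URL.Query().Get("active"))
}

// sendActivate drives one PUT at the protected route (method and policy id
// are assumptions) with an optional session cookie and CSRF header, and
// returns the HTTP status the middleware produced.
func sendActivate(h http.Handler, sessionID, csrfToken string) int {
	req := httptest.NewRequest(http.MethodPut,
		"/api/v4/accesscontrolpolicies/policy-123/activate?active=false", nil)
	if sessionID != "" {
		req.AddCookie(&http.Cookie{Name: "sessionid", Value: sessionID})
	}
	if csrfToken != "" {
		req.Header.Set("X-CSRF-Token", csrfToken)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := csrfProtect(http.HandlerFunc(activatePolicy))
	cases := []struct{ name, session, token string }{
		{"no session cookie", "", ""},
		{"cookie only (shape of a forged cross-site request)", "sess-admin-1", ""},
		{"cookie + wrong token", "sess-admin-1", "csrf-guess"},
		{"cookie + correct token (legitimate client)", "sess-admin-1", "csrf-4f9e1b7c3a2d"},
	}
	for _, c := range cases {
		fmt.Printf("%-55s -> %d\n", c.name, sendActivate(h, c.session, c.token))
	}
}
```

The second case is the one that matters: the request carries a valid administrator session and nothing else, which is exactly what a browser sends when a cross-site page submits to the endpoint, and it is refused with 403 while the token-bearing request succeeds. The check only helps on routes it actually wraps, so when reviewing a server after an upgrade it is worth confirming that every state-changing route passes through the middleware rather than just the one named in the advisory. SameSite cookie attributes and Origin header checks are complementary, defence-in-depth measures rather than replacements for the token.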
CVE-2026-27659 is a CSRF vulnerability in Mattermost's access control policy activation endpoint, allowing attackers to manipulate policies through crafted requests. It affects versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, and 11.3.x <= 11.3.1.
You are affected if you are running Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, or 11.3.x <= 11.3.1. Upgrade to 11.4.1 or later to mitigate the risk.
Upgrade Mattermost to version 11.4.1 or later. If immediate upgrade isn't possible, implement stricter authentication and authorization policies and educate administrators.
While no public exploits are currently known, the CSRF nature of the vulnerability means exploitation is possible. Monitor Mattermost forums and security mailing lists for updates.
You can find the official advisory on the Mattermost website: https://mattermost.com/security/advisories/MMSA-2026-00578