Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to properly validate CSRF tokens in the /api/v4/access_control_policies/{policy_id}/activate endpoint, which allows an attacker to trick an admin into changing access control policy active status via a crafted request.. Mattermost Advisory ID: MMSA-2026-00578
References
| Link | Resource |
|---|---|
| https://mattermost.com/security-updates | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
26 Mar 2026, 18:49
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Mattermost
Mattermost mattermost Server |
|
| Summary |
|
|
| CPE | cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* | |
| References | () https://mattermost.com/security-updates - Vendor Advisory |
25 Mar 2026, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-03-25 17:16
Updated : 2026-03-26 18:49
NVD link : CVE-2026-27659
Mitre link : CVE-2026-27659
CVE.ORG link : CVE-2026-27659
JSON object : View
Products Affected
mattermost
- mattermost_server
CWE
CWE-352
Cross-Site Request Forgery (CSRF)