CVE-2026-8074 Improper Permission Check Allows User Manager to Deactivate Bot Accounts

🗓️ 22 Jun 2026 13:37:44Reported by MattermostType

Improper permission check lets user managers deactivate bot accounts via the user active status endpoint.

Reporter	Title	Published	Views	Family All 5
ATTACKERKB	CVE-2026-8074	22 Jun 202613:37	–	attackerkb
CVE	CVE-2026-8074	22 Jun 202613:37	–	cve
EUVD	EUVD-2026-38248	22 Jun 202615:30	–	euvd
NVD	CVE-2026-8074	22 Jun 202614:17	–	nvd
Positive Technologies	PT-2026-51320	22 Jun 202600:00	–	ptsecurity

[
  {
    "defaultStatus": "unaffected",
    "product": "Mattermost",
    "vendor": "Mattermost",
    "versions": [
      {
        "lessThanOrEqual": "11.7.0",
        "status": "affected",
        "version": "11.7.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "10.11.17",
        "status": "affected",
        "version": "10.11.0",
        "versionType": "semver"
      },
      {
        "version": "11.8.0",
        "status": "unaffected"
      },
      {
        "version": "11.7.1",
        "status": "unaffected"
      },
      {
        "version": "10.11.18",
        "status": "unaffected"
      }
    ]
  }
]

Source	Link
mattermost	www.mattermost.com/security-updates

22 Jun 2026 13:37Current

CVSS 3.13.8

CWE-863