4 matches found
GHSA-RMHW-C3XR-M3XX Mattermost doesn't properly validate CSRF tokens
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to properly validate CSRF tokens in the /api/v4/access_control_policies/{policy_id}/activate endpoint, which allows an attacker to trick an admin into changing access control policy active status via a craft...
CVE-2026-27659
Mattermost CSRF in UpdateAccessControlPolicyActiveStatus: versions 11.2.x ≤ 11.2.2, 10.11.x ≤ 10.11.10, 11.4.x ≤ 11.4.0, 11.3.x ≤ 11.3.1 fail to validate CSRF tokens on /api/v4/access_control_policies/{policy_id}/activate, enabling an attacker to trick an admin into changing an access control pol...
CVE-2026-27659
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to properly validate CSRF tokens in the /api/v4/access_control_policies/{policy_id}/activate endpoint, which allows an attacker to trick an admin into changing access control policy active status via a craft...
PT-2026-27990
Name of the Vulnerable Software and Affected Versions: Mattermost versions 11.2.x through 11.2.2; Mattermost versions 10.11.x through 10.11.10; Mattermost versions 11.4.x through 11.4.0; Mattermost versions 11.3.x through 11.3.1. Description: The software does not properly validate Cross-Site Request...