CVE-2026-8823

Mattermost versions 11.7.x = 11.7.0, 10.11.x = 10.11.17 fail to validate bot targets when demoting users to guests which allows a lower-privileged administrator to degrade arbitrary bot accounts via the standard demote-user API.. Mattermost Advisory ID: MMSA-2026-00669...

CVE-2026-8823

Mattermost versions affected are 11.7.x <= 11.7.0 and 10.11.x

EUVD-2026-38276

Mattermost versions 11.7.x = 11.7.0, 10.11.x = 10.11.17 fail to validate bot targets when demoting users to guests which allows a lower-privileged administrator to degrade arbitrary bot accounts via the standard demote-user API.. Mattermost Advisory ID: MMSA-2026-00669...

CVE-2026-8823 User Manager can demote bot accounts to guest without bot-management permission

Mattermost versions 11.7.x = 11.7.0, 10.11.x = 10.11.17 fail to validate bot targets when demoting users to guests which allows a lower-privileged administrator to degrade arbitrary bot accounts via the standard demote-user API.. Mattermost Advisory ID: MMSA-2026-00669...

PT-2026-32417

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with custom role permissions to demote or remove higher-privileged group members due to improper authorization...

CVE-2026-4916

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with custom role permissions to demote or remove higher-privileged group members due to improper authorization...

UBUNTU-CVE-2026-4916

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with custom role permissions to demote or remove higher-privileged group members due to improper authorization...

PT-2026-31547

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 18.2 through 18.8.8, 18.9 through 18.9.4, and 18.10 through 18.10.2 Description A flaw existed in GitLab CE/EE where an authenticated user with custom role permissions could potentially demote or remove higher-privileged...

Incorrect Authorization

Overview github.com/mattermost/mattermost/server/channels/app is a private-cloud Slack alternative Affected versions of this package are vulnerable to Incorrect Authorization due to insufficient validation of permission requirements in the team member roles API endpoint. An attacker can gain...

CVE-2026-26230

A permissions validation flaw has been discovered in mattermost server. Affected versions fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role. Mitigation Mitigation for this issue is either not...

CVE-2026-26230 Team Admin Privilege Escalation to Demote Members to Guest

Mattermost versions 10.11.x = 10.11.10 fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role. Mattermost Advisory ID: MMSA-2025-00531...

CVE-2026-26230 Team Admin Privilege Escalation to Demote Members to Guest

Mattermost versions 10.11.x = 10.11.10 fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role. Mattermost Advisory ID: MMSA-2025-00531...

CVE-2026-26230

Mattermost: Affected software is Mattermost 10.11.x up to 10.11.10. The issue arises from improper validation of permission requirements in the team member roles API endpoint, enabling a team administrator to demote members to the guest role. Root cause is insufficient permission checks in that e...

CVE-2026-26230

Mattermost versions 10.11.x = 10.11.10 fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role. Mattermost Advisory ID: MMSA-2025-00531...

CVE-2025-12641 Awesome Support – WordPress HelpDesk & Support Plugin <= 6.3.6 - Missing Authorization to Unauthenticated Role Demotion

The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpasdomractivateuser' function not verifying that a user has permission to modify other...

CVE-2023-50333

Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing freshly demoted guests to change group names...

EUVD-2024-1107

Malicious code in bioql PyPI...

EUVD-2025-25413

Malicious code in bioql PyPI...

Improper Authorization

github.com/mattermost/mattermost-server is vulnerable to Improper Authorization. The vulnerability is due to insufficient validation of authorization for team scheme role modifications, which allows an attacker Team Admins to demote Team Members to Guests via the affected API endpoint...

Mattermost Server 9.11.x < 9.11.18 / 10.5.x < 10.5.9 / 10.10.0 Incorrect Authorization (MMSA-2025-00485)

The version of Mattermost Server installed on the remote host is affected by a vulnerability as referenced in the MMSA-2025-00485 advisory. - Mattermost versions 10.5.x = 10.5.8, 9.11.x = 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins t...