15 matches found
PT-2026-51223
Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description Improper access control in the public.get org members RPC function allows unauthenticated attackers to enumerate organization members. By using a public sb publishable key and an organization UUID,...
CVE-2026-39374
Plane is an an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member ADMIN or MEMBER to modify the startdate and targetdate of ANY issue across the entire Plane instance, regardless of workspace or project membership. The endpoint fetches...
PraisonAI has Cross-Workspace IDOR and Privilege Escalation via Platform API
Summary The PraisonAI Platform API has two authorization failures that together break workspace isolation. The service layer for issues and projects performs global primary-key lookups without checking workspace ownership, so any authenticated user can read, modify, and delete resources in any...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the API response process. An attacker can access sensitive information about team member roles by invoking various team API endpoints without having elevated permissions. Remediation Upgrade...
CVE-2026-3636
Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to sanitize team member data when returned via API to users without elevated permissions which allows a user without permissions to get data about team members roles via invoking various team API...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization due to insufficient validation of permission requirements in the team member roles API endpoint. An attacker can gain unauthorized privilege to demote users to guest status by exploiting this flaw while...
CVE-2026-26230
A permissions validation flaw has been discovered in mattermost server. Affected versions fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role. Mitigation Mitigation for this issue is either not...
CVE-2026-26230
Mattermost versions 10.11.x = 10.11.10 fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role. Mattermost Advisory ID: MMSA-2025-00531...
CVE-2026-26230 Team Admin Privilege Escalation to Demote Members to Guest
Mattermost versions 10.11.x = 10.11.10 fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role. Mattermost Advisory ID: MMSA-2025-00531...
PT-2026-25813
Mattermost versions 10.11.x = 10.11.10 fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role. Mattermost Advisory ID: MMSA-2025-00531...
Mattermost 安全漏洞
Mattermost is an open-source collaboration platform developed by the American company Mattermost. Versions of Mattermost 10.11.10 and earlier, including 10.11.x, have a security vulnerability. This vulnerability stems from improper validation of permission requirements at the team member role API...
PT-2025-43410
Name of the Vulnerable Software and Affected Versions Admidio versions prior to 4.3.17 Description Admidio, a user management solution, contains a SQL injection issue in the member assignment data retrieval functionality. An authenticated user with role assignment permissions can execute arbitrar...
Incorrect Authorization
Overview github.com/mattermost/mattermost/server/channels/app is a private-cloud Slack alternative Affected versions of this package are vulnerable to Incorrect Authorization via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles endpoint. An attacker can modify team member roles without...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles endpoint. An attacker can modify team member roles without proper authorization by sending crafted API requests. Remediation Upgrade...
Improper Access Control
Mattermost Server is vulnerable to Improper Access Control. The vulnerability is due to improper validation when updating team member roles, allowing users with certain administrative privileges to demote other users to guest status through crafted HTTP requests...