CVE-2026-8074 Improper Permission Check Allows User Manager to Deactivate Bot Accounts

Mattermost versions 11.7.x = 11.7.0, 10.11.x = 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, which allows a User Manager with user management write access but no Integrations access to deactivate bot accounts via the PUT /api/v4/users/id/active API...

PT-2024-18651 · Zenml Io · Zenml

Name of the Vulnerable Software and Affected Versions: zenml-io/zenml version 0.55.3 Description: An improper authorization issue exists in the zenml-io/zenml repository, specifically within the API "PUT /api/v1/users/id" endpoint. This issue allows any authenticated user to modify the informatio...