Insufficient authorization in shared channel membership sync allows remote cluster to remove users from arbitrary channels
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel, including private channels, via crafted membership sync messages targeting channels the remote cluster is not authorized to access. Mattermost Advisory ID: MMSA-2026-00576
Problem Types
| Type | CWE ID | Description |
|---|
| CWE | CWE-863 | CWE-863: Incorrect Authorization |
Type: CWE
Description: CWE-863: Incorrect Authorization
Metrics
| Version | Base score | Base severity | Vector |
|---|
| 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N